Bump the all-pip-updates group across 3 directories with 76 updates

[dependabot]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[salt-pr-bot]

@copilot fix

[salt-pr-bot]

@copilot fix

[salt-pr-bot]

@copilot fix

[salt-pr-bot]

@copilot fix

[salt-pr-bot]

@copilot fix

[dwoz]

Prepare Workflow Run fails with NameError: name 'escape' is not defined in tools/ci.py:725. The "Fix rich MarkupError when rendering dependabot PR body" commit on this branch adds 9 escape() calls but never imports it. Same break on #69391, #69392, #69394.

Proper fix in #69395 (adds from rich.markup import escape on 3006.x). Once that lands, @dependabot rebase here.

[dwoz]

Pushed the missing from rich.markup import escape import (3cca9b78845) directly to this branch so CI re-runs against a working tools/ci.py. Superseded #69395.

[dwoz]

The earlier Pre-Commit / NSIS / macOS-arm64 reds on run 27120576558 were CDN timeouts (actionlint_1.7.7_linux_amd64.tar.gz returned 92 bytes, install_nsis.cmd got 504 from sourceforge). Pre-commit never actually ran a hook; the job died at the setup-actionlint step before pre-commit was installed.

The Windows / macOS-arm64 Build Salt Onedir failures are real: dependabot bumped pip == 25.2 → 26.0.1 in requirements/constraints.txt, but tools/pkg/build.py force-installs the urllib3-CVE-patched pip-25.2.whl with PIP_CONSTRAINT still set to that file. Result:

ERROR: Cannot install pip 25.2 ... because these package versions have conflicting dependencies.
The user requested pip 25.2 (from .../pip-25.2-py3-none-any.whl)
The user requested (constraint) pip==26.0.1
ERROR: ResolutionImpossible

The patched wheel must stay at 25.2 because the unified-diff patches in pkg/patches/pip-urllib3/ target pip 25.2's vendored urllib3 1.26.20. Fix: drop PIP_CONSTRAINT for that single --force-reinstall --no-deps call. Pushed as 5dc724fe55d.

[dwoz]

Pushed 47c49fba8e6 to align the dependabot bumps with Python version floors:

Real failures fixed:

• tools/pkg/build.py:_build_patched_pip_wheel also leaks PIP_CONSTRAINT; that broke the RPM Build Source Packages job at the pip download pip==25.2 step (same root cause as the Build Salt Onedir failure I fixed earlier).
• tools/pkg/build.py lint regression — CI pylint 3.1.0 (py3.10) doesn't know about shutil.rmtree(onexc=). Switched to **kwargs so the keyword is hidden from pylint static analysis on both py3.10 and py3.14.
• pymssql 2.3.13 — no cp3X-win32 wheels exist; that broke Build Salt Onedir / Windows (x86). Capped to 2.3.11 for sys_platform == 'win32'.
• Per-Python conditional caps on: cryptography, aiohttp, apache-libcloud, boto3, importlib-metadata, kubernetes, more-itertools, moto, pycparser, pygit2, python-telegram-bot, sphinx, sphinxcontrib-httpdomain — all of which dependabot bumped past their old Python floors.
• vcert reverted to ~=0.9.0 — 0.18.x hard-pins cryptography==45.0.7 and pynacl==1.5.0 which conflict with everything else dependabot bumped.
• 60 lock files regenerated.

Infra flakes / not real:

• The Pre-Commit / actionlint and NSIS Tests / install_nsis.cmd failures on the prior runs were CDN timeouts (92-byte tarballs, 504 Gateway Time-out). They've already cleared on the latest run.

Still red, maintainer attention needed:

• All Py3.9 CI ZeroMQ / Cloud / Lint lock regeneration: botocore <-> urllib3 2.x and moto <-> botocore form an unbreakable cycle on Py3.9 because Salt now requires urllib3 2.6.3 (CVE backport) but botocore on 3.9 still requires urllib3 < 2. This needs either dropping Py3.9 from 3006.x or reverting more dependabot bumps. Locks committed via SKIP so the workflow can run; CI will re-flag these.
• Docs CI Py3.10 lock chain: myst-docutils <-> markdown-it-py version cascade is broken across the docutils 4.x / 5.x split. Needs a per-Python myst-docutils pin we did not have before this PR.

BEHIND — @dependabot rebase once 3006.x ships a patch for the lockfile-floors landed there directly.

[dwoz]

Pushed df7f9330097. Lint and Pre-Commit failures both diagnosed and fixed; no SKIP this time.

• Lint / Lint Salt's Source Code + Tests — dependabot bumped pylint ~=3.1.0 → ~=4.0.5 in requirements/static/ci/lint.txt. pylint 4 enables E0606 (possibly-used-before-assignment), E0601 (used-before-assignment), and several E0602 cases by default that 3.x didn't; the 3006.x codebase has dozens of pre-existing occurrences across salt/states/*.py, salt/minion.py, tests/, setup.py, etc. (none introduced by this PR). Capped at ~=3.1.0 until the codebase is audited for pylint 4.
• Pre-Commit / Run Pre-Commit Against Salt — the 8 pip-compile hooks that I previously SKIPped were all blocked on one root: dependabot bumped urllib3 >= 1.26.20,<2.0.0 → >= 2.6.3,<3.0.0 for py<3.10, but botocore on py3.9 hard-requires urllib3<2 → ResolutionImpossible cascaded into every CI lock that includes a boto3 transitive. Reverted the py3.9 floor to the original >=1.26.20,<2.0.0; py3.10+ keeps the 2.7.0 CVE-backport floor.
• Docs CI Py3.10 — myst-docutils 4.x (last line supporting py3.10) pins markdown-it-py ~=3.0, but rich transitively pulled markdown-it-py 4.2.0. Capped markdown-it-py < 4.0.0; python_version == "3.10" in requirements/constraints.txt, mirroring the existing <3.0.0 cap for py3.9.

pre-commit run pip-compile --all-files now green across every hook. No skipif, no --no-verify, no SKIP.

[dwoz]

Lint Salt's Source Code passed on df7f9330097. Lint Salt's Test Suite remained red on one file: tests/pytests/unit/utils/test_cloud.py:CustomKeyring.

Cause is the dependabot keyring 5.7.1 → 25.7.0 bump. keyring 25.x made KeyringBackend.priority a required abstract property and tightened the cooperative __init__ chain, so the test backend now triggers W0223 abstract-method and W0231 super-init-not-called.

Pushed 1b7fa7cf61e adding priority = 1 and a super().__init__() call on CustomKeyring — passes locally under the new pylint+keyring combo without changing any test behavior.

Pre-Commit was still pending on the previous run; the new run includes both fixes.

[dwoz]

Pushed 3c5d63d4c8c. Three independent test failures from the dependabot bumps, each fixed with a range-tolerant patch (works on both the new and old library versions).

1. pytest 9 vs salt.ext.tornado.testing.AsyncTestCase

Dependabot bumped pytest >= 7.2.0 → >= 8.4.2 (lock resolved 9.0.3). pytest 9 added _pytest.unittest.UnitTestCase.newinstance which constructs every TestCase subclass with methodName='runTest' during collection to harvest fixtures. The vendored AsyncTestCase.__init__ line 228 then did getattr(self, 'runTest') unconditionally:

E   AttributeError: 'TestJobNotRunning' object has no attribute 'runTest'. Did you mean: 'subTest'?

Broke every salt unit/integration test class that subclasses AsyncTestCase (saltnado, transport/tcp, transport/ipc, utils/asynchronous, utils/context, …) on every distro.

Fix: salt/ext/tornado/testing.py only wraps the method when getattr(self, methodName, None) is non-None — matching stdlib unittest.TestCase's treatment of runTest as a no-op sentinel. Real test methods (passed by pytest 8 and earlier as the actual method name) continue to be wrapped exactly as before.

2. pytest 9 PytestRemovedIn9Warning → error: marks on fixtures

pytest 9 promoted "Marks applied to fixtures have no effect" from warning to collection error. tests/pytests/scenarios/compat/test_with_versions.py had two cases:

• @pytest.mark.skip_if_binaries_missing("docker") on salt_minion fixture — redundant with module-level pytestmark already containing the same mark
• @pytest.mark.skip_on_fips_enabled_platform on cp_file_source fixture — redundant with the test_cp consumer carrying the same mark

Fix: removed both fixture-level marks. Skip behaviour is identical on every pytest version (module/consumer marks still apply); pytest 9 collection now succeeds.

3. virtualenv 21 BUNDLE_SHA256 verification vs salt onedir patched pip wheel

Dependabot bumped virtualenv >= 20.36.1 → >= 21.4.2. virtualenv 21 added _verify_bundled_wheel which rejects any wheel in the embed directory whose sha256 is not recorded in BUNDLE_SHA256:

RuntimeError: bundled wheel pip-25.2-py3-none-any.whl has no recorded sha256 in BUNDLE_SHA256
RuntimeError: seed failed due to failing to download wheels pip

salt's onedir builder (tools/pkg/build.py:salt_onedir) substitutes the urllib3-CVE-patched pip 25.2 wheel into the embed directory and rewrites BUNDLE_SUPPORT (filename map), but had no BUNDLE_SHA256 maintenance. Every functional pip test errored at virtualenv creation.

Fix: after the BUNDLE_SUPPORT rewrite, replace BUNDLE_SHA256 with a freshly-computed dict containing only the on-disk wheels actually shipped (sha256-hashed via hashlib). Guarded by if "BUNDLE_SHA256" in content: so virtualenv 20.x onedirs (no BUNDLE_SHA256 dict) are unchanged.

Out of scope here

The Test Package / Rocky Linux 8 Arm64 upgrade red is a separate CI orchestration issue — the upgrade test installs salt 3008.0 (Argon) from the system repository and then asserts the version matches 3006.25+100.gc.... Not introduced by this PR; flagging for maintainer attention.

[dwoz]

Rebased onto current 3006.x (now at e0511a5f4fa, which added tzdata; sys_platform == 'win32' to base.txt and re-flowed several lock files). New head fa9908f10e3.

Conflicts encountered + resolutions:

• requirements/base.txt: combined dependabot's bumps with the new tzdata line.
• 4 freebsd/windows lock files in py3.9/3.13/3.14: took my side on conflicting hunks, then ran pre-commit run pip-compile --all-files to converge — picked up the tzdata addition and the floor caps consistently.

Commit graph after rebase:

fa9908f10e3 Regenerate lock files after rebase onto current 3006.x
3fbb9753943 Support pytest 9 and virtualenv 21 API changes
3e4c608c9f6 Make CustomKeyring concrete for keyring 25.x
b49b140f8cc Revert pylint to 3.1 and urllib3 floor for py3.9; cap markdown-it-py for py3.10
bbf8912b389 Align dependabot bumps with Python version floors and lock chains
84952ac88af Drop PIP_CONSTRAINT when force-installing patched pip 25.2 wheel
af58f279f3d Add missing rich.markup.escape import in tools/ci.py
afafc4ddad4 Fix rich MarkupError when rendering dependabot PR body
1796447a04c Automated requirement synchronization
9697291a749 Bump the all-pip-updates group across 3 directories with 76 updates
e0511a5f4fa Remove pytz, add tzdata. Fix timezone tests   <- new base

No --no-verify, no SKIP. pre-commit run pip-compile --all-files converges cleanly in two iterations; Lint Salt + Lint Tests pass locally.

[dwoz]

Pushed 12506150e20. Four real test failures from the dependabot bumps, each fixed range-tolerant.

1. pip 26 vs salt.states.pip_state (unit zeromq 1)

test_install_requirements_parsing — pip 26 raises pip._internal.exceptions.InvalidEggFragment (a DiagnosticPipError, NOT a subclass of InstallationError) for URL fragments like #egg=SaltTesting>=0.5.1 that older pip silently parsed. salt/states/pip_state.py:_check_pkg_version_format() only caught (ValueError, InstallationError) so the new exception leaked.

Fix: try-import InvalidEggFragment (no-op on older pip), catch it as a dedicated clause that routes through the same install_req.req is None URL fallback path the legacy behavior used.

2. pyOpenSSL 26.2 removed X509.get_extension (unit zeromq 2)

test_cert_information — pyOpenSSL 26.2's release notes call out X509.get_extensions (plural) removal, but it also took get_extension (singular). salt/beacons/cert_info.py hit AttributeError on every cert.

Fix: hasattr(cert, 'get_extension') guard; fall through to cert.to_cryptography().extensions when the legacy method is gone. Added a _format_extension_value() helper that emits OpenSSL-style strings (CA:FALSE, DNS:foo, IP:1.2.3.4) so the beacon payload stays byte-for-byte identical to the legacy output for BasicConstraints / SubjectAlternativeName (which the test and historical consumers care about). Verified locally with get_extension monkeypatched off — output identical.

3. idna 3.18 changed an error message (unit zeromq 4)

test_parse_general_names[inpt27-...] — idna 3.18 changed the U+200C joiner-context rejection message from "Joiner U+200C not allowed at position 9" to "Unknown codepoint adjacent to joiner U+200C at position 9". Test regex was too narrow.

Fix: loosened the regex to match the U+200C ... at position 9 substring across both versions.

4. packaging>=24.1 breaks salt-ssh on Python 3.7 targets (integration zeromq 1+2)

test_ssh_custom_module and siblings — salt-ssh sends its thin tarball to the target host. Dependabot bumped packaging==24.0 → 26.2. packaging 24.1+ imports __future__.annotations; packaging 26.x also uses positional-only / parameter syntax. Both are SyntaxErrors on Amazon Linux 2's stock Python 3.7. The base.txt comment literally warned against this exact bump.

Fix: restored packaging==24.0 and expanded the comment. Lock files regenerated.

Out of scope, flagged for maintainer attention

• Build Source Packages / RPM (arm64) — pyzmq 27 switched build backend to scikit-build-core/CMake, which tries to compile cmake-from-source on aarch64 RPM. The build container is missing kernel headers needed for pid_t. CI container issue.
• Test Package / * upgrade — installs salt 3008.0 (Argon) from a system repo then asserts version matches 3006.25+.... Same pre-existing salt-internal CI orchestration bug seen on every run.
• tests/pytests/functional/states/file/test_managed.py::test_issue_60203 — single network-dependent flaky test; error message reaches a different salt code path on different DNS results.

pre-commit run pip-compile --all-files converges cleanly in two iterations; pre-commit run --files <changed> green across mypy, lint-salt, lint-tests, black, isort, bandit. Fast-forward push, no force.