Refresh locked dependencies to clear Dependabot alerts#46
Merged
Conversation
GitHub's Dependabot flagged vulnerabilities in the locked dependency tree. Every runtime/dev dependency in the Pipfile is `*`-pinned, so the Pipfile is the source of truth and the fix is a lock refresh rather than any constraint change: `pipenv update --dev` re-resolves the whole tree to the latest compatible releases, then `pipenv requirements --hash --dev` regenerates requirements.txt so the two lockfiles stay in sync (the long-standing convention for this repo). Fifteen packages moved. The security-relevant ones are in the requests networking stack: - urllib3 2.6.3 -> 2.7.0 - requests 2.33.1 -> 2.34.2 - idna 3.11 -> 3.18 - certifi 2026.2.25 -> 2026.6.17 The rest are minor/patch bumps on dev tooling and transitive deps (pyinstaller, pylint, pytest, debugpy, setuptools, packaging, tomlkit, typing-extensions, charset-normalizer, platformdirs). No Pipfile edits — the constraint surface is unchanged. One tooling wrinkle worth recording: the newer pipenv (2026.6.2) evaluates environment markers against the host when locking, so running the refresh on Linux pruned the three `sys_platform == 'win32'` dev packages (colorama, pefile, pywin32-ctypes) that previous locks carried. Those are required by PyInstaller on the Windows CI runner, which installs straight from the lockfile via `pipenv install --dev`; dropping them would break the Windows installer build. They are unchanged upstream (latest versions equal the pinned ones), so I restored the exact entries to keep both lockfiles cross-platform complete. All 79 pytest cases pass on the upgraded tree. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01D1ehd51ut8ciZreFbdjDZH
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GitHub's Dependabot flagged vulnerabilities in the locked dependency
tree. Every runtime/dev dependency in the Pipfile is
*-pinned, so thePipfile is the source of truth and the fix is a lock refresh rather than
any constraint change:
pipenv update --devre-resolves the whole treeto the latest compatible releases, then
pipenv requirements --hash --devregenerates requirements.txt so the two lockfiles stay in sync (the
long-standing convention for this repo).
Fifteen packages moved. The security-relevant ones are in the requests
networking stack:
The rest are minor/patch bumps on dev tooling and transitive deps
(pyinstaller, pylint, pytest, debugpy, setuptools, packaging, tomlkit,
typing-extensions, charset-normalizer, platformdirs). No Pipfile edits —
the constraint surface is unchanged.
One tooling wrinkle worth recording: the newer pipenv (2026.6.2) evaluates
environment markers against the host when locking, so running the refresh
on Linux pruned the three
sys_platform == 'win32'dev packages(colorama, pefile, pywin32-ctypes) that previous locks carried. Those are
required by PyInstaller on the Windows CI runner, which installs straight
from the lockfile via
pipenv install --dev; dropping them would breakthe Windows installer build. They are unchanged upstream (latest versions
equal the pinned ones), so I restored the exact entries to keep both
lockfiles cross-platform complete.
All 79 pytest cases pass on the upgraded tree.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01D1ehd51ut8ciZreFbdjDZH