From 7f9f41d400f7a5b350afb716711308a4a498b1b9 Mon Sep 17 00:00:00 2001 From: Eric Joanis Date: Mon, 30 Mar 2026 14:10:33 -0400 Subject: [PATCH 1/3] build(deps): rebuild the Heroku requirements.txt file fresh prompted in part by various CVEs fixed in gunicorn until version 25.3.0 --- requirements.txt | 119 ++++++++++++++++++++++++++++------------------- 1 file changed, 71 insertions(+), 48 deletions(-) diff --git a/requirements.txt b/requirements.txt index 6c1eafb4..c5ead9ab 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -9,52 +9,57 @@ # - lxml>=4.9.4 # - numpy>=1.20.2 # - pydantic<3,>=1.8.2 -# - pydub-ng==0.2.0 +# - pydub>=0.25.1; python_version < "3.10" +# - pydub-ng==0.2.0; python_version >= "3.10" # - pympi-ling<2.0,>=1.69 # - python-slugify==5.0.0 # - requests>=2.31.0 # - soundswallower~=0.6.0 # - webvtt-py==0.5.1 -# - gunicorn>=23.0.0; platform_system != "Windows" +# - readalongs[api] # - ilt-panphon<0.22,>=0.21.4 -# - uvicorn>=0.30.1 # -annotated-doc==0.0.3 +annotated-doc==0.0.4 # via fastapi annotated-types==0.7.0 # via pydantic -anyio==4.11.0 +anyio==4.13.0 # via starlette -audioop-lts==0.2.2 ; python_version >= "3.13" +audioop-lts==0.2.2 # via pydub-ng -certifi==2025.10.5 +certifi==2026.2.25 # via requests -charset-normalizer==3.4.4 +charset-normalizer==3.4.6 # via requests chevron==0.14.0 - # via hatch.envs.prod + # via + # hatch.envs.prod + # readalongs click==8.1.8 # via # hatch.envs.prod # g2p + # readalongs # uvicorn coloredlogs==15.0.1 # via # hatch.envs.prod # g2p -ilt-editdistance==0.8.2 - # via panphon + # readalongs et-xmlfile==2.0.0 # via openpyxl -fastapi==0.120.2 - # via hatch.envs.prod -# Manual override: for deployment on Heroku, we want the latest g2p@main on GitHub +fastapi==0.135.2 + # via + # hatch.envs.prod + # readalongs g2p @ git+https://github.com/roedoejet/g2p.git@main -# g2p==2.2.2 - # via hatch.envs.prod -gunicorn==23.0.0 ; platform_system != "Windows" - # via hatch.envs.prod + # Manual override: for deployment on Heroku, we want the latest g2p@main on GitHub + # via + # hatch.envs.prod + # readalongs +gunicorn==25.3.0 + # via readalongs h11==0.16.0 # via uvicorn humanfriendly==10.0 
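Review bot: The manual override on the `g2p @ git+https://github.com/roedoejet/g2p.git@main` line leaves one dependency in this otherwise exactly pinned file tracking a moving branch. Two Heroku builds from the same commit of this repository can therefore install different g2p code, and whatever lands on that branch is deployed without appearing in any diff here. If following g2p's head is the intent, I would still record the commit resolved when the file is regenerated, e.g. `g2p @ git+https://github.com/roedoejet/g2p.git@<commit-sha>`, and refresh it on each rebuild. The same line is carried unchanged through the matching hunk of PATCH 3/3, where only the surrounding comments move.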
@@ -63,57 +68,68 @@ idna==3.11 # via # anyio # requests +ilt-editdistance==0.8.2 + # via ilt-panphon +ilt-panphon==0.21.4 + # via + # hatch.envs.prod + # g2p lxml==6.0.2 - # via hatch.envs.prod + # via + # hatch.envs.prod + # readalongs munkres==1.1.4 - # via panphon -numpy==2.3.4 + # via ilt-panphon +numpy==2.4.3 # via # hatch.envs.prod - # panphon + # ilt-panphon + # readalongs openpyxl==3.1.5 # via g2p -packaging==25.0 +packaging==26.0 # via gunicorn -ilt-panphon==0.21.4 - # via - # hatch.envs.prod - # g2p -pydantic==2.8.2 +pydantic==2.12.5 # via # hatch.envs.prod # fastapi # g2p -pydantic-core==2.20.1 + # readalongs +pydantic-core==2.41.5 # via pydantic -pydub-ng==0.2.0 - # via hatch.envs.prod +pydub-ng==0.2.0 ; python_version >= "3.10" + # via + # hatch.envs.prod + # readalongs pympi-ling==1.71 - # via hatch.envs.prod + # via + # hatch.envs.prod + # readalongs python-slugify==5.0.0 - # via hatch.envs.prod + # via + # hatch.envs.prod + # readalongs pyyaml==6.0.3 # via # g2p - # panphon -regex==2025.10.23 + # ilt-panphon +readalongs==1.2.2 + # via hatch.envs.prod +regex==2026.2.28 # via # g2p - # panphon + # ilt-panphon requests==2.33.0 - # via hatch.envs.prod -sniffio==1.3.1 - # via anyio -# Manual override: soundswallower is not needed for the web API so ignore it. -# soundswallower==0.6.5 - # via hatch.envs.prod -starlette==0.49.1 + # via + # hatch.envs.prod + # readalongs +starlette==1.0.0 # via fastapi text-unidecode==1.3 # via # g2p # python-slugify -tqdm==4.67.1 +tqdm==4.67.3 # via g2p typing-extensions==4.15.0 # via @@ -121,11 +137,18 @@ typing-extensions==4.15.0 # g2p # pydantic # pydantic-core + # typing-inspection +typing-inspection==0.4.2 + # via + # fastapi + # pydantic unicodecsv==0.14.1 - # via panphon + # via ilt-panphon urllib3==2.6.3 # via requests -uvicorn==0.38.0 - # via hatch.envs.prod +uvicorn==0.42.0 + # via readalongs webvtt-py==0.5.1 - # via hatch.envs.prod + # via + # hatch.envs.prod + # readalongs 
From 3d3efec84966784130fd8382113efa2cca82e61d Mon Sep 17 00:00:00 2001 From: Eric Joanis Date: Wed, 1 Apr 2026 12:12:03 -0400 Subject: [PATCH 2/3] build: fix how heroku reqs are declared to avoid circular dep --- pyproject.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index c5fd7f77..8ac25978 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -72,7 +72,6 @@ api = [ ] heroku = [ - "readalongs[api]", # We don't actually use the panphon 0.22 improvements on heroku so stick to # 0.21 with its lighter weight dependencies "ilt-panphon>=0.21.4,<0.22", @@ -118,7 +117,7 @@ requires = [ "hatch-pip-compile" ] features = [ "dev" ] [tool.hatch.envs.prod] -features = [ "heroku" ] +features = [ "heroku", "api" ] type = "pip-compile" python = "3.13" lock-filename = "requirements.txt" @@ -140,4 +139,5 @@ profile = "black" [tool.pytest] filterwarnings = [ "ignore:'audioop' is deprecated and slated for removal in Python 3.13:DeprecationWarning", + "ignore:.*codecs.open.. is deprecated. Use open.. instead.*:DeprecationWarning", ] From 0029beb6e4cae4411722c81d00c99cf6bb315de1 Mon Sep 17 00:00:00 2001 From: Eric Joanis Date: Wed, 1 Apr 2026 12:17:55 -0400 Subject: [PATCH 3/3] fix(build): correctly declare the prod features --- requirements.txt | 63 +++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 41 deletions(-) diff --git a/requirements.txt b/requirements.txt index c5ead9ab..2545399b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,8 @@ # - requests>=2.31.0 # - soundswallower~=0.6.0 # - webvtt-py==0.5.1 -# - readalongs[api] +# - gunicorn>=23.0.0; platform_system != "Windows" +# - uvicorn>=0.30.1 # - ilt-panphon<0.22,>=0.21.4 # 
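Review bot: In `[tool.hatch.envs.prod]`, `features = [ "heroku", "api" ]` now carries a coupling that nothing in the file explains: the `heroku` extra no longer pulls in the `api` dependencies itself. Judging by the regenerated requirements header in PATCH 3/3, those include gunicorn and uvicorn, so anyone installing `readalongs[heroku]` outside this hatch environment would get an environment without the web server and no error to say so. I would add a comment above the line, e.g. `# "api" must be listed explicitly: the heroku extra cannot depend on readalongs[api] without creating a circular dependency`. A matching one-line remark in the `heroku` extra saying it is meant to be combined with `api` would also help.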
@@ -33,33 +34,26 @@ certifi==2026.2.25 charset-normalizer==3.4.6 # via requests chevron==0.14.0 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod click==8.1.8 # via # hatch.envs.prod # g2p - # readalongs # uvicorn coloredlogs==15.0.1 # via # hatch.envs.prod # g2p - # readalongs et-xmlfile==2.0.0 # via openpyxl fastapi==0.135.2 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod g2p @ git+https://github.com/roedoejet/g2p.git@main - # Manual override: for deployment on Heroku, we want the latest g2p@main on GitHub - # via - # hatch.envs.prod - # readalongs -gunicorn==25.3.0 - # via readalongs +# g2p==2.3.1 + # Manual override: for deployment on Heroku, we want the latest g2p@main on GitHub + # via hatch.envs.prod +gunicorn==25.3.0 ; platform_system != "Windows" + # via hatch.envs.prod h11==0.16.0 # via uvicorn humanfriendly==10.0 @@ -75,16 +69,13 @@ ilt-panphon==0.21.4 # hatch.envs.prod # g2p lxml==6.0.2 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod munkres==1.1.4 # via ilt-panphon -numpy==2.4.3 +numpy==2.4.4 # via # hatch.envs.prod # ilt-panphon - # readalongs openpyxl==3.1.5 # via g2p packaging==26.0 
@@ -94,35 +85,27 @@ pydantic==2.12.5 # hatch.envs.prod # fastapi # g2p - # readalongs pydantic-core==2.41.5 # via pydantic pydub-ng==0.2.0 ; python_version >= "3.10" - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod pympi-ling==1.71 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod python-slugify==5.0.0 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod pyyaml==6.0.3 # via # g2p # ilt-panphon -readalongs==1.2.2 - # via hatch.envs.prod -regex==2026.2.28 +regex==2026.3.32 # via # g2p # ilt-panphon -requests==2.33.0 - # via - # hatch.envs.prod - # readalongs +requests==2.33.1 + # via hatch.envs.prod +# soundswallower==0.6.7 + # Manual override: soundswallower is not needed for the web API so ignore it. + # via hatch.envs.prod starlette==1.0.0 # via fastapi text-unidecode==1.3 @@ -147,8 +130,6 @@ unicodecsv==0.14.1 urllib3==2.6.3 # via requests uvicorn==0.42.0 - # via readalongs + # via hatch.envs.prod webvtt-py==0.5.1 - # via - # hatch.envs.prod - # readalongs + # via hatch.envs.prod