Skip to content

chore(deps): pin conda environment.yml; tighten postgres/pgvector extras#482

Merged
cgfixit merged 3 commits into
mainfrom
claude/cyclaw-optimize-reproducible-pins
Jul 9, 2026
Merged

chore(deps): pin conda environment.yml; tighten postgres/pgvector extras#482
cgfixit merged 3 commits into
mainfrom
claude/cyclaw-optimize-reproducible-pins

Conversation

@cgfixit

@cgfixit cgfixit commented Jul 9, 2026

Copy link
Copy Markdown
Owner

What

  1. environment.yml: pins every conda-forge dependency (fastapi, uvicorn, pydantic, pyyaml, httpx, langchain-core, chromadb, sentence-transformers, numpy, nltk, pytest, pytest-asyncio, ruff, mypy, bandit, pytest-cov) to the exact version already used in pyproject.toml/constraints.txt. Previously only the 3 pip: sub-entries were pinned; everything else was a bare package name.
  2. pyproject.toml: tightens the postgres/pgvector/full optional-dependency extras from loose >= floors (psycopg[binary]>=3.2.0, pgvector>=0.3.6) to the exact versions constraints.txt already pins (==3.2.13, ==0.4.2).
  3. requirements.txt: the documented enable command for those extras (pip install 'cyclaw[postgres]') skipped -c constraints.txt — added the flag.

Why / benefit

environment.yml feeds python-package-conda.yml (a real, separate CI lane). Unpinned, that lane can silently resolve a different chromadb/pydantic/numpy than the exactly-pinned pip path — including numpy floating to 2.x, which CLAUDE.md documents elsewhere as a known trap that breaks chromadb/onnxruntime (dependabot already ignores numpy>=2.0.0 on the pip side; conda had no equivalent guard). The postgres/pgvector extras were the one install path in the repo that wasn't actually reproducible when followed literally (a bare >= floor, and a documented command that dropped the constraints flag).

Verification, not assumption: every one of the 16 exact versions pinned in environment.yml was checked against conda-forge's real package index (api.anaconda.org/package/conda-forge/<name>) before pinning — all 16 confirmed present. I don't have conda available locally to do a full solve, so python-package-conda.yml's own run is still the real end-to-end validator; flagging that as the residual risk below rather than assuming a clean solve.

Risk to monitor

No conda binary available in this sandbox, so the pins are verified for package+version existence on conda-forge but not for a full dependency-solve (transitive conflicts, if any, would only surface when python-package-conda.yml actually runs). If that workflow goes red on this PR, it's telling us something real — don't dismiss it as unrelated flake without checking. The uvicorn[standard] pip extra (uvloop/httptools/websockets accelerators) has no direct conda equivalent bundled here; conda's uvicorn=0.49.0 is the base package only, which is an existing gap this PR doesn't newly introduce or attempt to close.

Verify

pyproject.toml parses via tomllib.load; environment.yml parses via yaml.safe_load. No Python production code touched.

Scan context

CyClaw-Optimize (ponytail + Karpathy + fable-protocol loaded). Findings #3 and #5 of an 8-finding scan; deduped against open PRs #473, #477, #415.


Generated by Claude Code

claude and others added 3 commits July 9, 2026 19:12
…tras

environment.yml left nearly every conda-forge dependency unpinned (only the 3
pip: sub-entries were pinned), so python-package-conda.yml could silently
resolve a different fastapi/pydantic/chromadb/numpy than the exactly-pinned
pip path -- including numpy floating to 2.x, a documented trap that breaks
chromadb/onnxruntime. Pinned every dependency to match pyproject.toml /
constraints.txt exactly; each version verified present on conda-forge via the
anaconda.org API before pinning (all 16 confirmed available).

pyproject.toml's postgres/pgvector optional-dependency extras used loose
>=3.2.0 / >=0.3.6 floors while constraints.txt pins psycopg==3.2.13 and
pgvector==0.4.2 exactly -- tightened the extras to match. requirements.txt's
documented enable command (pip install 'cyclaw[postgres]') skipped
-c constraints.txt, the one install path in the repo that wasn't actually
reproducible when followed literally; added the flag.
…y needs

CI caught it: mamba's solve for the previous pin (fastapi=0.138.0, matching
pyproject.toml) failed --
  chromadb =1.5.9 * is installable and it requires fastapi ==0.115.9 *
  fastapi =0.138.0 * conflicts with any installable versions previously reported

conda-forge's chromadb=1.5.9 build hard-pins fastapi==0.115.9 -- a packaging
constraint on that feedstock, not a CyClaw choice. The pip path is unaffected
and stays on fastapi==0.138.0 (PyPI's chromadb 1.5.9 carries no such pin).
Documented the divergence inline so it doesn't look like an oversight next
time someone reconciles this file against pyproject.toml.
@cgfixit cgfixit marked this pull request as ready for review July 9, 2026 19:43
@cgfixit cgfixit merged commit a60baa0 into main Jul 9, 2026
25 of 33 checks passed
@cgfixit cgfixit deleted the claude/cyclaw-optimize-reproducible-pins branch July 9, 2026 19:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants