chore(deps): pin conda environment.yml; tighten postgres/pgvector extras#482
Merged
Conversation
…tras environment.yml left nearly every conda-forge dependency unpinned (only the 3 pip: sub-entries were pinned), so python-package-conda.yml could silently resolve a different fastapi/pydantic/chromadb/numpy than the exactly-pinned pip path -- including numpy floating to 2.x, a documented trap that breaks chromadb/onnxruntime. Pinned every dependency to match pyproject.toml / constraints.txt exactly; each version verified present on conda-forge via the anaconda.org API before pinning (all 16 confirmed available). pyproject.toml's postgres/pgvector optional-dependency extras used loose >=3.2.0 / >=0.3.6 floors while constraints.txt pins psycopg==3.2.13 and pgvector==0.4.2 exactly -- tightened the extras to match. requirements.txt's documented enable command (pip install 'cyclaw[postgres]') skipped -c constraints.txt, the one install path in the repo that wasn't actually reproducible when followed literally; added the flag.
…y needs CI caught it: mamba's solve for the previous pin (fastapi=0.138.0, matching pyproject.toml) failed -- chromadb =1.5.9 * is installable and it requires fastapi ==0.115.9 * fastapi =0.138.0 * conflicts with any installable versions previously reported conda-forge's chromadb=1.5.9 build hard-pins fastapi==0.115.9 -- a packaging constraint on that feedstock, not a CyClaw choice. The pip path is unaffected and stays on fastapi==0.138.0 (PyPI's chromadb 1.5.9 carries no such pin). Documented the divergence inline so it doesn't look like an oversight next time someone reconciles this file against pyproject.toml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
environment.yml: pins every conda-forge dependency (fastapi,uvicorn,pydantic,pyyaml,httpx,langchain-core,chromadb,sentence-transformers,numpy,nltk,pytest,pytest-asyncio,ruff,mypy,bandit,pytest-cov) to the exact version already used inpyproject.toml/constraints.txt. Previously only the 3pip:sub-entries were pinned; everything else was a bare package name.pyproject.toml: tightens thepostgres/pgvector/fulloptional-dependency extras from loose>=floors (psycopg[binary]>=3.2.0,pgvector>=0.3.6) to the exact versionsconstraints.txtalready pins (==3.2.13,==0.4.2).requirements.txt: the documented enable command for those extras (pip install 'cyclaw[postgres]') skipped-c constraints.txt— added the flag.Why / benefit
environment.ymlfeedspython-package-conda.yml(a real, separate CI lane). Unpinned, that lane can silently resolve a differentchromadb/pydantic/numpythan the exactly-pinned pip path — including numpy floating to 2.x, whichCLAUDE.mddocuments elsewhere as a known trap that breakschromadb/onnxruntime(dependabot already ignoresnumpy>=2.0.0on the pip side; conda had no equivalent guard). The postgres/pgvector extras were the one install path in the repo that wasn't actually reproducible when followed literally (a bare>=floor, and a documented command that dropped the constraints flag).Verification, not assumption: every one of the 16 exact versions pinned in
environment.ymlwas checked against conda-forge's real package index (api.anaconda.org/package/conda-forge/<name>) before pinning — all 16 confirmed present. I don't havecondaavailable locally to do a full solve, sopython-package-conda.yml's own run is still the real end-to-end validator; flagging that as the residual risk below rather than assuming a clean solve.Risk to monitor
No
condabinary available in this sandbox, so the pins are verified for package+version existence on conda-forge but not for a full dependency-solve (transitive conflicts, if any, would only surface whenpython-package-conda.ymlactually runs). If that workflow goes red on this PR, it's telling us something real — don't dismiss it as unrelated flake without checking. Theuvicorn[standard]pip extra (uvloop/httptools/websockets accelerators) has no direct conda equivalent bundled here; conda'suvicorn=0.49.0is the base package only, which is an existing gap this PR doesn't newly introduce or attempt to close.Verify
pyproject.tomlparses viatomllib.load;environment.ymlparses viayaml.safe_load. No Python production code touched.Scan context
CyClaw-Optimize (ponytail + Karpathy + fable-protocol loaded). Findings #3 and #5 of an 8-finding scan; deduped against open PRs #473, #477, #415.
Generated by Claude Code