Skip to content

Chore/batch dependabot 20260716#84

Open
MDzaja wants to merge 11 commits into
mainfrom
chore/batch-dependabot-20260716
Open

Chore/batch dependabot 20260716#84
MDzaja wants to merge 11 commits into
mainfrom
chore/batch-dependabot-20260716

Conversation

@MDzaja

@MDzaja MDzaja commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Batches all open dependabot dependency updates into a single PR, pulls the
patched HTTP stack enabled by the Python >=3.10 floor (#83), and moves Python
client dependency floor management into the shared OpenAPI generator template so
bumps survive regeneration.

Dependabot updates (cherry-picked, oldest → newest)

PR Update
#8 pip-prod group across 5 directories — 14 updates (urllib3 2.7.0, aiohttp 3.14.1, pydantic 2.13.4, typing-extensions 4.16.0, python-dateutil 2.9.0.post0, aiohttp-retry 2.9.1, dev-group tooling)
#61 http-proxy-middleware 2.0.9 → 2.0.10 (proxy-table routing bypass hardening)
#65 actions/setup-java 5.4.0 → 5.5.0 (setup-toolchain composite action)
#66 apache/skywalking-eyes/header 29bd646 → 6e368ec (license header check)
#79 websocket-driver 0.7.4 → 0.7.5 (max-length enforcement hardening)
#85 cryptography 46.0.3 → 49.0.0 (dependabot targeted 48.0.1; the root constraint resolves to the newer release carrying the same fixes)
#86 webpack-dev-server 5.2.4 → 5.2.6
#87 protobufjs 7.6.2 → 7.6.5

Patched HTTP stack (follow-up to #83)

#8 originally couldn't land because its urllib3>=2.7.0 / aiohttp>=3.14.1
floors require Python >=3.10 while the repo still supported 3.9. With #83 merged,
this PR applies dependabot's floors as intended and updates the lock to
urllib3 2.7.0 and aiohttp 3.14.1, closing:

Supporting generator changes:

  • hack/python-client/postprocess.sh: urllib3 lower-bound sed retargeted
    2.1.0 → 2.7.0 (it would otherwise revert the floor on every regeneration), and
    a new sed syncs PYTHON_REQUIRES in the generated setup.py to >= 3.10
  • setup.py / requirements.txt across all 6 generated clients now advertise
    Python >= 3.10 and urllib3 >= 2.7.0
  • Root requires-python fixed from Poetry caret syntax (^3.10, invalid
    PEP 440 — uv refuses to parse it) to >=3.10,<4.0

Template override for generated Python clients

The generated clients' pyproject.toml is generator-owned (not in
.openapi-generator-ignore), so floor bumps applied directly to those files are
silently reverted by the next yarn generate:api-client. This PR adds
hack/python-client/openapi-templates/pyproject.mustache (override of the
upstream openapi-generator v7.21.0 template, shared by all 6 generated Python
clients) as the single source of truth for dependency floors.

Generated Go clients need no equivalent (empty go.mod, no external deps); the
generated TS/Java/Ruby clients are not covered by dependabot.

Review feedback addressed

The previous Build clients failure (each client's poetry lock --regenerate
could not solve mypy >= 2.3.0 against the old >=3.9 range) is fixed by the
rebase onto #83 — verified locally in both a sync and an async client. cubic's
playbook comments are applied: nix-only tooling wording restored, regeneration
command routed through nix develop .#node, and the template scope corrected to
the 6 generated clients (sdk-python is hand-written).

Validation

  • yarn install --immutable clean; poetry check --lock consistent
  • poetry lock --regenerate solves inside sync and async generated clients
  • yarn generate:api-client reproduces all committed files with zero drift
  • sdk-typescript: 238/238 unit
  • sdk-python: 529/529 unit; 97/97 sync e2e against production on urllib3 2.7.0
  • Resolved versions confirmed in locks: urllib3 2.7.0, aiohttp 3.14.1,
    cryptography 49.0.0, webpack-dev-server 5.2.6, protobufjs 7.6.5

Closes

Closes #8
Closes #61
Closes #65
Closes #66
Closes #79
Closes #85
Closes #86
Closes #87

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 13 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="analytics-api-client-python/pyproject.toml">

<violation number="1" location="analytics-api-client-python/pyproject.toml:26">
P1: Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because `pytest`, `tox`, `types-python-dateutil`, and `mypy` now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.</violation>
</file>

<file name="analytics-api-client-python-async/pyproject.toml">

<violation number="1" location="analytics-api-client-python-async/pyproject.toml:27">
P2: Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for `pytest`, `tox`, `types-python-dateutil`, and `mypy`.</violation>
</file>

Tip: instead of fixing issues one by one fix them all with cubic

Re-trigger cubic

@@ -11,9 +11,9 @@ requires-python = ">=3.9"

@cubic-dev-ai cubic-dev-ai Bot Jul 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because pytest, tox, types-python-dateutil, and mypy now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At analytics-api-client-python/pyproject.toml, line 26:

<comment>Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because `pytest`, `tox`, `types-python-dateutil`, and `mypy` now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.</comment>

<file context>
@@ -23,12 +23,12 @@ Repository = "https://github.com/daytona/clients"
-flake8 = ">= 4.0.0"
-types-python-dateutil = ">= 2.8.19.14"
-mypy = ">= 1.5"
+pytest = ">=9.1.1"
+pytest-cov = ">=7.1.0"
+tox = ">=4.56.4"
</file context>
Fix with cubic

Comment thread .claude/agents/batch-dependabot.md Outdated
@@ -10,11 +10,11 @@ keywords = ["OpenAPI", "OpenAPI-Generator", "Daytona Analytics API"]
requires-python = ">=3.9"

@cubic-dev-ai cubic-dev-ai Bot Jul 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for pytest, tox, types-python-dateutil, and mypy.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At analytics-api-client-python-async/pyproject.toml, line 27:

<comment>Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for `pytest`, `tox`, `types-python-dateutil`, and `mypy`.</comment>

<file context>
@@ -24,12 +24,12 @@ Repository = "https://github.com/daytona/clients"
-flake8 = ">= 4.0.0"
-types-python-dateutil = ">= 2.8.19.14"
-mypy = ">= 1.5"
+pytest = ">=9.1.1"
+pytest-cov = ">=7.1.0"
+tox = ">=4.56.4"
</file context>
Fix with cubic

Comment thread .claude/agents/batch-dependabot.md Outdated
Comment thread hack/python-client/openapi-templates/pyproject.mustache
Comment thread .claude/agents/batch-dependabot.md Outdated
dependabot Bot and others added 11 commits July 16, 2026 15:20
…ates

---
updated-dependencies:
- dependency-name: aiofiles
  dependency-version: 25.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: aiohttp
  dependency-version: 3.14.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: aiohttp
  dependency-version: 3.14.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: aiohttp-retry
  dependency-version: 2.9.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: aiohttp-retry
  dependency-version: 2.9.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: flake8
  dependency-version: 7.3.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: flake8
  dependency-version: 7.3.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: flake8
  dependency-version: 7.3.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: flake8
  dependency-version: 7.3.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: obstore
  dependency-version: 0.10.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: tox
  dependency-version: 4.56.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: tox
  dependency-version: 4.56.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: tox
  dependency-version: 4.56.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: tox
  dependency-version: 4.56.1
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: types-python-dateutil
  dependency-version: 2.9.0.20260518
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: types-python-dateutil
  dependency-version: 2.9.0.20260518
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: types-python-dateutil
  dependency-version: 2.9.0.20260518
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: types-python-dateutil
  dependency-version: 2.9.0.20260518
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: typing-extensions
  dependency-version: 4.15.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: typing-extensions
  dependency-version: 4.15.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: typing-extensions
  dependency-version: 4.15.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: typing-extensions
  dependency-version: 4.15.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: pip-prod
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: pip-prod
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) from 2.0.9 to 2.0.10.
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.10/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.9...v2.0.10)

---
updated-dependencies:
- dependency-name: http-proxy-middleware
  dependency-version: 2.0.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group in /.github/actions/setup-toolchain with 1 update: [actions/setup-java](https://github.com/actions/setup-java).


Updates `actions/setup-java` from 5.4.0 to 5.5.0
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@1bcf9fb...0f481fc)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 1 update: [apache/skywalking-eyes/header](https://github.com/apache/skywalking-eyes).


Updates `apache/skywalking-eyes/header` from 29bd646002b63bb4c0ed1648d1654c35fb8ff027 to 6e368ec14f31521edc7118374773e78d2d646aeb
- [Release notes](https://github.com/apache/skywalking-eyes/releases)
- [Changelog](https://github.com/apache/skywalking-eyes/blob/main/CHANGES.md)
- [Commits](apache/skywalking-eyes@29bd646...6e368ec)

---
updated-dependencies:
- dependency-name: apache/skywalking-eyes/header
  dependency-version: 6e368ec14f31521edc7118374773e78d2d646aeb
  dependency-type: direct:production
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [websocket-driver](https://github.com/faye/websocket-driver-node) from 0.7.4 to 0.7.5.
- [Changelog](https://github.com/faye/websocket-driver-node/blob/main/CHANGELOG.md)
- [Commits](faye/websocket-driver-node@0.7.4...0.7.5)

---
updated-dependencies:
- dependency-name: websocket-driver
  dependency-version: 0.7.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…ect.mustache override

Generated clients' pyproject.toml is generator-owned (not in .openapi-generator-ignore),
so floor bumps made directly in those files are reverted by the next
'yarn generate:api-client'. Move floor management into
hack/python-client/openapi-templates/pyproject.mustache (shared by all 7 python
client projects, sync and asyncio). Regeneration now reproduces the dependabot
bumps byte-identically and brings the analytics clients (not covered by #8) to
the same floors.
Python >=3.10 floor (#83) makes the patched HTTP stack resolvable:
urllib3 2.7.0 closes GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc (HIGH),
aiohttp 3.14.1 closes GHSA-xcgm-r5h9-7989, GHSA-4fvr-rgm6-gqmc and
GHSA-g3cq-j2xw-wf74. Also replace the root requires-python poetry caret
constraint with PEP 440 syntax so standards-compliant tools (uv) can
parse the workspace.
Dependabot #85 targeted 48.0.1; the root constraint resolves to the newer
49.0.0 which carries the same fixes.
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.4 to 5.2.6.
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.4...v5.2.6)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.6.2 to 7.6.5.
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.5/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.6.2...protobufjs-v7.6.5)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-version: 7.6.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@MDzaja
MDzaja force-pushed the chore/batch-dependabot-20260716 branch from e19457f to b2dceed Compare July 16, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant