Chore/batch dependabot 20260716#84
Conversation
There was a problem hiding this comment.
2 issues found across 13 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="analytics-api-client-python/pyproject.toml">
<violation number="1" location="analytics-api-client-python/pyproject.toml:26">
P1: Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because `pytest`, `tox`, `types-python-dateutil`, and `mypy` now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.</violation>
</file>
<file name="analytics-api-client-python-async/pyproject.toml">
<violation number="1" location="analytics-api-client-python-async/pyproject.toml:27">
P2: Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for `pytest`, `tox`, `types-python-dateutil`, and `mypy`.</violation>
</file>
Tip: instead of fixing issues one by one fix them all with cubic
Re-trigger cubic
| @@ -11,9 +11,9 @@ requires-python = ">=3.9" | |||
|
|
|||
There was a problem hiding this comment.
P1: Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because pytest, tox, types-python-dateutil, and mypy now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At analytics-api-client-python/pyproject.toml, line 26:
<comment>Python 3.9 development/bootstrap can no longer resolve this project's default Poetry install because `pytest`, `tox`, `types-python-dateutil`, and `mypy` now have Python >=3.10 floors. Please retain Python-3.9-compatible constraints or add Python-version-specific dependency branches for all four tools.</comment>
<file context>
@@ -23,12 +23,12 @@ Repository = "https://github.com/daytona/clients"
-flake8 = ">= 4.0.0"
-types-python-dateutil = ">= 2.8.19.14"
-mypy = ">= 1.5"
+pytest = ">=9.1.1"
+pytest-cov = ">=7.1.0"
+tox = ">=4.56.4"
</file context>
| @@ -10,11 +10,11 @@ keywords = ["OpenAPI", "OpenAPI-Generator", "Daytona Analytics API"] | |||
| requires-python = ">=3.9" | |||
There was a problem hiding this comment.
P2: Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for pytest, tox, types-python-dateutil, and mypy.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At analytics-api-client-python-async/pyproject.toml, line 27:
<comment>Python 3.9 development installs can no longer resolve this generated client because four new dev-dependency floors require Python 3.10+. Version-split these constraints with Python markers (or retain Python-3.9-compatible floors) for `pytest`, `tox`, `types-python-dateutil`, and `mypy`.</comment>
<file context>
@@ -24,12 +24,12 @@ Repository = "https://github.com/daytona/clients"
-flake8 = ">= 4.0.0"
-types-python-dateutil = ">= 2.8.19.14"
-mypy = ">= 1.5"
+pytest = ">=9.1.1"
+pytest-cov = ">=7.1.0"
+tox = ">=4.56.4"
</file context>
…ates --- updated-dependencies: - dependency-name: aiofiles dependency-version: 25.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: aiohttp dependency-version: 3.14.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: aiohttp dependency-version: 3.14.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: aiohttp-retry dependency-version: 2.9.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: aiohttp-retry dependency-version: 2.9.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: flake8 dependency-version: 7.3.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: flake8 dependency-version: 7.3.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: flake8 dependency-version: 7.3.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: flake8 dependency-version: 7.3.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: obstore dependency-version: 0.10.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pydantic dependency-version: 2.13.4 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pydantic dependency-version: 2.13.4 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pydantic dependency-version: 2.13.4 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pydantic dependency-version: 2.13.4 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest dependency-version: 9.1.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest dependency-version: 9.1.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest dependency-version: 9.1.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest dependency-version: 9.1.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: python-dateutil dependency-version: 2.9.0.post0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: python-dateutil dependency-version: 2.9.0.post0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: python-dateutil dependency-version: 2.9.0.post0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: python-dateutil dependency-version: 2.9.0.post0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: tox dependency-version: 4.56.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: tox dependency-version: 4.56.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: tox dependency-version: 4.56.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: tox dependency-version: 4.56.1 dependency-type: direct:production dependency-group: pip-prod - dependency-name: types-python-dateutil dependency-version: 2.9.0.20260518 dependency-type: direct:production dependency-group: pip-prod - dependency-name: types-python-dateutil dependency-version: 2.9.0.20260518 dependency-type: direct:production dependency-group: pip-prod - dependency-name: types-python-dateutil dependency-version: 2.9.0.20260518 dependency-type: direct:production dependency-group: pip-prod - dependency-name: types-python-dateutil dependency-version: 2.9.0.20260518 dependency-type: direct:production dependency-group: pip-prod - dependency-name: typing-extensions dependency-version: 4.15.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: typing-extensions dependency-version: 4.15.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: typing-extensions dependency-version: 4.15.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: typing-extensions dependency-version: 4.15.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: direct:production dependency-group: pip-prod - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: direct:production dependency-group: pip-prod ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) from 2.0.9 to 2.0.10. - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.10/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v2.0.9...v2.0.10) --- updated-dependencies: - dependency-name: http-proxy-middleware dependency-version: 2.0.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group in /.github/actions/setup-toolchain with 1 update: [actions/setup-java](https://github.com/actions/setup-java). Updates `actions/setup-java` from 5.4.0 to 5.5.0 - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](actions/setup-java@1bcf9fb...0f481fc) --- updated-dependencies: - dependency-name: actions/setup-java dependency-version: 5.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 1 update: [apache/skywalking-eyes/header](https://github.com/apache/skywalking-eyes). Updates `apache/skywalking-eyes/header` from 29bd646002b63bb4c0ed1648d1654c35fb8ff027 to 6e368ec14f31521edc7118374773e78d2d646aeb - [Release notes](https://github.com/apache/skywalking-eyes/releases) - [Changelog](https://github.com/apache/skywalking-eyes/blob/main/CHANGES.md) - [Commits](apache/skywalking-eyes@29bd646...6e368ec) --- updated-dependencies: - dependency-name: apache/skywalking-eyes/header dependency-version: 6e368ec14f31521edc7118374773e78d2d646aeb dependency-type: direct:production dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [websocket-driver](https://github.com/faye/websocket-driver-node) from 0.7.4 to 0.7.5. - [Changelog](https://github.com/faye/websocket-driver-node/blob/main/CHANGELOG.md) - [Commits](faye/websocket-driver-node@0.7.4...0.7.5) --- updated-dependencies: - dependency-name: websocket-driver dependency-version: 0.7.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…ect.mustache override Generated clients' pyproject.toml is generator-owned (not in .openapi-generator-ignore), so floor bumps made directly in those files are reverted by the next 'yarn generate:api-client'. Move floor management into hack/python-client/openapi-templates/pyproject.mustache (shared by all 7 python client projects, sync and asyncio). Regeneration now reproduces the dependabot bumps byte-identically and brings the analytics clients (not covered by #8) to the same floors.
…dependabot playbook
Python >=3.10 floor (#83) makes the patched HTTP stack resolvable: urllib3 2.7.0 closes GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc (HIGH), aiohttp 3.14.1 closes GHSA-xcgm-r5h9-7989, GHSA-4fvr-rgm6-gqmc and GHSA-g3cq-j2xw-wf74. Also replace the root requires-python poetry caret constraint with PEP 440 syntax so standards-compliant tools (uv) can parse the workspace.
Dependabot #85 targeted 48.0.1; the root constraint resolves to the newer 49.0.0 which carries the same fixes.
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.4 to 5.2.6. - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v5.2.4...v5.2.6) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-version: 5.2.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.6.2 to 7.6.5. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.5/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.6.2...protobufjs-v7.6.5) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 7.6.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
e19457f to
b2dceed
Compare
Summary
Batches all open dependabot dependency updates into a single PR, pulls the
patched HTTP stack enabled by the Python >=3.10 floor (#83), and moves Python
client dependency floor management into the shared OpenAPI generator template so
bumps survive regeneration.
Dependabot updates (cherry-picked, oldest → newest)
Patched HTTP stack (follow-up to #83)
#8 originally couldn't land because its
urllib3>=2.7.0/aiohttp>=3.14.1floors require Python >=3.10 while the repo still supported 3.9. With #83 merged,
this PR applies dependabot's floors as intended and updates the lock to
urllib3 2.7.0 and aiohttp 3.14.1, closing:
Supporting generator changes:
hack/python-client/postprocess.sh: urllib3 lower-bound sed retargeted2.1.0 → 2.7.0 (it would otherwise revert the floor on every regeneration), and
a new sed syncs
PYTHON_REQUIRESin the generatedsetup.pyto>= 3.10setup.py/requirements.txtacross all 6 generated clients now advertisePython >= 3.10 and urllib3 >= 2.7.0
requires-pythonfixed from Poetry caret syntax (^3.10, invalidPEP 440 —
uvrefuses to parse it) to>=3.10,<4.0Template override for generated Python clients
The generated clients'
pyproject.tomlis generator-owned (not in.openapi-generator-ignore), so floor bumps applied directly to those files aresilently reverted by the next
yarn generate:api-client. This PR addshack/python-client/openapi-templates/pyproject.mustache(override of theupstream openapi-generator v7.21.0 template, shared by all 6 generated Python
clients) as the single source of truth for dependency floors.
batch-dependabot.mdplaybook documents the generated-manifest andminimum-Python floor rules
Generated Go clients need no equivalent (empty
go.mod, no external deps); thegenerated TS/Java/Ruby clients are not covered by dependabot.
Review feedback addressed
The previous
Build clientsfailure (each client'spoetry lock --regeneratecould not solve mypy >= 2.3.0 against the old
>=3.9range) is fixed by therebase onto #83 — verified locally in both a sync and an async client. cubic's
playbook comments are applied: nix-only tooling wording restored, regeneration
command routed through
nix develop .#node, and the template scope corrected tothe 6 generated clients (sdk-python is hand-written).
Validation
yarn install --immutableclean;poetry check --lockconsistentpoetry lock --regeneratesolves inside sync and async generated clientsyarn generate:api-clientreproduces all committed files with zero driftcryptography 49.0.0, webpack-dev-server 5.2.6, protobufjs 7.6.5
Closes
Closes #8
Closes #61
Closes #65
Closes #66
Closes #79
Closes #85
Closes #86
Closes #87