Bump the pip group across 3 directories with 1 update#248
Bump the pip group across 3 directories with 1 update#248dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps the pip group with 1 update in the /chart_data_extractor directory: [pillow](https://github.com/python-pillow/Pillow). Bumps the pip group with 1 update in the /python directory: [pillow](https://github.com/python-pillow/Pillow). Bumps the pip group with 1 update in the /template directory: [pillow](https://github.com/python-pillow/Pillow). Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) --- updated-dependencies: - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: pip - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: pip - dependency-name: pillow dependency-version: 12.2.0 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
dependabot
bot
requested review from
ValentaTomas,
jakubno and
mishushakov
as code owners
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| # This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. | ||
|
|
There was a problem hiding this comment.
🔴 The python/poetry.lock file was silently regenerated by Poetry 2.2.1, upgrading lock-version from 2.0 to 2.1, but the project's .tool-versions pins Poetry to 1.8.5 — which cannot read lock-version 2.1 files and will raise an incompatibility error on 'poetry install'. To fix, either update .tool-versions (and all CI workflows that read it) to require Poetry 2.1+, or regenerate python/poetry.lock using Poetry 1.8.5.
Extended reasoning...
What the bug is: The python/poetry.lock file was regenerated using Poetry 2.2.1 instead of the pinned version. The first line changed from '# This file is automatically @generated by Poetry 1.8.3' to '# This file is automatically @generated by Poetry 2.2.1', and more critically the metadata section at the bottom changed from 'lock-version = "2.0"' to 'lock-version = "2.1"'. This lock-version field is not cosmetic — Poetry uses it to detect format compatibility and will refuse to process a lock file whose version exceeds what it supports.
The specific code path that triggers it: The project's .tool-versions file pins 'poetry 1.8.5'. The CI workflows (python_tests.yml, lint.yml, etc.) use the wistia/parse-tool-versions action to read that file, pass TOOL_VERSION_POETRY to snok/install-poetry, and run 'poetry install'. When Poetry 1.8.5 encounters lock-version 2.1, it raises an incompatibility error and the install step fails.
Why existing code doesn't prevent it: Dependabot ran the lock file regeneration using whatever Poetry version was available in that environment (Poetry 2.2.1), not the version pinned in .tool-versions. There is no enforcement ensuring that lock file generation matches the pinned version. The PR description only mentions bumping pillow, so the silent Poetry version jump is easy to overlook.
Impact: Every CI run that runs 'poetry install' in the python/ directory will fail immediately after merge. Local developers who follow .tool-versions and use Poetry 1.8.5 will also be broken. This blocks all python-SDK CI until resolved.
How to fix: Either (a) update .tool-versions to 'poetry 2.1.0' or higher and ensure all CI workflows that install poetry are also updated, or (b) regenerate python/poetry.lock using 'poetry 1.8.5 lock --no-update' to revert the lock file format back to lock-version 2.0.
Step-by-step proof:
- .tool-versions contains 'poetry 1.8.5'
- CI reads this file and installs Poetry 1.8.5 via snok/install-poetry
- CI runs 'poetry install' in the python/ directory
- Python 1.8.5 reads python/poetry.lock and checks 'lock-version = "2.1"'
- Poetry 1.8.5 only supports up to lock-version 2.0; it raises: 'The lock file is not compatible with the current version of Poetry. Upgrade Poetry to be able to read the lock file or, alternatively, regenerate the lock file with the poetry lock command.'
- The CI step fails and the entire pipeline is broken.
Addressing the refutation: The refutation notes that chart_data_extractor/poetry.lock was already on Poetry 2.1.1 format before this PR, suggesting the team had already moved to Poetry 2.x. However, the python/ directory was still on lock-version 2.0 (Poetry 1.8.3 format) before this PR — meaning the python/ CI was previously consistent with the pinned version. If chart_data_extractor was already broken by this same issue, that is a separate pre-existing problem and does not justify introducing the same breakage to the python/ directory. The .tool-versions file still says 1.8.5, so there is no indication of an intentional migration to Poetry 2.x.
Bumps the pip group with 1 update in the /chart_data_extractor directory: pillow.
Bumps the pip group with 1 update in the /python directory: pillow.
Bumps the pip group with 1 update in the /template directory: pillow.
Updates
pillowfrom 12.1.1 to 12.2.0Release notes
Sourced from pillow's releases.
... (truncated)
Commits
3c41c0912.2.0 version bumpcdaa29eCheck calloc return value (#9527)585b2f5Check calloc return valueecf011eCheck all allocs in the Arrow tree (#9488)cf6de8cReject non-numeric elements inside list coords (#9526)ffdcedeUpdate 12.2.0 release notes (#9522)7929d77Added security release notes (#149)c4f7aa5Added security release notes22cdb5fMove variable declaration inside define (#9525)fc15b3bResize tall images vertically first (#9524)Updates
pillowfrom 12.1.1 to 12.2.0Release notes
Sourced from pillow's releases.
... (truncated)
Commits
3c41c0912.2.0 version bumpcdaa29eCheck calloc return value (#9527)585b2f5Check calloc return valueecf011eCheck all allocs in the Arrow tree (#9488)cf6de8cReject non-numeric elements inside list coords (#9526)ffdcedeUpdate 12.2.0 release notes (#9522)7929d77Added security release notes (#149)c4f7aa5Added security release notes22cdb5fMove variable declaration inside define (#9525)fc15b3bResize tall images vertically first (#9524)Updates
pillowfrom 12.1.1 to 12.2.0Release notes
Sourced from pillow's releases.
... (truncated)
Commits
3c41c0912.2.0 version bumpcdaa29eCheck calloc return value (#9527)585b2f5Check calloc return valueecf011eCheck all allocs in the Arrow tree (#9488)cf6de8cReject non-numeric elements inside list coords (#9526)ffdcedeUpdate 12.2.0 release notes (#9522)7929d77Added security release notes (#149)c4f7aa5Added security release notes22cdb5fMove variable declaration inside define (#9525)fc15b3bResize tall images vertically first (#9524)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.