3008.x: dependabot bump 7d586456c89 broke base CI (pyopenssl/virtualenv lockfile drift) #69495

Description

@dwoz

Summary

Dependabot commit 7d586456c89 ("Bump the all-pip-updates group across 3 directories with 15 updates", merged to 3008.x on 2026-06-17) lifted several pin floors in requirements/base.txt (pyopenssl, virtualenv, cryptography, ...) without regenerating the per-platform .lock files. The lockfiles still pin the older versions, so the resulting constraint sets are unsatisfiable.

This breaks every PR targeting 3008.x.

Confirmed failing on bare origin/3008.x

Run on 7d586456c89 (push to 3008.x): https://github.com/saltstack/salt/actions/runs/27816556007

  • Pre-Commit / Run Pre-Commit Against Salt -> FAIL (pip-compile hooks fail to regenerate locks)
  • Prepare Release: 3008.1+22.g7d586456c8 -> FAIL with:
    ERROR: Cannot install pyopenssl>=26.3.0 because these package versions have conflicting dependencies.
        The user requested pyopenssl>=26.3.0
        The user requested (constraint) pyopenssl==26.2.0
    
  • All downstream Build Source Packages / *, Build Salt Onedir / Windows, Documentation / Build, Build Source Tarball cascade-fail on missing artifacts from Prepare Release.

The last green Prepare Release on 3008.x is fc21fca15f, the commit immediately preceding the dependabot bump.

Local repro

pre-commit run --files requirements/static/pkg/py3.10/linux.lock (or any other lock) fails:

× No solution found when resolving dependencies:
  ╰─▶ Because you require virtualenv>=21.5.1 and virtualenv==21.4.2, we can
      conclude that your requirements are unsatisfiable.

Same pattern for pyopenssl 26.3.0 vs 26.2.0 and cryptography 49.0.0 vs 46.0.7-47.x floors.

Fix

Regenerate every requirements/static/{pkg,ci}/py3.*/{linux,freebsd,windows,darwin}*.lock file with pip-compile so the pins match the new requirements/base.txt floors. Some pre-commit pip-compile hooks also need their environments fixed (the py3.9 cryptography upper-bound markers conflict).

This unblocks the whole 3008.x branch — currently every open PR (#69489, #69494, #69415, #69338, #69323, #69222, #69110, #67043) is red because of it.
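A pre-merge check for the drift described in this issue, as an added example that is not part of the original issue or of Salt's own tooling: it compares `>=` floors in a requirements file with `==` pins in a lockfile and reports every pin that sits below its floor. The file contents are constructed excerpts and the function names are hypothetical; environment markers, extras and pre-release tags are ignored.

```python
import re

# Constructed excerpts modelled on the versions quoted in the issue.
BASE_TXT = """\
pyopenssl>=26.3.0
virtualenv>=21.5.1
cryptography>=49.0.0
jinja2>=3.1.0
"""
LOCK_TXT = """\
pyopenssl==26.2.0
    # via -r requirements/base.txt
virtualenv==21.4.2
cryptography==46.0.7
jinja2==3.1.6
"""

def _norm(name):
    # PEP 503 normalisation so "PyOpenSSL" and "pyopenssl" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def _ver(text):
    # Numeric release tuple; trailing zeros dropped so 3.1 == 3.1.0.
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse(text, op):
    """Map normalised package name -> version string for 'name<op>version' lines."""
    pat = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*" + re.escape(op) + r"\s*([0-9][0-9.]*)")
    found = {}
    for line in text.splitlines():
        m = pat.match(line)  # indented "# via" comments never match
        if m:
            found[_norm(m.group(1))] = m.group(2)
    return found

def find_drift(base_text, lock_text):
    """Return (name, floor, pin) for every lock pin lower than its base floor."""
    floors, pins = parse(base_text, ">="), parse(lock_text, "==")
    return sorted((n, floors[n], pins[n]) for n in floors.keys() & pins.keys()
                  if _ver(pins[n]) < _ver(floors[n]))

if __name__ == "__main__":
    for name, floor, pin in find_drift(BASE_TXT, LOCK_TXT):
        print(f"{name}: lock pins {pin} but base requires >={floor}")
```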
