Bump the minor-and-patch-updates group across 1 directory with 3 updates #2194

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/indexify/minor-and-patch-updates-5e5ab60c07

dependabot bot commented on behalf of github on Mar 2, 2026

Bumps the minor-and-patch-updates group with 3 updates in the /indexify directory: httpx, boto3 and tensorlake.

Updates httpx from 0.27.2 to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

  • Fix SSL case where verify=False together with client side certificates.

Version 0.28.0

0.28.0 (28th November, 2024)

The 0.28 release includes a limited set of deprecations.

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

  • The verify argument as a string argument is now deprecated and will raise warnings.
  • The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

  • The deprecated proxies argument has now been removed.
  • The deprecated app argument has now been removed.
  • JSON request bodies use a compact representation. (#3363)
  • Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
  • Ensure certifi and httpcore are only imported if required. (#3377)
  • Treat socks5h as a valid proxy scheme. (#3178)
  • Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
  • Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

  • Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a preferred style, though may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

  • The verify argument as a string argument is now deprecated and will raise warnings.
  • The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

  • The deprecated proxies argument has now been removed.
  • The deprecated app argument has now been removed.
  • JSON request bodies use a compact representation. (#3363)
  • Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
  • Ensure certifi and httpcore are only imported if required. (#3377)
  • Treat socks5h as a valid proxy scheme. (#3178)
  • Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
  • Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Commits

Updates boto3 from 1.42.57 to 1.42.59

Commits
  • cef3033 Merge branch 'release-1.42.59'
  • 463794a Bumping version to 1.42.59
  • 591d881 Add changelog entries from botocore
  • d327a89 Merge branch 'release-1.42.58'
  • 8727558 Merge branch 'release-1.42.58' into develop
  • 14eee00 Bumping version to 1.42.58
  • dbe54fa Add changelog entries from botocore
  • 8108f80 Merge branch 'release-1.42.57' into develop
  • See full diff in compare view

Updates tensorlake from 0.4.0 to 0.4.4

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note

Medium Risk
Dependency bumps include httpx (HTTP/SSL behavior changes) and boto3/botocore (AWS API surface), which can subtly affect runtime networking and cloud interactions despite no application code changes.

Overview
Updates Indexify’s Python deps: httpx 0.27.2 → 0.28.1, boto3/botocore 1.42.57 → 1.42.59, and tensorlake 0.4.0 → 0.4.4.

Regenerates poetry.lock with Poetry 2.2.1, including updated dependency markers/extras resolution (e.g., platform-conditional extras), and removing sniffio from the resolved lock set.

Written by Cursor Bugbot for commit fafc301. This will update automatically on new commits. Configure here.

Bumps the minor-and-patch-updates group with 3 updates in the /indexify directory: [httpx](https://github.com/encode/httpx), [boto3](https://github.com/boto/boto3) and [tensorlake](https://github.com/tensorlakeai/tensorlake).


Updates `httpx` from 0.27.2 to 0.28.1
- [Release notes](https://github.com/encode/httpx/releases)
- [Changelog](https://github.com/encode/httpx/blob/master/CHANGELOG.md)
- [Commits](encode/httpx@0.27.2...0.28.1)

Updates `boto3` from 1.42.57 to 1.42.59
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.42.57...1.42.59)

Updates `tensorlake` from 0.4.0 to 0.4.4
- [Commits](https://github.com/tensorlakeai/tensorlake/commits)

---
updated-dependencies:
- dependency-name: httpx
  dependency-version: 0.28.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch-updates
- dependency-name: boto3
  dependency-version: 1.42.59
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch-updates
- dependency-name: tensorlake
  dependency-version: 0.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and python labels on Mar 2, 2026

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

aiohttp = "^3.13.3"
# mTLS support for httpx 0.28.1 is broken, wait for 0.28.2 to see if the bug is fixed
httpx = { version = "0.27.2", extras = ["http2"] }
httpx = { version = "0.28.1", extras = ["http2"] }
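
Review bot: The unchanged comment directly above the httpx pin still says mTLS support for 0.28.1 is broken and to wait for 0.28.2, while the changed line pins exactly 0.28.1, so the file now contradicts itself. Either keep `httpx = { version = "0.27.2", extras = ["http2"] }` and add a Dependabot ignore condition for httpx so the grouped update stops proposing this version, or, if mTLS has been verified against 0.28.1, update or remove the comment in the same change and say how it was verified.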

Upgrading httpx to version with known broken mTLS

High Severity

The comment on line 23 explicitly warns that "mTLS support for httpx 0.28.1 is broken, wait for 0.28.2 to see if the bug is fixed," yet the dependency on line 24 is being bumped to exactly 0.28.1. The previous version 0.27.2 was intentionally pinned to avoid this known issue. This Dependabot-generated upgrade directly contradicts the human-written safeguard, and will break mTLS functionality (the cert parameter is deprecated in 0.28.x and the SSL behavior changed). The tensorlake dependency also uses httpx with http2 extras, so this affects the broader dependency chain.
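
The 0.28.0 notes quoted in the PR description deprecate the string form of `verify` and the `cert` argument in favour of passing an SSL context. As an added example (not httpx's or Indexify's code), the hypothetical helpers `context_from_legacy` and `describe` below show one way to express the old values as a single `ssl.SSLContext` using only the standard library, which is the form a reviewer would test mTLS against before lifting the pin.

```python
import ssl
from pathlib import Path


def context_from_legacy(verify=True, cert=None):
    """Translate httpx 0.27-style `verify` / `cert` values into one SSLContext.

    Hypothetical helper for illustration; not part of httpx or Indexify.
    """
    if isinstance(verify, ssl.SSLContext):
        ctx = verify                        # already the supported form
    elif verify is True:
        ctx = ssl.create_default_context()  # system trust store, hostname check on
    elif verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Deprecated string form: path to a CA bundle file or a CA directory.
        path = Path(verify)
        if path.is_dir():
            ctx = ssl.create_default_context(capath=str(path))
        else:
            ctx = ssl.create_default_context(cafile=str(path))

    if cert is not None:
        # Deprecated cert= forms: "client.pem", (cert, key) or (cert, key, password).
        parts = (cert,) if isinstance(cert, str) else tuple(cert)
        # Loaded regardless of `verify`, so verify=False plus a client
        # certificate (the combination the 0.28.1 note names) still presents it.
        ctx.load_cert_chain(*parts)
    return ctx


def describe(ctx):
    """Summarise the settings a reviewer should confirm after migrating."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(describe(context_from_legacy(True)))
    print(describe(context_from_legacy(False)))
    # With httpx installed: httpx.Client(verify=context_from_legacy(ca, (crt, key)))
```

A missing or unreadable client certificate raises an `OSError` subclass from `load_cert_chain` when the context is built, so a misconfigured path fails at startup rather than on the first request.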
