diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
index d47ab10..3e3e063 100644
--- a/.github/workflows/dependency-audit.yml
+++ b/.github/workflows/dependency-audit.yml
@@ -32,7 +32,7 @@ jobs:
 python-version: "3.11"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Install audit tools
 run: pip install pip-audit==2.9.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5fae00c..76f43d7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,7 +22,7 @@ jobs:
 python-version: "3.12"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Run tests
 run: uv run pytest tests/ -v
diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml
index b297d90..65b6fbe 100644
--- a/.github/workflows/update-lockfile.yml
+++ b/.github/workflows/update-lockfile.yml
@@ -22,7 +22,7 @@ jobs:
 python-version: "3.11"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Regenerate requirements.lock
 run: uv pip compile requirements.txt -o requirements.lock --generate-hashes
diff --git a/pyproject.toml b/pyproject.toml
index 851b380..9ecb9ea 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "coda"
-version = "0.18.2"
+version = "0.18.3"
 description = "CoDA - Coding Agents on Databricks Apps"
 requires-python = ">=3.10"
 dependencies = [
@@ -11,16 +11,28 @@ dependencies = [
 "databricks-sdk>=0.106.0",
 "mlflow-skinny==3.12.0",
 "requests",
- "cryptography>=46.0.7",
+ "cryptography>=48.0.0",
 # Security floors — make CVE-driven minimums explicit so future resolves
 # can't silently downgrade. See PR description for advisory IDs.
 "gitpython>=3.1.49",
- "python-multipart>=0.0.27",
+ "python-multipart>=0.0.29",
 # Upper bound is forced by our transitive ecosystem: both mlflow-skinny 3.11.x
 # AND opentelemetry-api 1.41.x cap importlib-metadata<8.8. Dependabot tried
 # to bump it to 9.0.0 (PR #3) and broke every deploy — explicit ceiling so
 # the bot won't try again until upstream widens its caps.
 "importlib-metadata<8.8",
+ # Upper bound is forced by databricks-sdk: 0.106.0 declares
+ # `protobuf!=5.26.*,...,<7.0,>=4.25.8`. Dependabot tried to bump to
+ # protobuf 7.34.1 (PR #60) and broke `pip install -r requirements.txt`.
+ # Explicit ceiling so the bot won't try again until databricks-sdk lifts
+ # its <7.0 cap.
+ "protobuf<7",
+ # Upper bound is forced by mlflow-skinny: 3.12.0 declares `starlette<1`.
+ # Dependabot tried to bump to starlette 1.0.0 (PR #59) — the pin worked
+ # with `uv pip sync` but `uv pip compile pyproject.toml` rejected it via
+ # mlflow-skinny's transitive cap. Explicit ceiling so the bot won't try
+ # again until mlflow-skinny lifts its <1 cap.
+ "starlette<1",
 ]
 [dependency-groups]
diff --git a/requirements.txt b/requirements.txt
index a009bcc..e3f4107 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -42,7 +42,7 @@ click==8.3.3
 # uvicorn
 cloudpickle==3.1.2
 # via mlflow-skinny
-cryptography==46.0.7
+cryptography==48.0.0
 # via
 # coda (pyproject.toml)
 # google-auth
@@ -122,6 +122,7 @@ packaging==26.2
 # via mlflow-skinny
 protobuf==6.33.6
 # via
+ # coda (pyproject.toml)
 # databricks-sdk
 # mlflow-skinny
 # opentelemetry-proto
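Review bot: The bumped `"cryptography>=48.0.0",` floor sits above the `# Security floors — make CVE-driven minimums explicit` comment rather than under it, so a reader cannot tell whether it is one of the CVE-driven minimums or an ordinary bump, and the comment's only pointer to the advisory IDs ("See PR description") does not travel with the file. If the cryptography bump is advisory-driven too, move the comment above that entry and record the IDs inline, e.g. `# Security floors — CVE-driven minimums (advisories: <ADVISORY-ID>, <ADVISORY-ID>) made explicit so future resolves` / `# can't silently downgrade.`, with the placeholders replaced by the IDs from the PR; otherwise a one-line comment on that entry saying why 48.0.0 is required would do. Separately, the new starlette comment cites mlflow-skinny 3.12.0, matching the `"mlflow-skinny==3.12.0"` pin in this hunk, while the older importlib-metadata comment still cites 3.11.x; if 3.12.0 still declares the <8.8 cap, updating that comment in the same pass keeps the two explanations consistent. The `dependencies` array begins before this hunk.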
@@ -139,7 +140,7 @@ pydantic==2.13.3
 # pydantic-settings
 pydantic-core==2.46.3
 # via pydantic
-pydantic-settings==2.14.0
+pydantic-settings==2.14.1
 # via mcp
 pyjwt==2.12.1
 # via mcp
@@ -149,7 +150,7 @@ python-dotenv==1.2.2
 # pydantic-settings
 python-engineio==4.13.1
 # via python-socketio
-python-multipart==0.0.27
+python-multipart==0.0.29
 # via
 # coda (pyproject.toml)
 # mcp
@@ -182,6 +183,7 @@ sse-starlette==3.3.4
 # via mcp
 starlette==0.52.1
 # via
+ # coda (pyproject.toml)
 # fastapi
 # mcp
 # mlflow-skinny