From a07a0c3414d78f79b887271ad9cbd48d654d3b06 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 May 2026 19:53:27 +0000
Subject: [PATCH 01/11] chore(deps): bump pydantic-settings from 2.14.0 to 2.14.1
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1)
---
updated-dependencies:
- dependency-name: pydantic-settings
dependency-version: 2.14.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index a009bcc..f826da6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -139,7 +139,7 @@ pydantic==2.13.3
 # pydantic-settings
 pydantic-core==2.46.3
 # via pydantic
-pydantic-settings==2.14.0
+pydantic-settings==2.14.1
 # via mcp
 pyjwt==2.12.1
 # via mcp
From 09b1ec4cbb5d6a5114d06c35e3ae7056a6813943 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 May 2026 19:53:23 +0000
Subject: [PATCH 02/11] chore(deps): bump python-multipart from 0.0.27 to 0.0.29
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.27 to 0.0.29.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.29)
---
updated-dependencies:
- dependency-name: python-multipart
dependency-version: 0.0.29
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
pyproject.toml | 2 +-
requirements.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 851b380..3a0cdf6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,7 +15,7 @@ dependencies = [
 # Security floors — make CVE-driven minimums explicit so future resolves
 # can't silently downgrade. See PR description for advisory IDs.
 "gitpython>=3.1.49",
- "python-multipart>=0.0.27",
+ "python-multipart>=0.0.29",
 # Upper bound is forced by our transitive ecosystem: both mlflow-skinny 3.11.x
 # AND opentelemetry-api 1.41.x cap importlib-metadata<8.8. Dependabot tried
 # to bump it to 9.0.0 (PR #3) and broke every deploy — explicit ceiling so
diff --git a/requirements.txt b/requirements.txt
index f826da6..e0bfded 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -149,7 +149,7 @@ python-dotenv==1.2.2
 # pydantic-settings
 python-engineio==4.13.1
 # via python-socketio
-python-multipart==0.0.27
+python-multipart==0.0.29
 # via
 # coda (pyproject.toml)
 # mcp
From b0b41f301c5bee3d5d92e92aeef2ff4031896ac5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 19:52:59 +0000
Subject: [PATCH 03/11] chore(deps): bump astral-sh/setup-uv
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 94527f2e458b27549849d47d273a16bec83a01e9 to 37802adc94f370d6bfd71619e3f0bf239e1f3b78.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](https://github.com/astral-sh/setup-uv/compare/94527f2e458b27549849d47d273a16bec83a01e9...37802adc94f370d6bfd71619e3f0bf239e1f3b78)
---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
dependency-version: 37802adc94f370d6bfd71619e3f0bf239e1f3b78
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
.github/workflows/dependency-audit.yml | 2 +-
.github/workflows/test.yml | 2 +-
.github/workflows/update-lockfile.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
index d47ab10..3e3e063 100644
--- a/.github/workflows/dependency-audit.yml
+++ b/.github/workflows/dependency-audit.yml
@@ -32,7 +32,7 @@ jobs:
 python-version: "3.11"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Install audit tools
 run: pip install pip-audit==2.9.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5fae00c..76f43d7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,7 +22,7 @@ jobs:
 python-version: "3.12"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Run tests
 run: uv run pytest tests/ -v
diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml
index b297d90..65b6fbe 100644
--- a/.github/workflows/update-lockfile.yml
+++ b/.github/workflows/update-lockfile.yml
@@ -22,7 +22,7 @@ jobs:
 python-version: "3.11"
 - name: Install uv
- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Regenerate requirements.lock
 run: uv pip compile requirements.txt -o requirements.lock --generate-hashes
From 22113e60f146dcb6827545db34a69916d64c9110 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 May 2026 19:53:01 +0000
Subject: [PATCH 04/11] chore(deps): bump cryptography from 46.0.7 to 48.0.0
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.7...48.0.0)
---
updated-dependencies:
- dependency-name: cryptography
dependency-version: 48.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
pyproject.toml | 2 +-
requirements.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 3a0cdf6..24daaa1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,7 +11,7 @@ dependencies = [
 "databricks-sdk>=0.106.0",
 "mlflow-skinny==3.12.0",
 "requests",
- "cryptography>=46.0.7",
+ "cryptography>=48.0.0",
 # Security floors — make CVE-driven minimums explicit so future resolves
 # can't silently downgrade. See PR description for advisory IDs.
 "gitpython>=3.1.49",
diff --git a/requirements.txt b/requirements.txt
index e0bfded..4b190b1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -42,7 +42,7 @@ click==8.3.3
 # uvicorn
 cloudpickle==3.1.2
 # via mlflow-skinny
-cryptography==46.0.7
+cryptography==48.0.0
 # via
 # coda (pyproject.toml)
 # google-auth
From 9f7d85b0a8d9646ae8dcf475e2177a9c1cceabc9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 May 2026 19:53:10 +0000
Subject: [PATCH 05/11] chore(deps): bump starlette from 0.52.1 to 1.0.0
Bumps [starlette](https://github.com/Kludex/starlette) from 0.52.1 to 1.0.0.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/starlette/compare/0.52.1...1.0.0)
---
updated-dependencies:
- dependency-name: starlette
dependency-version: 1.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 4b190b1..e214766 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -180,7 +180,7 @@ sqlparse==0.5.5
 # via mlflow-skinny
 sse-starlette==3.3.4
 # via mcp
-starlette==0.52.1
+starlette==1.0.0
 # via
 # fastapi
 # mcp
From eb11a0cc93ca67775a266f1efa7603ab7d68dbe0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 May 2026 19:53:19 +0000
Subject: [PATCH 06/11] chore(deps): bump protobuf from 6.33.6 to 7.34.1
Bumps [protobuf](https://github.com/protocolbuffers/protobuf) from 6.33.6 to 7.34.1.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)
---
updated-dependencies:
- dependency-name: protobuf
dependency-version: 7.34.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index e214766..bcb763a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -120,7 +120,7 @@ opentelemetry-semantic-conventions==0.62b1
 # via opentelemetry-sdk
 packaging==26.2
 # via mlflow-skinny
-protobuf==6.33.6
+protobuf==7.34.1
 # via
 # databricks-sdk
 # mlflow-skinny
From 702f1251c8e82f7ad41cf2f7eb68046d76f51227 Mon Sep 17 00:00:00 2001
From: Sathish Gangichetty
Date: Mon, 25 May 2026 18:12:48 -0400
Subject: [PATCH 07/11] Revert "chore(deps): bump protobuf from 6.33.6 to 7.34.1"
This reverts commit eb11a0cc93ca67775a266f1efa7603ab7d68dbe0.
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index bcb763a..e214766 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -120,7 +120,7 @@ opentelemetry-semantic-conventions==0.62b1
 # via opentelemetry-sdk
 packaging==26.2
 # via mlflow-skinny
-protobuf==7.34.1
+protobuf==6.33.6
 # via
 # databricks-sdk
 # mlflow-skinny
From 0b15cee9e8da87d1ef22a1f9b4bcfb792845d303 Mon Sep 17 00:00:00 2001
From: Sathish Gangichetty
Date: Mon, 25 May 2026 18:14:28 -0400
Subject: [PATCH 08/11] =?UTF-8?q?chore(deps):=20cap=20protobuf<7=20?= =?UTF-8?q?=E2=80=94=20databricks-sdk=200.106.0=20incompatible=20with=20pr?= =?UTF-8?q?otobuf=207?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Dependabot proposed protobuf 6.33.6 → 7.34.1 in #60, but databricks-sdk 0.106.0 transitively requires protobuf<7.0. The bump broke `pip install -r requirements.txt` with a resolver conflict. Adds an explicit ceiling matching the existing importlib-metadata<8.8 pattern so dependabot stops re-proposing the bump until databricks-sdk lifts its cap.
---
pyproject.toml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index 24daaa1..3966dd0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -21,6 +21,12 @@ dependencies = [
 # to bump it to 9.0.0 (PR #3) and broke every deploy — explicit ceiling so
 # the bot won't try again until upstream widens its caps.
 "importlib-metadata<8.8",
+ # Upper bound is forced by databricks-sdk: 0.106.0 declares
+ # `protobuf!=5.26.*,...,<7.0,>=4.25.8`. Dependabot tried to bump to
+ # protobuf 7.34.1 (PR #60) and broke `pip install -r requirements.txt`.
+ # Explicit ceiling so the bot won't try again until databricks-sdk lifts
+ # its <7.0 cap.
+ "protobuf<7",
 ]
 [dependency-groups]
From f90b34df77554ff8d6ca682cd295af5df0ebfe8f Mon Sep 17 00:00:00 2001
From: Sathish Gangichetty
Date: Mon, 25 May 2026 18:20:51 -0400
Subject: [PATCH 09/11] Revert "chore(deps): bump starlette from 0.52.1 to 1.0.0"
This reverts commit 9f7d85b0a8d9646ae8dcf475e2177a9c1cceabc9.
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index e214766..4b190b1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -180,7 +180,7 @@ sqlparse==0.5.5
 # via mlflow-skinny
 sse-starlette==3.3.4
 # via mcp
-starlette==1.0.0
+starlette==0.52.1
 # via
 # fastapi
 # mcp
From ab7b2923a85be07c81d9d2863dea5607eb1d5c34 Mon Sep 17 00:00:00 2001
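Review bot: `"protobuf<7"` enters the array as a direct requirement with a ceiling only, so the project's own declaration carries no lower bound; the floor currently comes solely from databricks-sdk's transitive `>=4.25.8` quoted in the new comment, and a databricks-sdk release that relaxes that floor would let a resolve pick any pre-7 protobuf while still satisfying this file. Given the "Security floors" comment a few lines up records CVE-driven minimums explicitly for the same reason, mirroring the transitive floor here, e.g. `"protobuf>=4.25.8,<7"`, keeps that guarantee under the project's control. The `...` inside `protobuf!=5.26.*,...,<7.0,>=4.25.8` elides part of the upstream specifier, so a reader cannot reproduce the constraint from the comment alone; either quote it in full or point at the databricks-sdk package metadata it was copied from. The same ceiling-only shape recurs with `"starlette<1"` in PATCH 10, and the `dependencies = [` array this hunk edits starts outside the hunk.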
From: Sathish Gangichetty
Date: Mon, 25 May 2026 18:21:31 -0400
Subject: [PATCH 10/11] chore(deps): cap starlette<1 + regenerate requirements.txt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mlflow-skinny 3.12.0 declares starlette<1 in its requirements. The dependabot bump in #59 only worked with 'uv pip sync requirements.txt' which is permissive; the canonical 'uv pip compile pyproject.toml' was silently reverting the pin to 0.52.1. Adds an explicit ceiling matching the existing protobuf<7 and importlib-metadata<8.8 patterns so dependabot stops re-proposing the bump until mlflow-skinny lifts its <1 cap. Also regenerates requirements.txt from pyproject so the file is fully consistent — adds 'coda (pyproject.toml)' to the via lists of protobuf and starlette, reflecting the new explicit constraints.
---
pyproject.toml | 6 ++++++
requirements.txt | 2 ++
2 files changed, 8 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index 3966dd0..1c1bded 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,6 +27,12 @@ dependencies = [
 # Explicit ceiling so the bot won't try again until databricks-sdk lifts
 # its <7.0 cap.
 "protobuf<7",
+ # Upper bound is forced by mlflow-skinny: 3.12.0 declares `starlette<1`.
+ # Dependabot tried to bump to starlette 1.0.0 (PR #59) — the pin worked
+ # with `uv pip sync` but `uv pip compile pyproject.toml` rejected it via
+ # mlflow-skinny's transitive cap. Explicit ceiling so the bot won't try
+ # again until mlflow-skinny lifts its <1 cap.
+ "starlette<1",
 ]
 [dependency-groups]
diff --git a/requirements.txt b/requirements.txt
index 4b190b1..e3f4107 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -122,6 +122,7 @@ packaging==26.2
 # via mlflow-skinny
 protobuf==6.33.6
 # via
+ # coda (pyproject.toml)
 # databricks-sdk
 # mlflow-skinny
 # opentelemetry-proto
@@ -182,6 +183,7 @@ sse-starlette==3.3.4
 # via mcp
 starlette==0.52.1
 # via
+ # coda (pyproject.toml)
 # fastapi
 # mcp
 # mlflow-skinny
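Review bot: The new comment names `uv pip compile pyproject.toml` as the step that rejected the bump, yet the only compile step visible on this page, `update-lockfile.yml` in PATCH 03, runs `uv pip compile requirements.txt -o requirements.lock --generate-hashes`, which resolves from requirements.txt rather than from this array; a bump that lands only in requirements.txt would then be hash-locked without `starlette<1` (or `protobuf<7`) ever being consulted. If that workflow produces the lockfile that is deployed, the ceilings added here only protect it once the compile input is pyproject.toml, and the comment should name the command that actually enforces them — the rest of that workflow is outside this page, so this is inferred from the one hunk shown. A one-line pointer such as `# Enforced only when the lockfile is compiled from pyproject.toml — see update-lockfile.yml` beside `"starlette<1"` would make the dependency explicit. The `dependencies = [` array this hunk edits starts outside the hunk.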
From b226422555b11a4a47592989d08cff061bdd9d2a Mon Sep 17 00:00:00 2001
From: Sathish Gangichetty
Date: Mon, 25 May 2026 18:24:50 -0400
Subject: [PATCH 11/11] =?UTF-8?q?chore:=20bump=20version=20to=200.18.3=20?= =?UTF-8?q?=E2=80=94=20dependency=20consolidation=20release?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Marks the dependency-bump consolidation (PR #63):
- cryptography 46.0.7 -> 48.0.0
- python-multipart 0.0.27 -> 0.0.29
- pydantic-settings 2.14.0 -> 2.14.1 (transitive)
- astral-sh/setup-uv action SHA pin
- protobuf<7 ceiling (blocks dependabot until databricks-sdk lifts cap)
- starlette<1 ceiling (blocks dependabot until mlflow-skinny lifts cap)
app.py auto-reads APP_VERSION from pyproject.toml at startup, so no other file needs editing.
---
pyproject.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 1c1bded..9ecb9ea 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "coda"
-version = "0.18.2"
+version = "0.18.3"
 description = "CoDA - Coding Agents on Databricks Apps"
 requires-python = ">=3.10"
 dependencies = [