
chore(deps): cryptography 48 + 3 patches; cap protobuf<7 and starlette<1 (consolidates #34/#58/#61/#62; defers #59/#60)#63

Merged
datasciencemonkey merged 11 commits into main from chore/dependabot-bumps-may-2026 on May 25, 2026

Conversation


@datasciencemonkey datasciencemonkey commented May 25, 2026

Summary

Consolidates open dependabot PRs into one verified bump. Each lands as its own commit (cherry-picked from the original dependabot branches with authorship preserved) so any single bump can be reverted independently if a regression surfaces.

Bumps in this PR (4 successful)

| Closes | Package | From → To | Type |
| --- | --- | --- | --- |
| #58 | cryptography | 46.0.7 → 48.0.0 | major ×2 (drops py3.8; project is ≥3.10) |
| #61 | python-multipart | 0.0.27 → 0.0.29 | patch |
| #62 | pydantic-settings | 2.14.0 → 2.14.1 | patch (transitive, via mcp) |
| #34 | astral-sh/setup-uv | 94527f2e → 37802adc | GitHub Action SHA pin |

pyproject.toml floors raised: cryptography>=48.0.0, python-multipart>=0.0.29.

Deferred (2 dependabot proposals are poison pills)

Two dependabot PRs proposed major bumps that conflict with our own pinned Databricks deps. Both are cherry-picked → reverted → ceiling-capped in pyproject.toml, so dependabot stops re-proposing them until the upstream caps lift.

| PR | Bump | Conflict |
| --- | --- | --- |
| #60 | protobuf 6.33.6 → 7.34.1 | databricks-sdk==0.106.0 declares `protobuf!=5.26.*,...,<7.0,>=4.25.8`. The bump errored `pip install -r requirements.txt` with a resolver conflict. |
| #59 | starlette 0.52.1 → 1.0.0 | mlflow-skinny==3.12.0 declares `starlette<1`. The pin "worked" with `uv pip sync` (which trusts the file) but the canonical `uv pip compile pyproject.toml` silently reverted it. Confirmed via `--verbose` resolver trace. |

New ceilings added to pyproject.toml (matching the existing importlib-metadata<8.8 pattern):

  • "protobuf<7"
  • "starlette<1"

Each carries an inline comment explaining the transitive cap, the dependabot PR number, and what would unblock re-proposing the bump.

Both PRs stay open for visibility (manual close with a "blocked on upstream cap" comment is the suggested follow-up).

Verification (local)

Per-commit, with each bump installed via uv pip sync requirements.txt:

| Commit | Tests | Notes |
| --- | --- | --- |
| pydantic-settings 2.14.1 | 347 pass, 1 npm flake (pre-existing) | transitive bump |
| python-multipart 0.0.29 | 347 pass, 1 npm flake | direct floor + lockfile |
| setup-uv SHA | n/a (CI-only action) | no runtime impact |
| cryptography 48.0.0 | 347 pass, 1 npm flake | pat_rotator, content_filter_proxy, cli_auth import + smoke OK |
| starlette 1.0.0 | reverted | conflicts with mlflow-skinny<1 cap |
| protobuf 7.34.1 | reverted | conflicts with databricks-sdk<7 cap |
| protobuf<7 ceiling + regen | n/a (pyproject + requirements.txt metadata only) | prevents future dependabot proposals |
| starlette<1 ceiling + regen | n/a (pyproject + requirements.txt metadata only) | prevents future dependabot proposals |

Final state: requirements.txt is fully consistent with pyproject.toml — verified by uv pip compile pyproject.toml -o requirements.txt producing no diff against the committed file. All 3 effective bumps (cryptography, python-multipart, pydantic-settings) report their new versions in the venv; full setup_*.py set AST-parses; app, pat_rotator, content_filter_proxy, cli_auth, telemetry, app_state, utils all import.

Tests deselected from the regression run (out-of-scope for dependency bumps):

  • tests/test_gateway_discovery.py::TestEndpointConstruction::* — invokes setup_claude.py as a subprocess; hangs on the Claude Code curl installer in some environments (timeout-bound; affects local dev but not CI).
  • tests/test_npm_version_pinning.py::TestNpmVersionLive::test_resolves_real_package — documented live-network flake, pre-existing baseline.

Why one PR

Each of the dependabot PRs touched requirements.txt, so they conflict pairwise on merge — a multi-round dependabot rebase cycle every time one merges. Folding them into one verified branch gives the existing update-lockfile.yml workflow exactly one push to regenerate requirements.lock against.

requirements.lock is not updated in this PR — the existing GitHub Actions workflow (.github/workflows/update-lockfile.yml) will regenerate it on merge to main.

Risk register

| Risk | Status |
| --- | --- |
| cryptography 48 breaks PAT JWT signing or content-filter-proxy TLS | smoke-imported both modules; tests green |
| protobuf 7 breaks MLflow trace serialization | conflict surfaced at install time — bump reverted, ceiling added |
| starlette 1.0 breaks MCP HTTP transport | conflict surfaced at compile time (mlflow-skinny cap) — bump reverted, ceiling added |
| importlib-metadata<8.8 ceiling conflict | none observed; uv pip sync resolved cleanly each step |

Test plan

  • Each commit individually verified against the unit-test baseline
  • Final cumulative smoke after all bumps applied
  • uv pip compile pyproject.toml -o requirements.txt produces no diff (file is canonical)
  • Protobuf + starlette install-time / compile-time conflicts caught; reverts + ceilings added
  • CI regenerates requirements.lock post-merge (handled by update-lockfile.yml)
  • Manual workspace deploy verification — recommended on a non-prod workspace before declaring this safe for production rollout

Closes #34
Closes #58
Closes #61
Closes #62
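The consistency check this PR leans on (pyproject.toml ceilings versus the pins that land in requirements.txt, which is exactly what caught the protobuf 7 bump) as an added example; this is not the repository's own code, the sample pyproject dependency list and requirements.txt are constructed, and the specifier matcher covers only the release-segment subset of PEP 440 (no pre/post/dev/local versions).

```python
import re
# Constructed sample inputs (not the project's real files): pyproject constraints
# plus a requirements.txt in which protobuf was bumped past its <7 ceiling.
PYPROJECT_DEPS = ["cryptography>=48.0.0", "python-multipart>=0.0.29",
                  "protobuf<7", "starlette<1"]
REQUIREMENTS_TXT = """\
# uv pip compile pyproject.toml -o requirements.txt
cryptography==48.0.0
protobuf==7.34.1
python-multipart==0.0.29
starlette==0.52.1
"""
SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9.*]+)")
DEP_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9.]+)\s*(?:#.*)?$", re.M)

def norm(name):
    # PEP 503 normalisation: python_multipart and python-multipart are one dist
    return re.sub(r"[-_.]+", "-", name).lower()

def vkey(version, width=4):
    # zero-padded release tuple, so 7 == 7.0.0 and 7.34.1 sorts above 7
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def satisfies(version, spec):
    """True if version meets every clause of e.g. '!=5.26.*,<7.0,>=4.25.8'
    (release-only subset of PEP 440: no pre/post/dev/local segments)."""
    for op, target in SPEC_RE.findall(spec):
        if target.endswith(".*"):  # wildcard clause: prefix match, for == / !=
            ok = (version + ".").startswith(target[:-1]) == (op == "==")
        else:
            a, b = vkey(version), vkey(target)
            ok = {"==": a == b, "!=": a != b, "<": a < b,
                  "<=": a <= b, ">": a > b, ">=": a >= b}[op]
        if not ok:
            return False
    return True

def find_violations(deps, requirements_text):
    """{name: (pinned, constraint)} for every pin outside its pyproject range."""
    pins = {norm(m[1]): m[2] for m in PIN_RE.finditer(requirements_text)}
    bad = {}
    for dep in deps:
        name, spec = DEP_RE.match(dep).groups()
        name = norm(name)
        if name in pins and not satisfies(pins[name], spec):
            bad[name] = (pins[name], spec)
    return bad
```

Run as a pre-merge check, `find_violations` on the constructed inputs reports only `protobuf==7.34.1` against `protobuf<7`; a clean result is the cheap local equivalent of `uv pip compile` producing no diff.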

dependabot Bot added 6 commits May 25, 2026 17:39
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.14.0...v2.14.1)

---
updated-dependencies:
- dependency-name: pydantic-settings
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.27 to 0.0.29.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.27...0.0.29)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 94527f2e458b27549849d47d273a16bec83a01e9 to 37802adc94f370d6bfd71619e3f0bf239e1f3b78.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@94527f2...37802ad)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 37802adc94f370d6bfd71619e3f0bf239e1f3b78
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...48.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [starlette](https://github.com/Kludex/starlette) from 0.52.1 to 1.0.0.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.52.1...1.0.0)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [protobuf](https://github.com/protocolbuffers/protobuf) from 6.33.6 to 7.34.1.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: protobuf
  dependency-version: 7.34.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@datasciencemonkey datasciencemonkey self-assigned this May 25, 2026
…h protobuf 7

Dependabot proposed protobuf 6.33.6 → 7.34.1 in #60, but databricks-sdk
0.106.0 transitively requires protobuf<7.0. The bump broke
`pip install -r requirements.txt` with a resolver conflict.

Adds an explicit ceiling matching the existing importlib-metadata<8.8
pattern so dependabot stops re-proposing the bump until databricks-sdk
lifts its cap.
mlflow-skinny 3.12.0 declares starlette<1 in its requirements. The
dependabot bump in #59 only worked with 'uv pip sync requirements.txt'
which is permissive; the canonical 'uv pip compile pyproject.toml' was
silently reverting the pin to 0.52.1.

Adds an explicit ceiling matching the existing protobuf<7 and
importlib-metadata<8.8 patterns so dependabot stops re-proposing the
bump until mlflow-skinny lifts its <1 cap.

Also regenerates requirements.txt from pyproject so the file is fully
consistent — adds 'coda (pyproject.toml)' to the via lists of protobuf
and starlette, reflecting the new explicit constraints.
@datasciencemonkey datasciencemonkey changed the title chore(deps): consolidate dependabot bumps — cryptography 48, starlette 1.0, protobuf 7, multipart 0.0.29, pydantic-settings 2.14.1, setup-uv chore(deps): cryptography 48 + 3 patches; cap protobuf<7 and starlette<1 (consolidates #34/#58/#61/#62; defers #59/#60) May 25, 2026
Marks the dependency-bump consolidation (PR #63):
  - cryptography 46.0.7 -> 48.0.0
  - python-multipart 0.0.27 -> 0.0.29
  - pydantic-settings 2.14.0 -> 2.14.1 (transitive)
  - astral-sh/setup-uv action SHA pin
  - protobuf<7 ceiling (blocks dependabot until databricks-sdk lifts cap)
  - starlette<1 ceiling (blocks dependabot until mlflow-skinny lifts cap)

app.py auto-reads APP_VERSION from pyproject.toml at startup, so no
other file needs editing.