
chore(deps): consolidate Dependabot Python updates (pydantic-settings, msgpack)#1448

Merged
wcchang1115 merged 2 commits into main from chore/dependabot-20260625-104156 on Jun 29, 2026

Conversation

@gcko

@gcko gcko commented Jun 25, 2026

Contributor

Summary

Consolidates the open Dependabot Python dependency updates into a single branch.

| Package | From | To | Kind | Pulled in via |
| --- | --- | --- | --- | --- |
| pydantic-settings | 2.12.0 | 2.14.2 | minor (transitive) | mcp optional extra |
| msgpack | 1.1.2 | 1.2.1 | minor (transitive) | mashumaro (dbt) |

Both are lockfile-only changes (uv.lock). Neither is a direct dependency in pyproject.toml, and neither is imported by recce source code — they are deep transitive deps exercised indirectly through the MCP server and dbt serialization.

Closes #1444
Closes #1445

Testing

  • Full backend suite: 1513 passed, 5 skipped (pytest tests, ~75s), exit 0.
  • The pytest-flake8 plugin in the [dev] extra is incompatible with pytest 9.x (pre-existing, unrelated to this change); CI's tox env does not install it, so the run disabled that plugin to match CI's effective plugin set.
  • Env verified at target versions: pydantic_settings 2.14.2, msgpack 1.2.1.

Security review

Changeset is lockfile-only, two minor transitive bumps, no security/CVE labels, no source or codemod changes — the routine tier. Focused supply-chain assessment: both are legitimate upstream releases of well-known packages; no new packages were introduced (only the two version lines changed plus msgpack platform-wheel hash churn). No findings.

Not included — needs a decision (split out deliberately)

Two major babel bumps in the separate /js pnpm workspace were intentionally left out of this consolidation:

Reasons to handle these separately:

  1. Major version (7 -> 8) — needs deliberate verification, not auto-consolidation.
  2. Split across two PRs — landing @babel/helpers@8 while @babel/runtime stays at 7 risks a mixed babel 7/8 runtime; they should move together.
  3. @babel/helpers@8.0.0 declares engines: node ^22.18.0 || >=24.11.0, but js/package.json sets engines.node: >=24 (24.0–24.10 would not satisfy it). Needs an engine-pin review.
  4. Different ecosystem/toolchain (Next.js + pnpm) — warrants its own build + vitest run.

Recommendation: a follow-up /js PR bumping both babel packages to 8.x together, after confirming the node engine floor.

Advisory dependency audit (no action taken)

Notable in-range direct-dep candidates for a future bump: deepdiff 8.6.2 -> 9.1.0 (pyproject allows <10.0), fastapi 0.137.1 -> 0.138.0, posthog 7.19.2 -> 7.20.5. Advisory only.

gcko added 2 commits June 25, 2026 10:47
Bump two transitive Python dependencies to their Dependabot target
versions in uv.lock:

- pydantic-settings 2.12.0 -> 2.14.2 (transitive via mcp extra)
- msgpack 1.1.2 -> 1.2.1 (transitive via mashumaro/dbt)

Both are lockfile-only changes; neither is a direct dependency in
pyproject.toml and neither is imported by recce source code. Full test
suite passes (1513 passed, 5 skipped).

Closes #1444
Closes #1445

Signed-off-by: Jared Scott <jared.scott@datarecce.io>
@gcko gcko self-assigned this Jun 29, 2026
@gcko gcko requested a review from wcchang1115 June 29, 2026 02:44

@wcchang1115 wcchang1115 left a comment

Collaborator


Basic UT and IT pass.
Approved, thanks!

@wcchang1115 wcchang1115 merged commit 2b6d854 into main Jun 29, 2026
15 checks passed
@wcchang1115 wcchang1115 deleted the chore/dependabot-20260625-104156 branch June 29, 2026 03:09