chore(deps): consolidate Dependabot Python updates (pydantic-settings, msgpack)#1448
Merged
Bump two transitive Python dependencies to their Dependabot target versions in uv.lock:
- pydantic-settings 2.12.0 -> 2.14.2 (transitive via mcp extra)
- msgpack 1.1.2 -> 1.2.1 (transitive via mashumaro/dbt)

Both are lockfile-only changes; neither is a direct dependency in pyproject.toml and neither is imported by recce source code.

Full test suite passes (1513 passed, 5 skipped).

Closes #1444
Closes #1445

Signed-off-by: Jared Scott <jared.scott@datarecce.io>
wcchang1115 approved these changes on Jun 29, 2026

wcchang1115 (Collaborator) left a comment:
Basic UT and IT pass.
Approved, thanks!
Summary
Consolidates the open Dependabot Python dependency updates into a single branch.
- pydantic-settings 2.12.0 -> 2.14.2 (transitive via the mcp optional extra)
- msgpack 1.1.2 -> 1.2.1 (transitive via mashumaro (dbt))

Both are lockfile-only changes (uv.lock). Neither is a direct dependency in pyproject.toml, and neither is imported by recce source code — they are deep transitive deps exercised indirectly through the MCP server and dbt serialization.

Closes #1444
Closes #1445
Testing
Full test suite passes: 1513 passed, 5 skipped (pytest tests, ~75s), exit 0.

The pytest-flake8 plugin in the [dev] extra is incompatible with pytest 9.x (pre-existing, unrelated to this change); CI's tox env does not install it, so the run disabled that plugin to match CI's effective plugin set.

Security review

Changeset is lockfile-only, two minor transitive bumps, no security/CVE labels, no source or codemod changes — the routine tier. Focused supply-chain assessment: both are legitimate upstream releases of well-known packages; no new packages were introduced (only the two version lines changed plus msgpack platform-wheel hash churn). No findings.

Not included — needs a decision (split out deliberately)
Two major babel bumps in the separate /js pnpm workspace were intentionally left out of this consolidation:
- @babel/helpers 7.29.7 -> 8.0.0
- @babel/runtime 7.29.7 -> 8.0.0

Reasons to handle these separately:
- @babel/helpers@8 while @babel/runtime stays at 7 risks a mixed babel 7/8 runtime; they should move together.
- @babel/helpers@8.0.0 declares engines: node ^22.18.0 || >=24.11.0, but js/package.json sets engines.node: >=24 (24.0–24.10 would not satisfy it). Needs an engine-pin review.

Recommendation: a follow-up /js PR bumping both babel packages to 8.x together, after confirming the node engine floor.

Advisory dependency audit (no action taken)
Notable in-range direct-dep candidates for a future bump:
- deepdiff 8.6.2 -> 9.1.0 (pyproject allows <10.0)
- fastapi 0.137.1 -> 0.138.0
- posthog 7.19.2 -> 7.20.5

Advisory only.
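The "focused supply-chain assessment" in the security review above (only the two expected version lines changed, no new packages, hash churn tied to a version bump) is the kind of check worth automating rather than eyeballing in a lockfile diff. What follows is an added example, not recce's own code or tooling: it parses two uv.lock snapshots with the standard-library tomllib (Python 3.11+) and reports packages added or removed, version changes, a change of source/registry for an existing package, and artifact hashes that moved without a version bump. The lockfile excerpts, hashes and URLs are constructed for the example; EXPECTED_BUMPS carries the two bumps from the PR text.

```python
"""Added example (not recce's own code): check that a Dependabot bump to uv.lock
touches only the expected packages and introduces no new packages, no registry
change, and no hash churn without a version change."""
import tomllib
from dataclasses import dataclass, field

# Constructed uv.lock excerpts: hashes and URLs are placeholders, not real artifacts.
OLD_LOCK = """\
version = 1

[[package]]
name = "msgpack"
version = "1.1.2"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.example/msgpack-1.1.2.tar.gz", hash = "sha256:a1" }
wheels = [{ url = "https://files.example/msgpack-1.1.2-cp312-manylinux.whl", hash = "sha256:a2" }]

[[package]]
name = "pydantic-settings"
version = "2.12.0"
source = { registry = "https://pypi.org/simple" }
wheels = [{ url = "https://files.example/pydantic_settings-2.12.0-py3-none-any.whl", hash = "sha256:b1" }]
"""

# The expected outcome of the two bumps: versions and hashes change, nothing else.
NEW_LOCK = """\
version = 1

[[package]]
name = "msgpack"
version = "1.2.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.example/msgpack-1.2.1.tar.gz", hash = "sha256:c1" }
wheels = [{ url = "https://files.example/msgpack-1.2.1-cp312-manylinux.whl", hash = "sha256:c2" }]

[[package]]
name = "pydantic-settings"
version = "2.14.2"
source = { registry = "https://pypi.org/simple" }
wheels = [{ url = "https://files.example/pydantic_settings-2.14.2-py3-none-any.whl", hash = "sha256:d1" }]
"""

# A bump that must NOT pass the routine tier: msgpack now resolves from a different
# index and an unexpected package appeared. Both are dependency-confusion signals
# that a version-number-only glance at the diff misses.
TAMPERED_LOCK = NEW_LOCK.replace(
    'version = "1.2.1"\nsource = { registry = "https://pypi.org/simple" }',
    'version = "1.2.1"\nsource = { registry = "https://mirror.example/simple" }',
) + """
[[package]]
name = "msgpack-compat"
version = "0.1.0"
source = { registry = "https://pypi.org/simple" }
wheels = [{ url = "https://files.example/msgpack_compat-0.1.0-py3-none-any.whl", hash = "sha256:e1" }]
"""


@dataclass
class LockDiff:
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    version_changes: dict[str, tuple[str, str]] = field(default_factory=dict)
    source_changes: dict[str, tuple[tuple, tuple]] = field(default_factory=dict)
    hash_only: list[str] = field(default_factory=list)  # hashes moved, version did not


def load_packages(lock_text: str) -> dict[str, dict]:
    """Index a uv.lock by package name: version, source table, and the set of artifact hashes."""
    packages = {}
    for pkg in tomllib.loads(lock_text).get("package", []):
        hashes = {wheel["hash"] for wheel in pkg.get("wheels", [])}
        if "sdist" in pkg:
            hashes.add(pkg["sdist"]["hash"])
        packages[pkg["name"]] = {
            "version": pkg["version"],
            # uv records one source table per package (registry, git, url, path, ...);
            # compare it whole so a swapped index is caught, not just a new version.
            "source": tuple(sorted(pkg.get("source", {}).items())),
            "hashes": hashes,
        }
    return packages


def diff_locks(old_text: str, new_text: str) -> LockDiff:
    old, new = load_packages(old_text), load_packages(new_text)
    diff = LockDiff(added=sorted(set(new) - set(old)), removed=sorted(set(old) - set(new)))
    for name in sorted(set(old) & set(new)):
        o, n = old[name], new[name]
        if o["source"] != n["source"]:
            diff.source_changes[name] = (o["source"], n["source"])
        if o["version"] != n["version"]:
            diff.version_changes[name] = (o["version"], n["version"])
        elif o["hashes"] != n["hashes"]:
            diff.hash_only.append(name)
    return diff


def is_routine(diff: LockDiff, expected: dict[str, tuple[str, str]]) -> bool:
    """Routine tier: exactly the expected version bumps and nothing else."""
    return (not diff.added and not diff.removed and not diff.source_changes
            and not diff.hash_only and diff.version_changes == expected)


EXPECTED_BUMPS = {"msgpack": ("1.1.2", "1.2.1"), "pydantic-settings": ("2.12.0", "2.14.2")}

if __name__ == "__main__":
    print("routine:", is_routine(diff_locks(OLD_LOCK, NEW_LOCK), EXPECTED_BUMPS))
    print("tampered:", diff_locks(OLD_LOCK, TAMPERED_LOCK))
```

Pointing this at `git show base:uv.lock` and the working-tree uv.lock gives a yes/no answer for the routine tier; anything in `added`, `source_changes` or `hash_only` is what a reviewer should open the PR for, regardless of how small the version bumps are.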
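The engines mismatch flagged in the "Not included" section (@babel/helpers@8.0.0 declares node ^22.18.0 || >=24.11.0 while js/package.json sets >=24) can be checked mechanically before the follow-up PR. The following is an added example, not part of this PR or the project: a minimal evaluator for the node-semver operators that appear in those two ranges (>=, >, <=, <, =, ^ and ||; hyphen ranges, ~, x-ranges and prerelease tags are not handled, and a bare version is treated as exact equality), plus a helper that lists the versions a project's declared engine floor admits but a dependency's range rejects. The candidate Node version list is constructed for the example.

```python
"""Added example (not recce's own code): evaluate npm `engines.node` ranges for the
node-semver operators used on this page (>=, >, <=, <, =, ^, ||) and list the
versions a project's engine floor admits but a dependency's range rejects."""
import re

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '24', '24.11' or 'v24.11.0' into (major, minor, patch); missing parts are 0."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def _caret_upper(v: Version) -> Version:
    """Exclusive upper bound of ^v: the leftmost non-zero component may not change."""
    major, minor, patch = v
    if major:
        return (major + 1, 0, 0)
    if minor:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


_COMPARATOR = re.compile(r"(\^|>=|<=|>|<|=)?(.+)")


def satisfies(version: str, range_expr: str) -> bool:
    """True if version is in range_expr: '||' separates alternatives, whitespace ANDs comparators."""
    v = parse_version(version)
    for alternative in range_expr.split("||"):
        ok = True
        for comparator in alternative.split():
            op, target = _COMPARATOR.fullmatch(comparator).groups()
            t = parse_version(target)
            if op == "^":
                ok &= t <= v < _caret_upper(t)
            elif op == ">=":
                ok &= v >= t
            elif op == ">":
                ok &= v > t
            elif op == "<=":
                ok &= v <= t
            elif op == "<":
                ok &= v < t
            else:  # '=' or a bare version: exact match (simplification of node-semver)
                ok &= v == t
        if ok:
            return True
    return False


def rejected_by_dependency(project_range: str, dependency_range: str, candidates: list[str]) -> list[str]:
    """Versions the project's engines.node admits that the dependency's engines.node rejects."""
    return [c for c in candidates
            if satisfies(c, project_range) and not satisfies(c, dependency_range)]


PROJECT_ENGINE = ">=24"                         # js/package.json engines.node, from the PR text
BABEL_HELPERS_ENGINE = "^22.18.0 || >=24.11.0"  # @babel/helpers@8.0.0 engines.node, from the PR text
# Constructed sample of Node release numbers to probe; not an exhaustive list.
CANDIDATES = ["22.18.0", "23.5.0", "24.0.0", "24.10.3", "24.11.0", "25.0.0"]

if __name__ == "__main__":
    # Versions the project would accept but @babel/helpers@8.0.0 would refuse to install on.
    print(rejected_by_dependency(PROJECT_ENGINE, BABEL_HELPERS_ENGINE, CANDIDATES))
```

The gap the PR describes shows up directly: 24.0.0 and 24.10.x pass the project's floor and fail the dependency's range. Raising the project floor to >=24.11.0 (or pinning a Node major that the dependency accepts) empties the list, which is the concrete condition the "engine-pin review" should establish before bumping both babel packages together.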