Skip to content

chore(deps): consolidate all Renovate dependency updates#10

Merged
oranheim merged 3 commits into
masterfrom
chore/consolidated-dependency-updates
Jun 18, 2026
Merged

chore(deps): consolidate all Renovate dependency updates#10
oranheim merged 3 commits into
masterfrom
chore/consolidated-dependency-updates

Conversation

@oranheim

@oranheim oranheim commented Jun 18, 2026

Copy link
Copy Markdown
Member

Consolidates all open Renovate PRs into a single branch, as requested. Each package was checked for breaking changes (context7 + upstream release notes) and verified against the full test suite.

What's included

Renovate PR Update Type
#4 GitHub Actions majors (see below) major
#5 starlette → 1.3.1 security
#6 Lock file maintenance lockfile
#7 Lock file maintenance (python deps) lockfile
#8 pygments → 2.20.0 security
#9 pytest → 9.x security

The lock file was regenerated with uv lock --upgrade, which captures the security updates and the lock-maintenance bumps in one consistent resolution (pyproject >= floors unchanged). Highlights: fastapi 0.116→0.137, starlette 0.47→1.3.1, uvicorn 0.35→0.49, websockets 15→16, pytest 8.4→9.x, pytest-asyncio 1.1→1.4, ruff 0.12→0.15.

GitHub Actions (#4)

  • actions/checkout v4 → v7
  • actions/setup-python v5 → v6
  • astral-sh/setup-uv v6 → v8.2.0 (v8 dropped moving tags, so the full version is required — already pinned by Renovate)
  • codecov/codecov-action v5 → v7
  • actions/attest-build-provenance v2 → v4

Breaking-change review

  • pytest 9[tool.pytest.ini_options] is still supported, so no config change. The new "test returns non-None / yields → error" rules only affect test_* functions; all return/yield here are in route handlers, fixtures, and lifespans. Confirmed by a green run.
  • pytest-asyncio 1.4 — only breaking item is the deprecated event_loop_policy override, which this project does not use.
  • websockets 16 — the library client already uses the modern websockets.asyncio.client API. The remaining websockets.legacy deprecation warnings come from uvicorn's server-side implementation, not our code, and are harmless.
  • GitHub Actions — basic usage needs no YAML changes beyond the version bumps; runners are GitHub-hosted.

Code adaptation

  • tests/test_server.py: ItemStatus(str, Enum)enum.StrEnum to satisfy ruff 0.15's stabilized UP042.

Verification

  • ✅ 58/58 tests pass
  • ruff check clean, ruff format --check clean
  • uv build succeeds, uv lock --check consistent

Supersedes #4, #5, #6, #7, #8, #9.


Update: full hydration + floor bump (2nd commit)

After consolidation, raised every pyproject.toml floor to the latest release that still supports the minimum Python (>=3.11), and verified the full stack imports cleanly under Python 3.11.13. Resolved versions are unchanged from the first commit — the lock delta is only the embedded constraint metadata.

  • runtime: fastapi>=0.137.2, starlette>=1.3.1, uvicorn>=0.49.0, websockets>=16.0 (httpx already latest at 0.28.1)
  • dev: pytest>=9.1.0, pytest-asyncio>=1.4.0, pytest-cov>=7.1.0, pydantic>=2.13.4, ruff>=0.15.17, restructuredtext-lint>=2.0.2, pygments>=2.20.0
  • build: hatchling>=1.30.1

Pinned-version audit

  • No == pins exist in pyproject.toml (all >= floors).
  • CI uv pin: UV_VERSION was 0.5.11, which cannot parse the current revision = 3 lockfile — bumped to 0.11.13 (the version that generated the lock). Also defined UV_VERSION in release.yml, where it was previously referenced but never set.
  • .gitignore: now ignores .DS_Store.

Note: PYTHON_VERSION stays at 3.13 (build-test) / 3.11 (release) — left as-is intentionally.

Combines all open Renovate PRs (#4-#9) into a single branch:

- GitHub Actions majors (#4): checkout v4->v7, setup-python v5->v6,
  setup-uv v6->v8.2.0, codecov-action v5->v7, attest-build-provenance v2->v4
- Security updates: starlette ->1.3.1 (#5), pygments ->2.20.0 (#8),
  pytest ->9.x (#9)
- Lock file maintenance (#6, #7): full `uv lock --upgrade`

Adapt tests/test_server.py for ruff 0.15 (new UP042): use enum.StrEnum
instead of the (str, Enum) mixin.

All 58 tests pass; ruff check, ruff format, and build are clean.
The library's WebSocket client already uses the modern websockets
API; remaining deprecation warnings originate inside uvicorn.
oranheim added 2 commits June 18, 2026 18:00
Full hydration follow-up to the consolidated dependency update. Bumps
every pyproject floor to the latest version that still supports the
project's minimum Python (>=3.11), verified by a clean import of the
full stack under 3.11:

- runtime: fastapi>=0.137.2, starlette>=1.3.1, uvicorn>=0.49.0,
  websockets>=16.0 (httpx already latest at 0.28.1)
- dev: pytest>=9.1.0, pytest-asyncio>=1.4.0, pytest-cov>=7.1.0,
  pydantic>=2.13.4, ruff>=0.15.17, restructuredtext-lint>=2.0.2,
  pygments>=2.20.0
- build: hatchling>=1.30.1

CI: bump pinned uv 0.5.11 -> 0.11.13 (0.5.11 cannot parse the current
revision=3 lockfile) and define UV_VERSION in release.yml, which
previously referenced it undefined.

gitignore: ignore .DS_Store.

Resolved versions unchanged from the prior commit; lock delta is only
the embedded constraint metadata. 58 tests pass; ruff and build clean.
Add a pull_request trigger (PRs never ran CI before; the workflow only
fired on push to master) plus a concurrency group to cancel superseded
runs on the same ref.
@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@oranheim oranheim merged commit 79f40dc into master Jun 18, 2026
4 checks passed
@oranheim oranheim deleted the chore/consolidated-dependency-updates branch June 18, 2026 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant