enable resolves_to_uploaded_prior_to for our own lockfile(s) #23440
cburroughs wants to merge 8 commits into
Conversation
There is obviously no perfect delay, I thought 2 days balanced safety with being able to update projects we track more closely the same week they are released. Notice: An LLM pointed out the pattern we already had in generate_builtin_lockfiles.py
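The cooldown the description argues about (2 days here, 7 days raised in review) is simple to state in code. The block below is an added example, not Pants' or Pex's implementation of resolves_to_uploaded_prior_to: it applies the rule to release metadata shaped like PyPI's JSON API (releases, each a list of files with upload_time_iso_8601 and yanked), treats a release as eligible only when every non-yanked file was uploaded strictly before now minus the cooldown, and takes the newest eligible version. The release data, the fixed NOW, and the names resolve_with_cooldown and newest_uploaded_prior_to are constructed for this example; the numeric version ordering is a simplification of PEP 440.

```python
"""Pick the newest release that was uploaded before a cooldown cutoff.

Added illustration of the "uploaded prior to" rule; this is not Pants' or
Pex's code. Input is in the shape of PyPI's JSON API but is constructed
inline so the example runs offline.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the constructed timestamps below are deterministic.
NOW = datetime(2026, 6, 20, 12, 0, tzinfo=timezone.utc)


def _iso(days_ago: float) -> str:
    """Constructed PyPI-style timestamp (ISO 8601 with a trailing Z)."""
    return (NOW - timedelta(days=days_ago)).isoformat().replace("+00:00", "Z")


# Constructed sample: a project with four releases. 2.4.1 is one day old,
# 2.4.2 is yanked, 2.4.0 has two files uploaded half a day apart.
SAMPLE_RELEASES: dict[str, list[dict]] = {
    "2.3.0": [{"upload_time_iso_8601": _iso(120), "yanked": False}],
    "2.4.0": [
        {"upload_time_iso_8601": _iso(10.5), "yanked": False},  # sdist
        {"upload_time_iso_8601": _iso(10.0), "yanked": False},  # wheel, landed later
    ],
    "2.4.1": [{"upload_time_iso_8601": _iso(1), "yanked": False}],
    "2.4.2": [{"upload_time_iso_8601": _iso(5), "yanked": True}],  # yanked: never eligible
}


def _version_key(version: str) -> tuple[int, ...]:
    """Ordering key for plain dotted numeric versions.

    Simplification: a real resolver uses PEP 440 ordering
    (e.g. packaging.version.Version), which also handles pre/post releases.
    """
    return tuple(int(part) for part in version.split("."))


def _parse_ts(ts: str) -> datetime:
    """Parse PyPI's ISO 8601 timestamps; fromisoformat wants +00:00, not Z."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def release_upload_time(files: list[dict]) -> Optional[datetime]:
    """When the release became fully available: the *last* non-yanked file.

    Returns None if every file is yanked, so the release is never chosen.
    Using the latest file is the conservative choice: a wheel added after the
    sdist restarts the clock rather than inheriting the sdist's age.
    """
    times = [_parse_ts(f["upload_time_iso_8601"]) for f in files if not f.get("yanked")]
    return max(times) if times else None


def newest_uploaded_prior_to(
    releases: dict[str, list[dict]], cutoff: datetime
) -> Optional[str]:
    """Highest version whose files were all uploaded strictly before cutoff."""
    eligible = []
    for version, files in releases.items():
        uploaded = release_upload_time(files)
        if uploaded is not None and uploaded < cutoff:
            eligible.append(version)
    # None rather than the newest upload: a resolve with no eligible release
    # should fail loudly, not quietly bypass the cooldown.
    return max(eligible, key=_version_key) if eligible else None


def resolve_with_cooldown(
    releases: dict[str, list[dict]], cooldown_days: float, now: datetime = NOW
) -> Optional[str]:
    """Resolve with an 'uploaded prior to now - cooldown' constraint."""
    return newest_uploaded_prior_to(releases, now - timedelta(days=cooldown_days))


if __name__ == "__main__":
    for days in (0, 2, 7):
        print(f"cooldown={days}d -> {resolve_with_cooldown(SAMPLE_RELEASES, days)}")
```

With no cooldown the resolver takes 2.4.1; with the 2-day (or 7-day) value it skips the one-day-old upload and pins 2.4.0, which is the whole point of the delay: a compromised or hijacked release is usually reported and yanked within days of upload, and a cooldown keeps a lockfile from pinning it during that window. When nothing qualifies the function returns None so the resolve fails rather than silently picking a fresh upload.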
Lockfile diff: 3rdparty/python/user_reqs.lock [python-default]
== Upgraded dependencies ==
anyio 4.13.0 --> 4.14.0
certifi 2026.4.22 --> 2026.6.17
click 8.3.2 --> 8.4.1
cross-web 0.6.0 --> 0.7.0
cryptography 46.0.7 --> 49.0.0
googleapis-common-protos 1.74.0 --> 1.75.0
graphql-core 3.2.8 --> 3.2.11
httptools 0.7.1 --> 0.8.0
idna 3.12 --> 3.18
librt 0.9.0 --> 0.11.0
pathspec 1.0.4 --> 1.1.1
pydantic 2.13.3 --> 2.13.4
pydantic-core 2.46.3 --> 2.46.4
pyelftools 0.32 --> 0.33
pyjwt 2.12.1 --> 2.13.0
python-multipart 0.0.26 --> 0.0.32
soupsieve 2.8.3 --> 2.8.4
ujson 5.12.0 --> 5.13.0
urllib3 2.6.3 --> 2.7.0
watchfiles 1.1.1 --> 1.2.0
zipp 3.23.1 --> 4.1.0

Lockfile diff: 3rdparty/python/pytest.lock [pytest]
== Upgraded dependencies ==
asttokens 3.0.0 --> 3.0.1
coverage 7.11.3 --> 7.14.2
decorator 5.2.1 --> 5.3.1
icdiff 2.0.7 --> 2.0.10
ipython 9.7.0 --> 9.14.1
jedi 0.19.2 --> 0.20.0
matplotlib-inline 0.2.1 --> 0.2.2
packaging 25.0 --> 26.2
parso 0.8.5 --> 0.8.7
pygments 2.19.2 --> 2.20.0
pytest-asyncio 1.3.0 --> 1.4.0
pytest-html 4.1.1 --> 4.2.0
traitlets 5.14.3 --> 5.15.1
wcwidth 0.2.14 --> 0.8.1
== Added dependencies ==
psutil 7.2.2

Lockfile diff: 3rdparty/python/mypy.lock [mypy]
== Upgraded dependencies ==
librt 0.8.1 --> 0.11.0
pathspec 1.0.4 --> 1.1.1

Lockfile diff: 3rdparty/python/external-tool-upgrade.lock [external-tool-upgrade]
== Upgraded dependencies ==
certifi 2026.1.4 --> 2026.6.17
charset-normalizer 3.4.4 --> 3.4.7
idna 3.11 --> 3.18
pygments 2.19.2 --> 2.20.0
urllib3 2.6.3 --> 2.7.0

Lockfile diff: elfdeps.lock [elfdeps]
== Upgraded dependencies ==
pyelftools 0.32 --> 0.33

Lockfile diff: pylint.lock [pylint]
== Upgraded dependencies ==
astroid 4.0.2 --> 4.0.4
dill 0.4.0 --> 0.4.1
isort 7.0.0 --> 8.0.1
platformdirs 4.5.0 --> 4.10.0
pylint 4.0.3 --> 4.0.6
tomli 2.3.0 --> 2.4.1
tomlkit 0.13.3 --> 0.15.0

Lockfile diff: black.lock [black]
== Upgraded dependencies ==
packaging 25.0 --> 26.2
pathspec 0.12.1 --> 1.1.1
tomli 2.3.0 --> 2.4.1

Lockfile diff: helm-post-renderer.lock [helm-post-renderer]
== Upgraded dependencies ==
ruamel-yaml-clib 0.2.14 --> 0.2.15

Lockfile diff: sqlfluff.lock [sqlfluff]
== Upgraded dependencies ==
diff-cover 9.7.2 --> 10.0.0
exceptiongroup 1.3.0 --> 1.3.1
packaging 25.0 --> 26.2
pathspec 0.12.1 --> 1.1.1
pygments 2.19.2 --> 2.20.0
regex 2025.11.3 --> 2026.1.15
tomli 2.3.0 --> 2.4.1
tqdm 4.67.1 --> 4.68.3

Lockfile diff: mypy.lock [mypy]
== Upgraded dependencies ==
librt 0.7.8 --> 0.11.0
pathspec 1.0.4 --> 1.1.1
tomli 2.4.0 --> 2.4.1

Lockfile diff: setuptools.lock [setuptools]
== Upgraded dependencies ==
setuptools 80.9.0 --> 82.0.1
wheel 0.45.1 --> 0.47.0
== Added dependencies ==
packaging 26.2

Lockfile diff: helm-k8s-parser.lock [helm-k8s-parser]
== Upgraded dependencies ==
certifi 2025.11.12 --> 2026.6.17
charset-normalizer 3.4.4 --> 3.4.7
idna 3.11 --> 3.18
kubernetes 34.1.0 --> 35.0.0
packaging 25.0 --> 26.2
pathspec 0.12.1 --> 1.1.1
ruamel-yaml 0.18.16 --> 0.19.1
tomli 2.3.0 --> 2.4.1
urllib3 2.3.0 --> 2.6.3
== Removed dependencies ==
cachetools 6.2.2
google-auth 2.43.0
pyasn1 0.6.1
pyasn1-modules 0.4.2
rsa 4.9.1
ruamel-yaml-clib 0.2.14

Lockfile diff: yamllint.lock [yamllint]
== Upgraded dependencies ==
pathspec 0.12.1 --> 1.1.1

Lockfile diff: pytype.lock [pytype]
== Upgraded dependencies ==
attrs 25.4.0 --> 26.1.0
immutabledict 4.2.2 --> 4.3.1
msgspec 0.19.0 --> 0.20.0
pyparsing 3.2.5 --> 3.3.2

Lockfile diff: pydocstyle.lock [pydocstyle]
== Upgraded dependencies ==
snowballstemmer 3.0.1 --> 3.1.1
tomli 2.3.0 --> 2.4.1

Lockfile diff: autoflake.lock [autoflake]
== Upgraded dependencies ==
tomli 2.3.0 --> 2.4.1

Lockfile diff: mypy-protobuf.lock [mypy-protobuf]
== Upgraded dependencies ==
mypy-protobuf 3.6.0 --> 3.7.0
protobuf 6.33.1 --> 6.33.6
types-protobuf 6.32.1.20251105 --> 6.32.1.20251210

Lockfile diff: pytest.lock [pytest]
== Upgraded dependencies ==
exceptiongroup 1.3.0 --> 1.3.1
packaging 25.0 --> 26.2
pygments 2.19.2 --> 2.20.0
tomli 2.3.0 --> 2.4.1

Lockfile diff: twine.lock [twine]
== Upgraded dependencies ==
certifi 2025.11.12 --> 2026.6.17
charset-normalizer 3.4.4 --> 3.4.7
docutils 0.22.3 --> 0.23
idna 3.11 --> 3.18
jaraco-context 6.0.1 --> 6.1.1
jaraco-functools 4.3.0 --> 4.4.0
keyring 25.6.0 --> 25.7.0
nh3 0.3.2 --> 0.3.6
pygments 2.19.2 --> 2.20.0
rich 14.2.0 --> 15.0.0
urllib3 2.5.0 --> 2.6.3
zipp 3.23.0 --> 3.23.1

Lockfile diff: setuptools-scm.lock [setuptools-scm]
== Upgraded dependencies ==
packaging 25.0 --> 26.2
setuptools 80.9.0 --> 82.0.1
tomli 2.3.0 --> 2.4.1

Lockfile diff: python-grpclib-protobuf.lock [python-grpclib-protobuf]
== Upgraded dependencies ==
multidict 6.7.0 --> 6.7.1
protobuf 6.33.1 --> 6.33.6

Lockfile diff: yapf.lock [yapf]
== Upgraded dependencies ==
tomli 2.3.0 --> 2.4.1

Lockfile diff: semgrep.lock [semgrep]
== Upgraded dependencies ==
attrs 25.4.0 --> 26.1.0
certifi 2025.11.12 --> 2026.6.17
charset-normalizer 3.4.4 --> 3.4.7
face 24.0.0 --> 26.0.0
googleapis-common-protos 1.72.0 --> 1.75.0
idna 3.11 --> 3.18
importlib-metadata 8.7.0 --> 8.7.1
packaging 25.0 --> 26.2
peewee 3.18.3 --> 3.19.0
protobuf 5.29.5 --> 5.29.6
pygments 2.19.2 --> 2.20.0
rich 14.2.0 --> 15.0.0
ruamel-yaml-clib 0.2.14 --> 0.2.15
urllib3 2.5.0 --> 2.6.3
zipp 3.23.0 --> 3.23.1

Lockfile diff: ipython.lock [ipython]
== Upgraded dependencies ==
asttokens 3.0.0 --> 3.0.1
decorator 5.2.1 --> 5.3.1
exceptiongroup 1.3.0 --> 1.3.1
matplotlib-inline 0.2.1 --> 0.2.2
parso 0.8.5 --> 0.8.7
pygments 2.19.2 --> 2.20.0
traitlets 5.14.3 --> 5.15.1
wcwidth 0.2.14 --> 0.8.1

Lockfile diff: coverage-py.lock [coverage-py]
== Upgraded dependencies ==
tomli 2.3.0 --> 2.4.1

Lockfile diff: bandit.lock [bandit]
== Upgraded dependencies ==
gitpython 3.1.45 --> 3.1.50
pygments 2.19.2 --> 2.20.0
rich 14.2.0 --> 15.0.0
setuptools 80.9.0 --> 82.0.1
smmap 5.0.2 --> 5.0.3
Internal Lockfile changes:
bundled lockfile changes:
| "pex_version": "2.69.1", | ||
| "pip_version": "25.3", | ||
| "pex_version": "2.95.1", | ||
| "pip_version": "20.3.4-patched", |
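Review bot: pip_version goes backwards here, from "25.3" to "20.3.4-patched", in the same header where pex_version moves forward from "2.69.1" to "2.95.1", so this bundled lockfile was regenerated with a much older pip resolver than the one that produced the previous pins. Confirm that is deliberate before merging, or regenerate with a current pip once the sequencing is sorted out, since this header is the only record in the lockfile of which resolver chose the pinned set.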
Sigh, okay, I see what happened here. This is an artifact of Pip dropping 3.9 support. That was the next thing I was going to tackle, but it is going to be cleaner to re-sequence and do that first.
I hate lockfile update PRs. I think the idea is good - I noticed a couple of cases where the pip metadata went from 25.x to 20.x-patched. I made a comment on one, clangformat had one too I think. Any idea what happened there?
Bike shedding - 7 days appears to be the per-language standard for updating "late enough" but "soon enough". Though, that feels like it could be completely arbitrary. I have no strong feelings on this though. Our dependabot cooldown is also 7 days, but again, I think I just exposed a default value.
There is obviously no perfect delay, I thought 2 days balanced safety
with being able to update projects we track more closely the same week
they are released.
See #22986 for prior discussion on the brittleness of some of these tests with regards to packaging and pypa/packaging#935

NOTE: This adds a resolve toggle to generate_builtin_lockfiles.py so we can split apart "switching to uv" from the next needed generation.

Notice: An LLM pointed out the pattern we already had in generate_builtin_lockfiles.py

closes #23231