enable resolves_to_uploaded_prior_to for our own lockfile(s) #23440

Open: cburroughs wants to merge 8 commits into pantsbuild:main from cburroughs:csb/resolves_to_uploaded_prior_to

@cburroughs (Contributor) commented Jun 24, 2026

There is obviously no perfect delay, I thought 2 days balanced safety
with being able to update projects we track more closely the same week
they are released.

See #22986 for prior discussion on the brittleness of some of these tests with regard to packaging and pypa/packaging#935.

NOTE: This adds a resolve toggle to generate_builtin_lockfiles.py so we can split apart "switching to uv" from the next needed generation.

Notice: An LLM pointed out the pattern we already had in
generate_builtin_lockfiles.py

closes #23231

@cburroughs

Contributor Author

Internal Lockfile changes:

Lockfile diff: 3rdparty/python/user_reqs.lock [python-default]

==                    Upgraded dependencies                     ==

  anyio                          4.13.0       -->   4.14.0
  certifi                        2026.4.22    -->   2026.6.17
  click                          8.3.2        -->   8.4.1
  cross-web                      0.6.0        -->   0.7.0
  cryptography                   46.0.7       -->   49.0.0
  googleapis-common-protos       1.74.0       -->   1.75.0
  graphql-core                   3.2.8        -->   3.2.11
  httptools                      0.7.1        -->   0.8.0
  idna                           3.12         -->   3.18
  librt                          0.9.0        -->   0.11.0
  pathspec                       1.0.4        -->   1.1.1
  pydantic                       2.13.3       -->   2.13.4
  pydantic-core                  2.46.3       -->   2.46.4
  pyelftools                     0.32         -->   0.33
  pyjwt                          2.12.1       -->   2.13.0
  python-multipart               0.0.26       -->   0.0.32
  soupsieve                      2.8.3        -->   2.8.4
  ujson                          5.12.0       -->   5.13.0
  urllib3                        2.6.3        -->   2.7.0
  watchfiles                     1.1.1        -->   1.2.0
  zipp                           3.23.1       -->   4.1.0

Lockfile diff: 3rdparty/python/pytest.lock [pytest]

==                    Upgraded dependencies                     ==

  asttokens                      3.0.0        -->   3.0.1
  coverage                       7.11.3       -->   7.14.2
  decorator                      5.2.1        -->   5.3.1
  icdiff                         2.0.7        -->   2.0.10
  ipython                        9.7.0        -->   9.14.1
  jedi                           0.19.2       -->   0.20.0
  matplotlib-inline              0.2.1        -->   0.2.2
  packaging                      25.0         -->   26.2
  parso                          0.8.5        -->   0.8.7
  pygments                       2.19.2       -->   2.20.0
  pytest-asyncio                 1.3.0        -->   1.4.0
  pytest-html                    4.1.1        -->   4.2.0
  traitlets                      5.14.3       -->   5.15.1
  wcwidth                        0.2.14       -->   0.8.1

==                      Added dependencies                      ==

  psutil                         7.2.2

Lockfile diff: 3rdparty/python/mypy.lock [mypy]

==                    Upgraded dependencies                     ==

  librt                          0.8.1        -->   0.11.0
  pathspec                       1.0.4        -->   1.1.1

Lockfile diff: 3rdparty/python/external-tool-upgrade.lock [external-tool-upgrade]

==                    Upgraded dependencies                     ==

  certifi                        2026.1.4     -->   2026.6.17
  charset-normalizer             3.4.4        -->   3.4.7
  idna                           3.11         -->   3.18
  pygments                       2.19.2       -->   2.20.0
  urllib3                        2.6.3        -->   2.7.0

@cburroughs

Contributor Author

bundled lockfile changes:

Lockfile diff: elfdeps.lock [elfdeps]

==                    Upgraded dependencies                     ==

  pyelftools                     0.32         -->   0.33

Lockfile diff: pylint.lock [pylint]

==                    Upgraded dependencies                     ==

  astroid                        4.0.2        -->   4.0.4
  dill                           0.4.0        -->   0.4.1
  isort                          7.0.0        -->   8.0.1
  platformdirs                   4.5.0        -->   4.10.0
  pylint                         4.0.3        -->   4.0.6
  tomli                          2.3.0        -->   2.4.1
  tomlkit                        0.13.3       -->   0.15.0

Lockfile diff: black.lock [black]

==                    Upgraded dependencies                     ==

  packaging                      25.0         -->   26.2
  pathspec                       0.12.1       -->   1.1.1
  tomli                          2.3.0        -->   2.4.1

Lockfile diff: helm-post-renderer.lock [helm-post-renderer]

==                    Upgraded dependencies                     ==

  ruamel-yaml-clib               0.2.14       -->   0.2.15

Lockfile diff: sqlfluff.lock [sqlfluff]

==                    Upgraded dependencies                     ==

  diff-cover                     9.7.2        -->   10.0.0
  exceptiongroup                 1.3.0        -->   1.3.1
  packaging                      25.0         -->   26.2
  pathspec                       0.12.1       -->   1.1.1
  pygments                       2.19.2       -->   2.20.0
  regex                          2025.11.3    -->   2026.1.15
  tomli                          2.3.0        -->   2.4.1
  tqdm                           4.67.1       -->   4.68.3

Lockfile diff: mypy.lock [mypy]

==                    Upgraded dependencies                     ==

  librt                          0.7.8        -->   0.11.0
  pathspec                       1.0.4        -->   1.1.1
  tomli                          2.4.0        -->   2.4.1

Lockfile diff: setuptools.lock [setuptools]

==                    Upgraded dependencies                     ==

  setuptools                     80.9.0       -->   82.0.1
  wheel                          0.45.1       -->   0.47.0

==                      Added dependencies                      ==

  packaging                      26.2

Lockfile diff: helm-k8s-parser.lock [helm-k8s-parser]

==                    Upgraded dependencies                     ==

  certifi                        2025.11.12   -->   2026.6.17
  charset-normalizer             3.4.4        -->   3.4.7
  idna                           3.11         -->   3.18
  kubernetes                     34.1.0       -->   35.0.0
  packaging                      25.0         -->   26.2
  pathspec                       0.12.1       -->   1.1.1
  ruamel-yaml                    0.18.16      -->   0.19.1
  tomli                          2.3.0        -->   2.4.1
  urllib3                        2.3.0        -->   2.6.3

==                     Removed dependencies                     ==

  cachetools                     6.2.2
  google-auth                    2.43.0
  pyasn1                         0.6.1
  pyasn1-modules                 0.4.2
  rsa                            4.9.1
  ruamel-yaml-clib               0.2.14

Lockfile diff: yamllint.lock [yamllint]

==                    Upgraded dependencies                     ==

  pathspec                       0.12.1       -->   1.1.1

Lockfile diff: pytype.lock [pytype]

==                    Upgraded dependencies                     ==

  attrs                          25.4.0       -->   26.1.0
  immutabledict                  4.2.2        -->   4.3.1
  msgspec                        0.19.0       -->   0.20.0
  pyparsing                      3.2.5        -->   3.3.2

Lockfile diff: pydocstyle.lock [pydocstyle]

==                    Upgraded dependencies                     ==

  snowballstemmer                3.0.1        -->   3.1.1
  tomli                          2.3.0        -->   2.4.1

Lockfile diff: autoflake.lock [autoflake]

==                    Upgraded dependencies                     ==

  tomli                          2.3.0        -->   2.4.1

Lockfile diff: mypy-protobuf.lock [mypy-protobuf]

==                    Upgraded dependencies                     ==

  mypy-protobuf                  3.6.0        -->   3.7.0
  protobuf                       6.33.1       -->   6.33.6
  types-protobuf                 6.32.1.20251105   -->   6.32.1.20251210

Lockfile diff: pytest.lock [pytest]

==                    Upgraded dependencies                     ==

  exceptiongroup                 1.3.0        -->   1.3.1
  packaging                      25.0         -->   26.2
  pygments                       2.19.2       -->   2.20.0
  tomli                          2.3.0        -->   2.4.1

Lockfile diff: twine.lock [twine]

==                    Upgraded dependencies                     ==

  certifi                        2025.11.12   -->   2026.6.17
  charset-normalizer             3.4.4        -->   3.4.7
  docutils                       0.22.3       -->   0.23
  idna                           3.11         -->   3.18
  jaraco-context                 6.0.1        -->   6.1.1
  jaraco-functools               4.3.0        -->   4.4.0
  keyring                        25.6.0       -->   25.7.0
  nh3                            0.3.2        -->   0.3.6
  pygments                       2.19.2       -->   2.20.0
  rich                           14.2.0       -->   15.0.0
  urllib3                        2.5.0        -->   2.6.3
  zipp                           3.23.0       -->   3.23.1

Lockfile diff: setuptools-scm.lock [setuptools-scm]

==                    Upgraded dependencies                     ==

  packaging                      25.0         -->   26.2
  setuptools                     80.9.0       -->   82.0.1
  tomli                          2.3.0        -->   2.4.1

Lockfile diff: python-grpclib-protobuf.lock [python-grpclib-protobuf]

==                    Upgraded dependencies                     ==

  multidict                      6.7.0        -->   6.7.1
  protobuf                       6.33.1       -->   6.33.6

Lockfile diff: yapf.lock [yapf]

==                    Upgraded dependencies                     ==

  tomli                          2.3.0        -->   2.4.1

Lockfile diff: semgrep.lock [semgrep]

==                    Upgraded dependencies                     ==

  attrs                          25.4.0       -->   26.1.0
  certifi                        2025.11.12   -->   2026.6.17
  charset-normalizer             3.4.4        -->   3.4.7
  face                           24.0.0       -->   26.0.0
  googleapis-common-protos       1.72.0       -->   1.75.0
  idna                           3.11         -->   3.18
  importlib-metadata             8.7.0        -->   8.7.1
  packaging                      25.0         -->   26.2
  peewee                         3.18.3       -->   3.19.0
  protobuf                       5.29.5       -->   5.29.6
  pygments                       2.19.2       -->   2.20.0
  rich                           14.2.0       -->   15.0.0
  ruamel-yaml-clib               0.2.14       -->   0.2.15
  urllib3                        2.5.0        -->   2.6.3
  zipp                           3.23.0       -->   3.23.1

Lockfile diff: ipython.lock [ipython]

==                    Upgraded dependencies                     ==

  asttokens                      3.0.0        -->   3.0.1
  decorator                      5.2.1        -->   5.3.1
  exceptiongroup                 1.3.0        -->   1.3.1
  matplotlib-inline              0.2.1        -->   0.2.2
  parso                          0.8.5        -->   0.8.7
  pygments                       2.19.2       -->   2.20.0
  traitlets                      5.14.3       -->   5.15.1
  wcwidth                        0.2.14       -->   0.8.1

Lockfile diff: coverage-py.lock [coverage-py]

==                    Upgraded dependencies                     ==

  tomli                          2.3.0        -->   2.4.1

Lockfile diff: bandit.lock [bandit]

==                    Upgraded dependencies                     ==

  gitpython                      3.1.45       -->   3.1.50
  pygments                       2.19.2       -->   2.20.0
  rich                           14.2.0       -->   15.0.0
  setuptools                     80.9.0       -->   82.0.1
  smmap                          5.0.2        -->   5.0.3

@cburroughs cburroughs marked this pull request as ready for review June 24, 2026 21:00
@cburroughs cburroughs requested review from benjyw and sureshjoshi June 24, 2026 21:00
"pex_version": "2.69.1",
"pip_version": "25.3",
"pex_version": "2.95.1",
"pip_version": "20.3.4-patched",
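Review bot: pip_version goes backwards in this lockfile header, from 25.3 to 20.3.4-patched, while pex_version moves forward from 2.69.1 to 2.95.1. The issue linked to this pull request ties the option to Pip 26.1, so please confirm which Pip actually produced this lockfile and regenerate it with the intended version; as recorded, the metadata cannot be used to check that this resolve was generated under the new setting.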

Member

What happened here?

Contributor Author

sigh okay I see what happened here. This is an artifact of Pip dropping 3.9 support. That was the next thing I was going to tackle, but it is going to be cleaner to re-sequence and do that first.

@sureshjoshi

Member

I hate lockfile update PRs.

I think the idea is good - I noticed a couple of cases where the pip metadata went from 25.x to 20.x-patched. I made a comment on one, clangformat had one too I think. Any idea what happened there?

@sureshjoshi

Member

Bike shedding - 7 days appears to be the per-language standard for updating "late enough" but "soon enough". Though, that feels like it could be completely arbitrary.

I have no strong feelings on this though. Our dependabot cooldown is also 7 days, but again, I think I just exposed a default value.

cburroughs added a commit that referenced this pull request Jun 30, 2026
Python 3.9 has been EoL for a while, and support has been removed from Pip.

Based on the pattern in #22578 ; paves the way for a redux of #23440
Development

Successfully merging this pull request may close these issues.

dogfood python.resolves_to_uploaded_prior_to once we are on Pip 26.1
