Skip to content

Commit 95a998e

Browse files
committed
chore(deps): bump dependencies, lock ffi submodule, and expose uv_ffi version
- Locked `uv` submodule to the latest FFI target isolation commit (v0.10.8.post4). - Added dynamic `__version__` resolution in `uv_ffi/__init__.py` via importlib. - Bumped `cryptography` (>=46.0.7) and `authlib` (>=1.6.9) to patch recent CVEs for modern Python versions. - Added explicit dependency tracking notes for Python 3.7 LTS backports. - Regenerated pip-compile lockfiles. Modified: • src/omnipkg/_vendor/uv_ffi/__init__.py (+6/-0 lines) • pyproject.toml (+8/-1 lines) • requirements-trace.txt (+7/-5 lines) • requirements.txt (+12/-3 lines) [gitship-generated]
1 parent 6396bcf commit 95a998e

5 files changed

Lines changed: 34 additions & 10 deletions

File tree

pyproject.toml

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ dependencies = [
7373
"dataclasses>=0.6; python_version == '3.7'",
7474

7575
# Authlib - version split by Python
76-
"authlib>=1.6.5; python_version >= '3.9'", # Patched for recent CVEs
76+
"authlib>=1.6.9; python_version >= '3.9'", # Patched for recent CVEs
7777
"authlib>=1.3.2,<1.4.0; python_version == '3.8'", # Max support for 3.8
7878
"authlib>=1.2.1,<1.3.0; python_version == '3.7'", # Last known stable for 3.7
7979
# TODO: Create authlib-lts to backport security fixes for Python 3.7-3.8
@@ -84,6 +84,13 @@ dependencies = [
8484
"aiohttp>=3.10.11,<3.11.0; python_version == '3.8'", # Last Py3.8 version (9 known CVEs)
8585
"aiohttp>=3.13.5; python_version >= '3.9'", # Latest with all patches
8686
#aiohttp-lts on to-do list for pythons 3.7 and 3.8
87+
88+
# cryptography - version split by Python
89+
# Python 3.7: stuck at 45.0.7 (upstream dropped 3.7 before 46.x)
90+
# CVEs unresolved: CVE-2026-26007 (HIGH), CVE-2026-34073 (LOW), CVE-2026-39892 (MODERATE)
91+
# TODO: cryptography-lts needed for py37 to backport fixes landing in 46.0.5–46.0.7
92+
"cryptography>=45.0.7,<46.0; python_version == '3.7'", # UNSAFE: 3 open CVEs, best available
93+
"cryptography>=46.0.7; python_version >= '3.8'", # fully patched
8794

8895
# Security scanning
8996
# safety moved to optional 'audit' extra due to CVE-2025-14009 in nltk dependency

requirements-trace.txt

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
# This file is autogenerated by pip-compile with Python 3.11
33
# by the following command:
44
#
5-
# pip-compile --output-file=requirements-trace.txt pyproject.toml
5+
# pip-compile --output-file=requirements-trace.txt --strip-extras pyproject.toml
66
#
77
aiohappyeyeballs==2.6.1
88
# via aiohttp
@@ -20,7 +20,7 @@ blinker==1.9.0
2020
# via flask
2121
boolean-py==5.0
2222
# via license-expression
23-
cachecontrol[filecache]==0.14.4
23+
cachecontrol==0.14.4
2424
# via
2525
# cachecontrol
2626
# pip-audit
@@ -34,8 +34,10 @@ click==8.3.1
3434
# via
3535
# flask
3636
# typer
37-
cryptography==46.0.5
38-
# via authlib
37+
cryptography==46.0.7 ; python_version >= "3.8"
38+
# via
39+
# authlib
40+
# omnipkg (pyproject.toml)
3941
cyclonedx-python-lib==11.7.0
4042
# via pip-audit
4143
defusedxml==0.7.1
@@ -138,7 +140,7 @@ urllib3==2.6.3 ; python_version >= "3.10"
138140
# requests
139141
uv==0.10.11 ; python_version >= "3.8"
140142
# via omnipkg (pyproject.toml)
141-
uv-ffi==0.10.8.post2 ; python_version >= "3.8" and python_version <= "3.14"
143+
uv-ffi==0.10.8.post3 ; python_version >= "3.8" and python_version <= "3.14"
142144
# via omnipkg (pyproject.toml)
143145
werkzeug==3.1.6 ; python_version >= "3.9"
144146
# via

requirements.txt

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,9 @@
1+
#
2+
# This file is autogenerated by pip-compile with Python 3.11
3+
# by the following command:
4+
#
5+
# pip-compile --no-annotate --output-file=requirements.txt --strip-extras pyproject.toml
6+
#
17
aiohappyeyeballs==2.6.1
28
aiohttp==3.13.5 ; python_version >= "3.9"
39
aiosignal==1.4.0
@@ -6,12 +12,12 @@ attrs==25.4.0
612
authlib==1.6.9 ; python_version >= "3.9"
713
blinker==1.9.0
814
boolean-py==5.0
9-
cachecontrol[filecache]==0.14.4
15+
cachecontrol==0.14.4
1016
certifi==2026.2.25
1117
cffi==2.0.0
1218
charset-normalizer==3.4.6
1319
click==8.3.1
14-
cryptography==46.0.5
20+
cryptography==46.0.7 ; python_version >= "3.8"
1521
cyclonedx-python-lib==11.7.0
1622
defusedxml==0.7.1
1723
filelock==3.25.2 ; python_version >= "3.10"
@@ -49,6 +55,9 @@ typer==0.24.1
4955
typing-extensions==4.15.0
5056
urllib3==2.6.3 ; python_version >= "3.10"
5157
uv==0.10.11 ; python_version >= "3.8"
52-
uv-ffi==0.10.8.post2 ; python_version >= "3.8" and python_version <= "3.14"
58+
uv-ffi==0.10.8.post3 ; python_version >= "3.8" and python_version <= "3.14"
5359
werkzeug==3.1.6 ; python_version >= "3.9"
5460
yarl==1.23.0
61+
62+
# The following packages are considered to be unsafe in a requirements file:
63+
# pip

src/omnipkg/_vendor/uv_ffi/__init__.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,12 @@ def run(cmd: str) -> tuple:
1515

1616
run_capture = run
1717

18+
try:
19+
from importlib.metadata import version as _meta_version
20+
__version__ = _meta_version("uv_ffi")
21+
except Exception:
22+
__version__ = "unknown"
23+
1824
# ── Optional exports: present only if the .so was built with them ────────────
1925
# Imported lazily so that an older .so without these functions doesn't cause
2026
# an ImportError on the whole module and break FFI availability detection.

0 commit comments

Comments
 (0)