build(deps): bump types-setuptools from 82.0.0.20260210 to 82.0.0.20260408 #20816

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/types-setuptools-82.0.0.20260408

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps types-setuptools from 82.0.0.20260210 to 82.0.0.20260408.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency metadata update limited to dev typing stubs; no runtime code paths are affected aside from potential mypy/type-checking differences.

Overview
Updates the types-setuptools dev dependency to 82.0.0.20260408 by raising the version constraint in pyproject.toml and refreshing poetry.lock (new artifact hashes and lock content-hash).

Reviewed by Cursor Bugbot for commit 0dd3049. Bugbot is set up for automated code reviews on this repo.

Bumps [types-setuptools](https://github.com/python/typeshed) from 82.0.0.20260210 to 82.0.0.20260408.
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-setuptools
  dependency-version: 82.0.0.20260408
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the Changed, dependencies and python labels Apr 21, 2026
dependabot[bot] requested a review from a team as a code owner April 21, 2026 20:24
dependabot[bot] added the dependencies, python and Changed labels Apr 21, 2026

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread pyproject.toml
types-aiofiles = { version = ">=24.1.0.20240626", optional = true }
types-pyyaml = { version = ">=6.0.12.20240917", optional = true }
types-setuptools = { version = ">=75.5.0.20241122", optional = true }
types-setuptools = { version = ">=82.0.0.20260408", optional = true }
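
Review bot: the added types-setuptools line still uses an open-ended `>=` range, so this file does not decide which artifact is installed; the poetry.lock entry and its hashes do. The PR overview says poetry.lock was refreshed, yet the malware scan summary further down reports "Changed lockfiles: 0" and "Resolved refs: from=n/a to=n/a", which suggests the scan never saw the lock change. Review the lock diff by hand rather than relying on that scan result, and consider keeping the floor at `>=75.5.0.20241122` if only the locked version needs to move.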

Minimum version constraint raised unnecessarily high

Low Severity

The minimum version for types-setuptools was raised from >=75.5.0.20241122 to >=82.0.0.20260408, pinning the floor to the exact newly resolved version. This is more restrictive than necessary — a lock file update alone would suffice. Other type-stub deps like types-aiofiles and types-pyyaml keep their original lower bounds. This needlessly narrows the acceptable version range and could cause resolution conflicts for consumers or downstream tooling that had a compatible older version.

@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how types-setuptools is declared and what the scanner heuristics mean for this Python stub package.

Verdict: benign

Why this looks safe

  • types-setuptools is the official typing stubs package for setuptools, published from the typeshed ecosystem (same family as types-pyyaml / types-aiofiles already in your dev extras). It is not application/runtime code for end users; it exists so mypy can type-check setuptools usage.

  • Version shape is normal: 82.0.0.20260408 is the usual setuptools major + dated snapshot pattern. The bump from …20260210 to …20260408 is a small, same-line stub refresh, not a suspicious semver leap or typosquat.

  • Lockfile looks standard: poetry.lock lists the wheel/sdist with normal PyPI-style hashes and metadata (typing stubs for setuptools, optional, dev extra). Nothing here suggests obfuscated payloads, extra mystery dependencies, or lifecycle scripts (those are npm-centric concerns; this is pip/Poetry).

Scanner report vs interpretation

  • ghost_version_or_missing_tag: Likely means the scanner could not verify a tag/ref in its resolution path (your report says 0 changed upstream files, unresolved strategy). That is a tooling gap, not proof the PyPI release is fake.

  • maintainer_drift / npm-maintainers: This is almost certainly a false positive for a PyPI package—the heuristic name points at npm maintainer checks, which do not map cleanly to PyPI publishing.

Classic checklist (short): No evidence of obfuscation, unexpected hosts, persistence, or install-script abuse in this kind of stub-only dependency; the PR scope is consistent with a routine typeshed stub bump.

Actionable note: If you want extra assurance, manually confirm on PyPI that 82.0.0.20260408 exists and that the sdist/wheel hashes match your poetry.lock entries—then treat the scanner warn as non-blocking for this update.

Compatibility Analysis

Analyzing how types-setuptools is used in the repo and what changed upstream.

1) Where types-setuptools shows up

  • Declared as an optional dev dependency in pyproject.toml (types-setuptools in the dev extra alongside mypy, types-*, etc.).
  • Locked in poetry.lock as part of the dev dependency set.
  • Not imported anywhere in first-party Python under chia/, tools/, build_scripts/, or benchmarks/ — there are no setuptools / pkg_resources usages in those trees.
  • Related but different: the project uses importlib.metadata in a few places (e.g. chia/__init__.py, tests); that is stdlib typing, not types-setuptools.
  • Practical role: supply PEP 561 stubs so mypy can resolve types if anything in the checked graph imports setuptools (your mypy.ini.template does not special-case setuptools).

2) Overlap with likely stub changes (upstream window)

In .upstream-dependency, commits between the two snapshot dates that touch stubs/setuptools are small:

  • METADATA.toml: field renames (requires → dependencies, underscores → dashes) — packaging metadata only, not Python API.
  • setuptools/command/test.pyi and setuptools/installer.pyi: only formatting of @deprecated(...) string arguments (same text, different line breaks).
  • @tests/stubtest_allowlist.txt: typeshed test allowlist for stubtest, not consumer API.

So there is no meaningful intersection with this repo’s code, which does not reference setuptools APIs in typed sources.

3) Risks / unknowns

  • Runtime / production: None — stub-only package; it is not part of the shipped application unless someone incorrectly added it to a non-dev install path.
  • CI / mypy: Very low — no signature changes found in the relevant upstream delta; worst case would be new mypy noise if something indirectly imported setuptools, which you do not appear to do in first-party code.
  • Malware-scan noise (ghost_version_or_missing_tag, maintainer_drift): typical heuristic false positives for PyPI stub snapshot versions; not a signal against merging on its own.

4) Recommendation

Merge — dev-only stub refresh with no substantive API churn in the upstream diff reviewed and no first-party setuptools usage to break. Green CI (especially mypy) is still the authoritative check.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-setuptools:0 ghost_version_or_missing_tag :: 82.0.0.20260408
  • types-setuptools:0 maintainer_drift :: 82.0.0.20260210->82.0.0.20260408

@coveralls-official

Coverage Report for CI Build 24744621372

Coverage increased (+0.003%) to 91.18%

Details

  • Coverage increased (+0.003%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 26 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

26 previously-covered lines in 8 files lost coverage.

| File | Lines Losing Coverage | Coverage |
|---|---|---|
| chia/server/address_manager.py | 7 | 92.83% |
| chia/server/node_discovery.py | 5 | 80.38% |
| chia/server/server.py | 4 | 86.1% |
| chia/full_node/full_node_api.py | 3 | 86.55% |
| chia/data_layer/data_layer.py | 2 | 85.68% |
| chia/full_node/full_node.py | 2 | 87.5% |
| chia/_tests/core/test_farmer_harvester_rpc.py | 2 | 98.06% |
| chia/_tests/simulation/test_simulation.py | 1 | 96.49% |

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107300
Line Coverage: 91.32%
Relevant Branches: 11720
Covered Branches: 10520
Branch Coverage: 89.76%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
