build(deps): bump types-aiofiles from 25.1.0.20251011 to 25.1.0.20260409 #20818

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/types-aiofiles-25.1.0.20260409

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps types-aiofiles from 25.1.0.20251011 to 25.1.0.20260409.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only change affecting optional dev type stubs; main runtime code paths are unchanged.

Overview
Updates the optional dev dependency types-aiofiles to 25.1.0.20260409 (from 25.1.0.20251011) and regenerates poetry.lock accordingly.

The lockfile metadata for types-aiofiles is updated (artifacts, hashes, and python-versions now >=3.10), along with the overall lock content-hash.

Reviewed by Cursor Bugbot for commit dac8206. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [types-aiofiles](https://github.com/python/typeshed) from 25.1.0.20251011 to 25.1.0.20260409.
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-aiofiles
  dependency-version: 25.1.0.20260409
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Changed, dependencies and python labels Apr 21, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 21, 2026 20:25
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Gathering dependency metadata and lockfile context to complete the supply-chain review.

Verdict: benign

Classic obfuscation — No repo-side code change beyond manifests; types-aiofiles is the normal typeshed stub for aiofiles. Stub wheels are .pyi typing data, not runtime execution. Nothing in the lockfile suggests install hooks or bundled payloads.

Invisible Unicode — Malware report: unicode: [] after allowlist; no basis to flag Trojan Source or hidden characters in tracked files for this update.

Dependency integrity — poetry.lock pins types-aiofiles 25.1.0.20260409 with standard sha256 entries for wheel and sdist; optional dev extra only. The version jump (…20251011 → …20260409) matches typeshed’s dated stub releases, not a suspicious semver skip.

Scanner vs interpretation — The two heuristic hits are not evidence of compromise: ghost_version_or_missing_tag and maintainer_drift with pattern npm-maintainers are misfires when applied to a PyPI stub (no npm tags/maintainers). The report itself shows changed_files_count: 0 for upstream diff scanning and unicode/confusable/ioc: [].

Dependabot context — Expected surface: pyproject.toml / poetry.lock only; no node_modules, no workflow churn implied by this dependency class.

Action — Safe to treat as a routine typeshed stub refresh; optional sanity check is pip download / PyPI page for types-aiofiles==25.1.0.20260409 matching the same hashes as in poetry.lock if you want out-of-band confirmation.

Compatibility Analysis

Searching the repo for types-aiofiles / aiofiles usage and inspecting upstream stub changes.

1) Where it shows up

Runtime library aiofiles (declared in pyproject.toml, resolved in poetry.lock) is used in:

| Location | Usage |
| --- | --- |
| chia/server/address_manager.py | aiofiles.open(..., "rb") |
| chia/consensus/block_height_map.py | aiofiles.open ("rb", "r+b", "wb") |
| chia/util/files.py | from aiofiles import tempfile; tempfile.NamedTemporaryFile(...) |
| tools/validate_rpcs.py | aiofiles.open(..., "rb") |
| benchmarks/address_manager_store.py | aiofiles.open(..., "rb") |

types-aiofiles is only an optional dev typing extra (pyproject.toml + poetry.lock); it is not imported by application code. It exists so mypy can check calls into aiofiles.

2) Overlap with stub changes (Oct 2025 → Apr 2026)

In .upstream-dependency, commits on stubs/aiofiles/ between those snapshot dates are:

  • METADATA.toml: field renames (underscores → dashes) — packaging metadata only.
  • aiofiles.threadpool: add stub for wrap (_SingleDispatchCallable[Any]).

Chia does not use aiofiles.threadpool.wrap or import threadpool directly. It only uses aiofiles.open and aiofiles.tempfile.NamedTemporaryFile, which are unchanged by that diff.

3) Risks / unknowns

  • Runtime / installs: Bumping types-aiofiles does not change runtime behavior; it only changes type information for tools like mypy. Actual I/O behavior still comes from aiofiles (already 25.1.0 in lockfile).
  • Type-checking: The stub delta is additive; the main residual risk is an unexpected mypy/pyright regression elsewhere in the repo (unlikely from this small change). chia/util/files.py already uses type: ignore around NamedTemporaryFile usage, so that area is somewhat decoupled from stub precision.
  • Malware-scan “ghost_version” / drift on this package: that reflects heuristic metadata checks, not evidence that the wheel is bad.

4) Recommendation

Merge — dev-only stub refresh; upstream changes between the two versions do not touch the APIs Chia uses, and there is no plausible runtime impact from this dependency bump. If CI runs mypy on PRs, a green typecheck is sufficient confirmation; if anything fails, it would likely be a narrow typing issue, not a production bug.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-aiofiles:0 ghost_version_or_missing_tag :: 25.1.0.20260409
  • types-aiofiles:0 maintainer_drift :: 25.1.0.20251011->25.1.0.20260409

@coveralls-official

Coverage Report for CI Build 24744658211

Coverage increased (+0.009%) to 91.186%

Details

  • Coverage increased (+0.009%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 29 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

29 previously-covered lines in 8 files lost coverage.

| File | Lines Losing Coverage | Coverage |
| --- | --- | --- |
| chia/server/node_discovery.py | 8 | 79.86% |
| chia/server/address_manager.py | 7 | 92.83% |
| chia/server/server.py | 4 | 86.1% |
| chia/full_node/full_node_api.py | 3 | 86.55% |
| chia/data_layer/data_layer.py | 2 | 85.68% |
| chia/full_node/full_node.py | 2 | 87.5% |
| chia/_tests/core/test_farmer_harvester_rpc.py | 2 | 98.06% |
| chia/_tests/simulation/test_simulation.py | 1 | 96.49% |

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107306
Line Coverage: 91.33%
Relevant Branches: 11720
Covered Branches: 10522
Branch Coverage: 89.78%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
