
build(deps): bump build from 1.4.2 to 1.4.3#20826

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/build-1.4.3

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps build from 1.4.2 to 1.4.3.

Release notes

Sourced from build's releases.

1.4.3

What's Changed

New Contributors

Full Changelog: pypa/build@1.4.2...1.4.3

Changelog

Sourced from build's changelog.

#################### 1.4.3 (2026-04-10) ####################


Features


  • Add kind parameter to log messages to separate semantic and representation - by :user:abitrolly (:issue:973)

Bugfixes


  • Strip PYTHONPATH from the environment during isolated builds to prevent host packages from leaking into the build - by :user:gaborbernat (:issue:405)
  • Pass --no-input to pip to prevent hidden credential prompts that cause hangs, and automatically set PIP_KEYRING_PROVIDER=subprocess (or UV_KEYRING_PROVIDER=subprocess for the uv installer) when the keyring CLI is on PATH - by :user:gaborbernat (:issue:409)
  • check_dependency now reports URL requirements as unmet instead of silently accepting them when a package with the same name is installed - by :user:gaborbernat (:issue:860)
  • Fix misleading missing dependency error display where transitive dependency chains showed the top-level package on a separate line, making it appear as if the top-level package itself was missing - by :user:gaborbernat (:issue:875)
  • Fix towncrier template to generate changelog categories in definition order - by :user:gaborbernat (:issue:1007)
  • Resolve thread-safety races in the build API - by :user:gaborbernat (:issue:1015)
  • Validate backend-path entries exist on disk with a clear error - by :user:gaborbernat (:issue:1016)

Miscellaneous


  • :issue:1020, :issue:1021

#################### 1.4.2 (2026-03-25) ####################


Bugfixes


  • Ensure the uv installer uses the current version of Python, avoiding an issue if UV_PYTHON is set, for example. (:issue:977)
  • Fix _has_valid_outer_pip returning True when pip is missing, causing build to try using a non-existent pip instead of falling back to virtualenv. (:issue:1003)

#################### 1.4.1 (2026-03-24) ####################

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
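The two hardening items in the 1.4.3 changelog (stripping PYTHONPATH from the isolated build environment, and passing --no-input plus a subprocess keyring provider to the installer) are easy to reproduce in isolation. The block below is an added example, not pypa/build's own code: `hardened_subprocess_env()` builds the sanitized environment a hypothetical build launcher would hand to pip or uv, and `leak_demo()` constructs a throwaway module that exists only on the host's PYTHONPATH and shows that a child interpreter can import it with the inherited environment but not with the hardened one. `PIP_NO_INPUT`, `PIP_KEYRING_PROVIDER` and `UV_KEYRING_PROVIDER` are the real environment-variable forms of the pip and uv options named in the changelog; every function name and the sample module are assumptions of this example.

```python
"""Added example (not pypa/build's code): hardening the environment used to
launch an installer inside an isolated build, as described in build 1.4.3."""
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def hardened_subprocess_env(base_env, installer="pip", keyring_on_path=None):
    """Return a copy of base_env that is safe to pass to pip/uv in an isolated build.

    * PYTHONPATH is dropped so host-side packages cannot shadow the dependencies
      the isolated environment just installed.
    * PIP_NO_INPUT=1 is the env-var form of `pip --no-input`: a missing index
      credential fails fast instead of hanging on an invisible prompt in CI.
    * When the `keyring` CLI is on PATH, credential lookups are routed through
      the subprocess provider so no keyring backend is imported into the build.
    """
    env = {k: v for k, v in base_env.items() if k != "PYTHONPATH"}
    env["PIP_NO_INPUT"] = "1"
    if keyring_on_path is None:
        keyring_on_path = shutil.which("keyring") is not None
    if keyring_on_path:
        var = "UV_KEYRING_PROVIDER" if installer == "uv" else "PIP_KEYRING_PROVIDER"
        env.setdefault(var, "subprocess")  # keep an explicit user choice if present
    return env


def child_can_import(module_name, env):
    """Start a fresh interpreter with `env` and report whether `module_name`
    resolves there. Output is discarded; only the exit status matters."""
    proc = subprocess.run(
        [sys.executable, "-c", f"import {module_name}"],
        env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


def leak_demo():
    """Constructed scenario: a module that lives only on the host's PYTHONPATH.

    Returns (visible_with_inherited_env, visible_with_hardened_env), i.e. the
    pre-1.4.3 leak and the post-1.4.3 behaviour side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample module; it is not a declared build dependency.
        Path(tmp, "host_only_pkg.py").write_text("VERSION = 'host'\n")
        inherited = dict(os.environ, PYTHONPATH=tmp)
        hardened = hardened_subprocess_env(inherited)
        return (
            child_can_import("host_only_pkg", inherited),
            child_can_import("host_only_pkg", hardened),
        )


if __name__ == "__main__":
    leaked, blocked = leak_demo()
    print(f"inherited env sees host module: {leaked}; hardened env sees it: {blocked}")
```

The demo is deliberately narrow: it only shows PYTHONPATH leakage, which is the channel the changelog names. Other host-side influence (site-customize hooks, `.pth` files in the interpreter's own site-packages) is outside what build's fix addresses and is not exercised here.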

Note

Low Risk
Low risk dependency bump limited to the optional build dev tool, with only lockfile/hash updates and no runtime code changes.

Overview
Updates the optional dev dependency build to >=1.4.3 in pyproject.toml and refreshes poetry.lock to pin build==1.4.3 (including new artifact hashes and the keyring extra entry).

Reviewed by Cursor Bugbot for commit bc31262. Bugbot is set up for automated code reviews on this repo.

Bumps [build](https://github.com/pypa/build) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/pypa/build/releases)
- [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst)
- [Commits](pypa/build@1.4.2...1.4.3)

---
updated-dependencies:
- dependency-name: build
  dependency-version: 1.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels Apr 21, 2026
dependabot[bot] requested a review from a team as a code owner April 21, 2026 20:29
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how the project declares the build dependency for context.

Verdict: benign

Why this looks safe

  • Source and scope: The dependency is pypa/build (official PyPA packaging tool). The jump is a patch (1.4.2 → 1.4.3) with a normal tagged release and a public changelog; nothing suggests typosquatting or a “ghost” version.

  • Scanner vs. meaning of “heuristic”: The report shows 0 Unicode/confusable/IOC hits. The 59 shell_process_spawn hits match what this package does (invoking pip/backends via subprocess). Those are expected noise, not evidence of malicious process abuse.

  • Checklist items: No reported obfuscation, hidden Unicode, credential exfiltration, or npm lifecycle issues. Upstream changes include .github/workflows/* in the upstream tag range; for PyPA projects that is often routine CI maintenance in the same release, not by itself a supply-chain red flag—especially with no IOC/Unicode findings.

  • Chia usage: In this repo, build appears as a dev optional dependency in pyproject.toml (not runtime node package.json scripts).

Actionable note: If you want extra assurance, compare the PR diff to only the files Dependabot should touch (e.g. lockfile / constraint pins) and ensure nothing unrelated was bundled—but on the evidence given, approve from a malware/supply-chain perspective.

Compatibility Analysis

Searching the repository for how the build package is declared and used.

1) Where build appears

  • Declared dependency: pyproject.toml — optional Poetry dep build = { version = ">=1.4.3", optional = true } and listed in the dev extra ([project.optional-dependencies]).
  • Runtime usage in this repo: None — no import build / from build... under application code (only unrelated names like build_merkle_tree).
  • Actual invocation: .github/workflows/upload-pypi-source.yml runs python -m build --outdir dist . after installing the dev environment (so build is available there).

2) Overlap with 1.4.3 changes

  • You only use the python -m build CLI for a normal Poetry/pyproject.toml project with build-backend = "poetry_dynamic_versioning.backend"; there is no backend-path and no in-repo use of ProjectBuilder, DefaultIsolatedEnv, check_dependency, or log kind APIs.
  • 1.4.3 items (thread-safety in the library API, backend-path existence checks, log kind, stricter URL requirement checks, PYTHONPATH stripping, pip/keyring behavior) affect internals or edge cases. They do not map to anything Chia imports or calls directly.

3) Risks / unknowns

  • Low: Stripping PYTHONPATH in isolated builds could break unusual setups that depended on leaking host paths into the build env; standard Chia CI/build is unlikely to rely on that.
  • Low: Stricter URL / PEP 610 dependency handling only matters if [build-system] requires used exotic URL pins in a way that previously “passed” incorrectly; your requires are normal PyPI-style pins.
  • Residual: Same as any patch — rely on CI for the upload workflow; no API contract risk for this repo.

4) Recommendation

Merge — patch bump, usage is CLI-only for publishing, no programmatic build API usage, and your [build-system] layout does not hit the main behavior changes called out in the release notes.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 34
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 7b7ae078aa1dabff33ea72d07ed15dd298acf80a..130b043d1a1c1a12a0558f2598430b769f074690
  • Resolved refs: from=7b7ae078aa1dabff33ea72d07ed15dd298acf80a to=130b043d1a1c1a12a0558f2598430b769f074690
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 59

Top findings

  • tests/test_ctx_logger.py:52 shell_process_spawn :: (1, [('subprocess', 'cmd'), ('subprocess', 'stdout')]),
  • tasks/release.py:6 shell_process_spawn :: from subprocess import call, check_call
  • tests/test_env.py:8 shell_process_spawn :: import subprocess
  • tests/test_env.py:53 shell_process_spawn :: subprocess.check_call([sys.executable, '-c', 'import build.env'])
  • tests/test_env.py:55 shell_process_spawn :: with build.env.DefaultIsolatedEnv() as env, pytest.raises(subprocess.CalledProcessError):
  • tests/test_env.py:56 shell_process_spawn :: subprocess.check_call([env.python_executable, '-c', f'{debug} import build.env'])
  • tests/test_env.py:141 shell_process_spawn :: version = subprocess.check_output(
  • tests/test_env.py:516 shell_process_spawn :: assert result['PIP_KEYRING_PROVIDER'] == 'subprocess'
  • tests/test_env.py:544 shell_process_spawn :: assert install_call.kwargs['env']['PIP_KEYRING_PROVIDER'] == 'subprocess'
  • tests/test_env.py:559 shell_process_spawn :: assert install_call.kwargs['env']['UV_KEYRING_PROVIDER'] == 'subprocess'
  • tests/test_env.py:592 shell_process_spawn :: assert subprocess.check_call([env.python_executable, '-c', 'import flit_core']) == 0
  • tests/test_self_packaging.py:5 shell_process_spawn :: import subprocess
  • tests/test_self_packaging.py:78 shell_process_spawn :: subprocess.run(
  • tests/test_self_packaging.py:103 shell_process_spawn :: subprocess.run(
  • CHANGELOG.rst:18 shell_process_spawn :: PIP_KEYRING_PROVIDER=subprocess (or UV_KEYRING_PROVIDER=subprocess for the uv installer) when the keyring
  • tests/test_integration.py:11 shell_process_spawn :: import subprocess
  • tests/test_integration.py:146 shell_process_spawn :: subprocess.check_call(call + args)
  • src/build/__main__.py:16 shell_process_spawn :: 'subprocess',
  • src/build/__main__.py:31 shell_process_spawn :: import subprocess
  • src/build/__main__.py:116 shell_process_spawn :: elif kind[0] == 'subprocess':
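The changelog entry for check_dependency ("reports URL requirements as unmet instead of silently accepting them when a package with the same name is installed") and the analysis's "Stricter URL / PEP 610 dependency handling" bullet describe the same gap, and it is worth seeing concretely: a name-only check treats `pkg @ https://…` as satisfied by any installed `pkg`, including one resolved from an index, so a pinned-source requirement quietly degrades into a name match. The block below is an added example, not build's check_dependency or any other pypa/build code. It writes two constructed `.dist-info` directories into a temp dir (one index-installed, one with a PEP 610 direct_url.json), then runs a minimal checker in lax (name-only) and strict (URL-aware) mode. The requirement parser handles only bare names with version specifiers and the `name @ url` form; all names, URLs and packages in it are assumptions of this example.

```python
"""Added example (not pypa/build's check_dependency): why a URL requirement must
be matched against the installed distribution's PEP 610 origin, not its name."""
import json
import re
import tempfile
from importlib.metadata import Distribution
from pathlib import Path

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirement(spec):
    """Minimal PEP 508 split: (normalized name, url or None).
    Handles `name[extras]==1.0 ; marker` and `name @ url ; marker` only."""
    name = _NAME.match(spec).group(1).lower().replace("_", "-")
    url = None
    if "@" in spec:
        # First "@" is the PEP 508 separator; later ones (e.g. git@rev) belong to the URL.
        url = spec.split("@", 1)[1].split(";")[0].strip()
    return name, url


def make_fake_dist(root, name, version, direct_url=None):
    """Constructed sample: a minimal <name>-<version>.dist-info so importlib.metadata
    can discover it. direct_url, if given, is recorded as PEP 610 direct_url.json."""
    d = Path(root, f"{name}-{version}.dist-info")
    d.mkdir()
    (d / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    if direct_url is not None:
        (d / "direct_url.json").write_text(json.dumps({"url": direct_url, "archive_info": {}}))


def installed_by_name(name, search_path):
    """Find a distribution by normalized name, searching only search_path so the
    demo never depends on what the host's site-packages contains."""
    for dist in Distribution.discover(path=search_path):
        if dist.metadata["Name"].lower().replace("_", "-") == name:
            return dist
    return None


def check_dependency(spec, search_path, strict_urls=True):
    """Return [] when the requirement is met, else a one-item list explaining why not.

    strict_urls=False reproduces the name-only behaviour the changelog calls a bug;
    strict_urls=True accepts a URL requirement only when the installed distribution's
    direct_url.json records that exact URL."""
    name, url = parse_requirement(spec)
    dist = installed_by_name(name, search_path)
    if dist is None:
        return [f"{spec}: not installed"]
    if url is None or not strict_urls:
        return []
    raw = dist.read_text("direct_url.json")  # None for index installs
    origin = json.loads(raw)["url"] if raw else None
    if origin != url:
        return [f"{spec}: installed {name}=={dist.version} came from "
                f"{origin or 'an index'}, not {url}"]
    return []


def demo():
    """Two constructed installs: `plugin` from an index, `pinned` from an archive URL.
    Returns the unmet-requirement counts (lax, strict, strict_on_matching_url)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_dist(tmp, "plugin", "1.0")  # no direct_url.json: came from an index
        make_fake_dist(tmp, "pinned", "2.0", "https://example.invalid/pinned-2.0.tar.gz")
        req = "plugin @ https://example.invalid/plugin-1.0.tar.gz"
        lax = check_dependency(req, [tmp], strict_urls=False)
        strict = check_dependency(req, [tmp])
        ok = check_dependency("pinned @ https://example.invalid/pinned-2.0.tar.gz", [tmp])
        return len(lax), len(strict), len(ok)


if __name__ == "__main__":
    print(demo())  # lax accepts the index-installed plugin; strict rejects it
```

For a PR like this one the practical check is the reverse direction: because Chia's `[build-system] requires` are ordinary index pins, the stricter behaviour cannot newly fail the publish workflow, which is what the analysis concludes.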

@coveralls-official

Coverage Report for CI Build 24744840002

Coverage decreased (-0.02%) to 91.161%

Details

  • Coverage decreased (-0.02%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 25 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

25 previously-covered lines in 8 files lost coverage.

File | Lines losing coverage | Coverage
chia/server/address_manager.py | 7 | 92.83%
chia/server/node_discovery.py | 5 | 80.38%
chia/server/server.py | 4 | 86.1%
chia/full_node/full_node_api.py | 3 | 86.55%
chia/data_layer/data_layer.py | 2 | 85.68%
chia/_tests/core/test_farmer_harvester_rpc.py | 2 | 98.06%
chia/full_node/full_node.py | 1 | 87.59%
chia/_tests/simulation/test_simulation.py | 1 | 96.49%

Coverage Stats

Relevant Lines: 117497
Covered Lines: 107277
Line Coverage: 91.3%
Relevant Branches: 11720
Covered Branches: 10518
Branch Coverage: 89.74%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
