build(deps): bump importlib-resources from 6.5.2 to 7.1.0 #20827

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/importlib-resources-7.1.0

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps importlib-resources from 6.5.2 to 7.1.0.

Changelog

Sourced from importlib-resources's changelog.

v7.1.0

Features

  • files() now provides a nicer error when main.spec is None. (#331)

v7.0.0

Deprecations and Removals

  • Remove compatibility shim for deprecated parameter package in `importlib.resources.files`. Patch by Semyon Moroz. (#332)
Commits
  • 78c697d Finalize
  • 5a2bffc A better error message from importlib.resources.files() when module spec is None
  • d80822a Add news fragment.
  • 6e2183f Revise the test for clarity and traceability.
  • ee94f7c Merge branch 'main' into error-message-none-spec-module
  • a542188 Extract method to encapsulate the validation.
  • 74f308a Revert unrelated change to wrap_spec.
  • c6773a1 Prefer bare asserts. They read better and they render nicer under pytest.
  • 935b189 Replace UTF-16 BOM handling with a more direct helper.
  • 4049971 Finalize
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump with no application code changes; main risk is runtime/test behavior differences from the updated library version.

Overview
Updates the importlib-resources dependency from 6.5.2 to 7.1.0 by raising the constraint in pyproject.toml and refreshing poetry.lock (including updated package metadata/extras and lockfile hash).

Reviewed by Cursor Bugbot for commit a55532f. Bugbot is set up for automated code reviews on this repo.

Bumps [importlib-resources](https://github.com/python/importlib_resources) from 6.5.2 to 7.1.0.
- [Release notes](https://github.com/python/importlib_resources/releases)
- [Changelog](https://github.com/python/importlib_resources/blob/main/NEWS.rst)
- [Commits](python/importlib_resources@v6.5.2...v7.1.0)

---
updated-dependencies:
- dependency-name: importlib-resources
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Apr 21, 2026
dependabot[bot] requested a review from a team as a code owner on April 21, 2026 20:30
@github-actions
Contributor

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how the dependency is declared and locked in the repo for the review.

Verdict: benign

Checklist (concise)

  • Classic obfuscation / C2 / persistence / exfiltration: No indicators. This is the published python/importlib_resources backport; your lockfile pins normal PyPI artifacts with standard sha256 entries for 7.1.0 (poetry.lock around the importlib-resources [[package]] block). Chia uses the modern importlib_resources.files(...) pattern (e.g. chia/util/keychain.py, chia/wallet/puzzles/load_clvm.py), not suspicious dynamic loading.

  • Invisible Unicode / Trojan Source: Scanner reports 0 unicode, 0 confusable, 0 IOC after allowlist — no evidence of hidden payloads.

  • Dependency integrity: Direct dependency only; no unexpected transitive explosion in the lock snippet. The 7.x jump matches upstream v7.0.0 documented removal of the deprecated package argument to files(), not a “ghost” release. pyproject.toml already requires importlib-resources = ">=7.1.0", so the bump is consistent with declared intent.

  • Scanner vs interpretation: The warn is from heuristics, not substance.

    • network_c2_indicator on README.rst is a shields.io badge using raw.githubusercontent.com (common; not package runtime).
    • workflow_path_touch reflects upstream repo files in the scanned tag range, not an expectation that your Dependabot PR edits Chia’s workflows.
    • version_jump_anomaly / maintainer_drift are semver / npm-style heuristics misfiring on a major PyPI bump of a long-established stdlib backport — not evidence of publisher compromise.

Actionable (compatibility, not malware): After merge, run tests on your minimum supported Python; if anything still called files(package=...), it would break on 7.x — your grep hits use positional anchors, which is the safe pattern.

Compatibility Analysis

Searching the codebase for importlib-resources usage and inspecting upstream changes for compatibility.

1) Where it’s used

Declared: pyproject.toml pins importlib-resources (workspace shows >=7.1.0); poetry.lock resolves the wheel.

Runtime / tests (direct API use):

| Area | Pattern |
|---|---|
| chia/wallet/puzzles/load_clvm.py | `importlib_resources.files(package_or_requirement)`, `joinpath`, `read_text` |
| chia/util/keychain.py | `files(parent_pkg).joinpath("english.txt").read_text(...)` |
| chia/util/config.py | `files(parent_pkg).joinpath(...).read_text(...)` |
| chia/ssl/create_ssl.py | `files(parent_pkg)` |
| chia/_tests/util/benchmarks.py | `files(...).joinpath("clvm_generator.bin")` |
| chia/_tests/core/util/test_keychain.py | `files(chia._tests.util.__name__).joinpath(...)` |
| chia/_tests/cmds/wallet/test_wallet.py | `files(...).joinpath(...)`, `as_file(...)` |
| chia/_tests/core/data_layer/test_data_store.py | `importlib.resources` `files`, `as_file` |

Elsewhere, importlib.metadata appears for package versions (e.g. chiapos); that is not this dependency.


2) Overlap with v7 changes

  • v7.0.0: Removed the deprecated package= keyword on files(). In-tree code uses positional anchors only (strings like chia.wallet.puzzles / __name__-derived parents, or chia._tests.util.__name__). No files(package=...) usage → no intersection with the breaking change.
  • v7.1.0: Clearer errors when a module’s __spec__ is None (e.g. odd __main__ cases). Behavioral tightening only for that edge case; normal package imports are unchanged.
  • Upstream also adjusted UTF-16 / BOM handling in read paths; Chia uses read_text(encoding="utf-8") on hex/config-like assets → low relevance.

3) Risks / unknowns

  • Frozen / bundled builds: load_clvm already branches on sys.frozen; resource layout there is a general packaging concern, not specific to 6→7.
  • Test mixing importlib.resources (stdlib) vs importlib_resources (backport): Same call shapes on 3.10+; unlikely to diverge for files / as_file in your usage.
  • Heuristic “major bump” / supply-chain tooling noise: Not a functional signal for this library given the actual API removal.

4) Recommendation

Merge — usage matches the current files(anchor) / as_file API; nothing in-repo relies on the removed package= shim. Run your normal CI/test matrix once on the PR branch for regression confidence (standard practice, not a blocker from code review).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 22
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 7d3b2bfa1d8c53ecb64246ba16d8c632f8fcb6bf..78c697d65ae8517bd64d40c62d2085902d82b237
  • Resolved refs: from=7d3b2bfa1d8c53ecb64246ba16d8c632f8fcb6bf to=78c697d65ae8517bd64d40c62d2085902d82b237
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 4

Top findings

  • README.rst:10 network_c2_indicator :: .. image:: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json
  • .github/workflows/main.yml:0 workflow_path_touch :: path-touch
  • importlib-resources:0 version_jump_anomaly :: 6.5.2->7.1.0
  • importlib-resources:0 maintainer_drift :: 6.5.2->7.1.0
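As an added example (not part of the PR or of the bot's review), the compatibility check the analysis above describes in prose: an AST walk over Python source that flags `files(...)` calls still passing the `package=` keyword removed in importlib-resources 7.0.0, while leaving positional-anchor calls alone. The sample source is constructed; its positional calls mirror the in-tree pattern the review cites.

```python
"""Find files() calls that pass the `package=` keyword removed in
importlib-resources 7.0.0. Added example, not part of the PR."""
import ast
from typing import List, Tuple

# Names a files() call may be spelled with after the usual imports.
FILES_NAMES = {"files", "importlib_resources.files", "importlib.resources.files"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as `importlib.resources.files`."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def find_removed_package_kw(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, call_text) for every files(...) call using `package=`."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _dotted(node.func) not in FILES_NAMES:
            continue
        if any(kw.arg == "package" for kw in node.keywords):
            hits.append((node.lineno, ast.unparse(node)))
    return hits


# Constructed sample: positional anchors (fine on 7.x) beside the removed keyword form.
SAMPLE = '''
from importlib_resources import files
import importlib_resources

OK_1 = files("chia.wallet.puzzles").joinpath("x.clsp").read_text()  # positional anchor
OK_2 = importlib_resources.files(__name__).joinpath("english.txt")    # positional anchor
BAD = files(package="chia.wallet.puzzles").joinpath("x.clsp")         # removed in 7.0.0
'''

if __name__ == "__main__":
    for lineno, text in find_removed_package_kw(SAMPLE):
        print(f"line {lineno}: {text}")
```

Run it over each file in the repository (for example by feeding `Path(p).read_text()` to `find_removed_package_kw`) before merging a 6.x to 7.x bump; an empty result means nothing in-tree depends on the removed shim.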

@coveralls-official

Coverage Report for CI Build 24744861593

Coverage decreased (-0.009%) to 91.168%

Details

  • Coverage decreased (-0.009%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 30 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

30 previously-covered lines in 8 files lost coverage.

| File | Lines losing coverage | Coverage |
|---|---|---|
| chia/server/address_manager.py | 7 | 92.83% |
| chia/server/server.py | 7 | 85.56% |
| chia/server/node_discovery.py | 6 | 80.21% |
| chia/timelord/timelord.py | 3 | 72.76% |
| chia/data_layer/data_layer.py | 2 | 85.68% |
| chia/full_node/full_node_api.py | 2 | 86.48% |
| chia/full_node/full_node.py | 2 | 87.63% |
| chia/_tests/simulation/test_simulation.py | 1 | 96.49% |

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107282
Line Coverage: 91.31%
Relevant Branches: 11720
Covered Branches: 10522
Branch Coverage: 89.78%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
