build(deps): bump boto3 from 1.42.80 to 1.42.92#20837

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/boto3-1.42.92

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Bumps boto3 from 1.42.80 to 1.42.92.

Commits
  • d431bb0 Merge branch 'release-1.42.92'
  • 5cb8aa5 Bumping version to 1.42.92
  • c594900 Add changelog entries from botocore
  • 7eff2b3 Update presigned URL docs to include addressing style config (#4768)
  • d5b7391 Merge branch 'release-1.42.91'
  • c050610 Merge branch 'release-1.42.91' into develop
  • f8d1385 Bumping version to 1.42.91
  • 3e83422 Add changelog entries from botocore
  • ac298d4 Merge branch 'release-1.42.90'
  • 1a92783 Merge branch 'release-1.42.90' into develop
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only change limited to boto3/botocore version bumps; potential impact is confined to AWS/S3 integration behavior changes from upstream releases.

Overview
Bumps the boto3 dependency requirement in pyproject.toml to >=1.42.92.

Regenerates poetry.lock to pin boto3 1.42.92 and update its botocore constraint/version accordingly (plus updated lockfile hashes).

Reviewed by Cursor Bugbot for commit 1313d4a. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [boto3](https://github.com/boto/boto3) from 1.42.80 to 1.42.92.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.42.80...1.42.92)

---
updated-dependencies:
- dependency-name: boto3
  dependency-version: 1.42.92
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) Apr 28, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 28, 2026 20:25
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                           Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  pypi/botocore@1.42.85 ⏵ 1.42.97   98 (+1)                100            100      100          70
Updated  pypi/boto3@1.42.80 ⏵ 1.42.92      99                     100            100      100          100

View full report


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.


Comment thread pyproject.toml
anyio = ">=4.6.2.post1"
bitstring = ">=4.1.4" # Binary data management library
boto3 = ">=1.35.43" # AWS S3 for Data Layer S3 plugin
boto3 = ">=1.42.92" # AWS S3 for Data Layer S3 plugin
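Review bot: the pyproject.toml change raises the minimum supported boto3 from `>=1.35.43` to `>=1.42.92`, which is a constraint change rather than the lockfile refresh a patch bump needs; unless chia/data_layer/s3_plugin_service.py relies on an API added after 1.35.43, keep `boto3 = ">=1.35.43"` and let poetry.lock carry the 1.42.92 pin. If the floor bump is intended, the PR description should state why, and the regenerated poetry.lock sha256 entries for boto3 1.42.92 and its paired botocore should be checked against PyPI before merge.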

Minimum boto3 version unnecessarily raised from 1.35 to 1.42

Medium Severity

The minimum version constraint for boto3 in pyproject.toml was raised from >=1.35.43 to >=1.42.92. For a routine Dependabot patch bump (1.42.80 → 1.42.92), only the lock file needs updating — the floor specifier in the project metadata needn't change unless a new API is actually required. This tightening forces all consumers and downstream environments to use boto3 ≥ 1.42.92, breaking compatibility with any setup running boto3 between 1.35.43 and 1.42.91.



@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why this looks safe

  • Package & source: boto3 is the official AWS Python SDK; the PR tracks boto/boto3 from 1.42.80 → 1.42.92 (same 1.42 line), which is a normal maintenance cadence, not a typosquat or a wild version jump.
  • Scanner vs reality: The report shows 0 unicode, confusable, and IOC hits after allowlisting. The 15 heuristic hits are consistent with noise: long CHANGELOG.rst lines mentioning AWS APIs (“execute-command”, “fetch … tokens”, Secrets Manager, “base64 encoding”), path-touch on boto3’s own .github/workflows/ (upstream repo maintenance), and maintainer_drift on the version range string—these are not evidence of compromise in the wheel you install from PyPI.
  • What actually lands in Chia: A dependency bump updates manifests/lockfile and pulls the published boto3 distribution; it does not merge boto3’s GitHub workflow YAML into this repo. Your usage is localized (e.g. chia/data_layer/s3_plugin_service.py + import boto3), which matches typical S3 usage.
  • Integrity: poetry.lock entries for boto3-1.42.92 with standard PyPI wheel/sdist + sha256 are the expected shape; nothing in the supplied context suggests lockfile corruption or mystery transitives beyond normal botocore pairing.

Actionable note: If CI fails, treat it as compatibility/regression, not malware—re-run tests; the changelog/commits point at botocore sync + docs (e.g. presigned URL docs #4768), not suspicious install-time behavior.

Where scanner and “malicious PR” intuition disagree: Workflow and changelog hits flag upstream repo diffs, not a trojaned PyPI artifact; for this bump, that disagreement favors benign.

Compatibility Analysis

Searching the codebase for boto3 usage and inspecting upstream changes between 1.42.80 and 1.42.92.

1) Where boto3 is used

  • Dependency: pyproject.toml: boto3 = ">=1.42.92" with comment AWS S3 for Data Layer S3 plugin.
  • Application code: only chia/data_layer/s3_plugin_service.py:
    • boto3.resource("s3", region_name=..., aws_access_key_id=..., aws_secret_access_key=...)
    • S3 resource usage: Bucket, upload_file, download_file, objects.all(), ObjectSummary
    • Errors: botocore.exceptions.ClientError (not boto3.exceptions)
  • Tests: No chia tests under tests/ reference s3_plugin_service or boto3 (no in-repo automated coverage for this plugin).

2) Overlap with likely changes (1.42.80 → 1.42.92)

  • PR-listed code change is #4768 — presigned URL docs (addressing style). That is documentation, not a runtime API change.
  • Other commits are version bumps and “Add changelog entries from botocore” — i.e. routine botocore sync in a patch line.
  • Chia’s usage is S3 resource upload/download/list, not presigned URLs, not transfer/CRT helpers, not low-level client-only paths highlighted in those commits.

So there is no meaningful intersection between this bump’s highlighted changes and the code paths Chia uses.

3) Risks / unknowns

  • Low: Same minor line (1.42.x); no indicated breaking boto3 API for your calls.
  • Residual: Any botocore bump can change retries, signing edge cases, or S3 service JSON — usually invisible to Bucket.upload_file / download_file, but not impossible in odd environments.
  • Gap: No tests exercise the S3 plugin here; regressions would show up in integration / manual use of chia_data_layer_s3_plugin.

4) Recommendation

Merge — maintenance patch within 1.42.x, doc-only feature in the PR thread, and Chia’s surface area is narrow and stable. Optional merge-with-caveats only if you treat the untested S3 plugin as production-critical: then confirm CI green and, if you have a staging bucket, a quick upload/download smoke test.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 28
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: d66479d40f800c50151b5588ab8ca4ed5089f919..d431bb03c76582926b04618b3704302b55579a45
  • Resolved refs: from=d66479d40f800c50151b5588ab8ca4ed5089f919 to=d431bb03c76582926b04618b3704302b55579a45
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 15

Top findings

  • CHANGELOG.rst:13981 shell_process_spawn :: * api-change:ecs: [botocore] This is for ecs exec feature release which includes two new APIs - execute-command and update-cluster and an AWS CLI customization for execute-command API
  • CHANGELOG.rst:1309 credential_exfil_indicator :: * api-change:signin: [botocore] AWS Sign-In manages authentication for AWS services. This service provides secure authentication flows for accessing AWS resources from the console and developer tools. This release adds the CreateOAuth2Token API, which can be used to fetch OAuth2 access tokens and refresh tokens from Sign-In.
  • CHANGELOG.rst:2744 credential_exfil_indicator :: * enhancement:sso: [botocore] Updates legacy token auth flow to check if cached legacy tokens are expired according to the local clock. If expired, it will raise an UnauthorizedSSOTokenError instead of sending an expired token to Identity Center's GetRoleCredentials API.
  • CHANGELOG.rst:5788 credential_exfil_indicator :: * api-change:firehose: [botocore] Adds integration with Secrets Manager for Redshift, Splunk, HttpEndpoint, and Snowflake destinations
  • CHANGELOG.rst:7212 credential_exfil_indicator :: * api-change:secretsmanager: [botocore] AWS Secrets Manager has released the BatchGetSecretValue API, which allows customers to fetch up to 20 Secrets with a single request using a list of secret names or filters.
  • CHANGELOG.rst:10618 credential_exfil_indicator :: * api-change:cognito-idp: [botocore] This change is being made simply to fix the public documentation based on the models. We have included the PasswordChange and ResendCode events, along with the Pass, Fail and InProgress status. We have removed the Success and Failure status which are never returned by our APIs.
  • CHANGELOG.rst:3400 obfuscation_indicator :: * api-change:bedrock-runtime: [botocore] You can now reference images and documents stored in Amazon S3 when using InvokeModel and Converse APIs with Amazon Nova Lite and Nova Pro. This enables direct integration of S3-stored multimedia assets in your model requests without manual downloading or base64 encoding.
  • .github/workflows/codeql.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/issue-regression-labeler.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/lint.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/pull-request-build.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/run-crt-test.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/run-tests.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/zizmor.yml:0 workflow_path_touch :: path-touch
  • boto3:0 maintainer_drift :: 1.42.80->1.42.92

@coveralls-official

Coverage Report for CI Build 25075844764

Coverage decreased (-0.02%) to 91.169%

Details

  • Coverage decreased (-0.02%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 30 coverage regressions across 12 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

30 previously-covered lines in 12 files lost coverage.

Top 10 Files by Coverage Loss

File                                            Lines Losing Coverage  Coverage
chia/server/node_discovery.py                   5                      79.86%
chia/wallet/wallet_node.py                      5                      86.61%
chia/rpc/rpc_server.py                          3                      90.94%
chia/server/server.py                           3                      85.56%
chia/simulator/setup_services.py                3                      96.3%
chia/data_layer/data_layer.py                   2                      85.68%
chia/full_node/full_node.py                     2                      87.59%
chia/_tests/core/test_farmer_harvester_rpc.py   2                      98.06%
chia/timelord/timelord.py                       2                      73.08%
chia/full_node/full_node_api.py                 1                      86.4%

Coverage Stats

Coverage Status
Relevant Lines: 117671
Covered Lines: 107445
Line Coverage: 91.31%
Relevant Branches: 11731
Covered Branches: 10530
Branch Coverage: 89.76%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
