build(deps): bump packaging from 26.0 to 26.1#20838
dependabot[bot] wants to merge 1 commit into main from
Bumps [packaging](https://github.com/pypa/packaging) from 26.0 to 26.1.
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@26.0...26.1)

---
updated-dependencies:
- dependency-name: packaging
  dependency-version: '26.1'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 9c59e4c.
| filelock = ">=3.16.1" # For reading and writing config multiprocess and multithread safely (non-reentrant locks) | ||
| keyring = ">=25.5.0" # Store keys in MacOS Keychain, Windows Credential Locker | ||
| packaging = ">=24.0" | ||
| packaging = ">=26.1" |
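Review bot: The packaging lower bound moves from ">=24.0" to ">=26.1", so what the PR description calls a semver-minor update of a direct production dependency also tightens the floor every downstream consumer must satisfy, and nothing visible in the hunk needs an API newer than 24.0. Keep packaging = ">=24.0" and let poetry.lock carry the resolved 26.1; if lock-only bumps are the intent for this manifest, Dependabot's versioning-strategy: lockfile-only setting in .github/dependabot.yml keeps future PRs from touching the constraint.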
Minimum version constraint unnecessarily tightened from 24.0 to 26.1
Medium Severity
The packaging minimum version in pyproject.toml was raised from >=24.0 to >=26.1, but the codebase only uses packaging.version.Version — a feature available since much older versions. This Dependabot PR is meant to bump the lock file only, not tighten the minimum constraint. Raising it unnecessarily restricts compatibility for downstream consumers and environments that may not yet have packaging 26.1 available.
Reviewed by Cursor Bugbot for commit 9c59e4c.
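The check the Bugbot finding above amounts to, as an added example that is not part of this PR or the Chia code base: given the before/after text of a Poetry-style pyproject.toml, report whether a dependency's ">=" floor was raised rather than only the lock file being refreshed. The BEFORE/AFTER snippets are constructed from the three lines shown in the diff, and the version comparison is a deliberate simplification that looks only at numeric release segments.

```python
"""Detect a tightened pyproject.toml lower bound in a dependency-bump PR.
Constructed example: the snippets mirror the lines in this PR's diff,
they are not the repository's real files."""
import re
from typing import Optional, Tuple

# Matches a simple Poetry-style dependency line, e.g.:  packaging = ">=24.0"
_DEP_LINE = re.compile(r'^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*=\s*"(?P<spec>[^"]*)"', re.M)


def _numeric(version: str) -> Tuple[int, ...]:
    """Release-segment-only key: '26.1' -> (26, 1).
    Simplification (assumption): pre/dev/local segments are ignored,
    which is enough for floors such as '>=24.0' or '>=3.16.1'."""
    return tuple(int(p) for p in version.strip().split(".") if p.isdigit())


def dependency_floor(pyproject: str, name: str) -> Optional[str]:
    """Return the '>=' floor declared for `name`, or None if there is none."""
    for m in _DEP_LINE.finditer(pyproject):
        if m.group("name").lower() == name.lower():
            for clause in m.group("spec").split(","):
                clause = clause.strip()
                if clause.startswith(">="):
                    return clause[2:].strip()
    return None


def floor_tightened(old_pyproject: str, new_pyproject: str, name: str) -> bool:
    """True when the change raised the minimum version consumers must satisfy."""
    old = dependency_floor(old_pyproject, name)
    new = dependency_floor(new_pyproject, name)
    if new is None:
        return False  # floor removed or absent: nothing was tightened
    if old is None:
        return True   # a floor appeared where none existed before
    return _numeric(new) > _numeric(old)


# Constructed before/after text based on the three lines visible in the diff.
BEFORE = 'filelock = ">=3.16.1"\nkeyring = ">=25.5.0"\npackaging = ">=24.0"\n'
AFTER = 'filelock = ">=3.16.1"\nkeyring = ">=25.5.0"\npackaging = ">=26.1"\n'

if __name__ == "__main__":
    for dep in ("filelock", "keyring", "packaging"):
        flag = "TIGHTENED" if floor_tightened(BEFORE, AFTER, dep) else "unchanged"
        print(f"{dep}: {dependency_floor(BEFORE, dep)} -> {dependency_floor(AFTER, dep)} [{flag}]")
```

Run against the real pyproject.toml from the base and head commits, this is the one-line gate a reviewer can apply to every Dependabot PR before looking at the lock-file hashes.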
Cursor Dependency Analysis
Supply-Chain Malware Review
Verdict: benign
Why this looks safe
Residual risk (not malware)
If scanner and story disagreed: Here they don’t — workflow/subprocess hits are explained by full upstream delta and normal dev/test code, not by a minimal Dependabot manifest change being malicious.
Compatibility Analysis
Searching the codebase for direct
1) Where
| Area | Role |
|---|---|
| pyproject.toml | Direct dependency: packaging = ">=26.1" (line 70). |
| poetry.lock | Resolved wheel/sdist for packaging (e.g. 26.1). |
| Application code | Only packaging.version: Version (and InvalidVersion in chia/util/chia_version.py). |
Files (excluding vendored .upstream-dependency):
- chia/util/chia_version.py: from packaging.version import InvalidVersion, Version
- chia/full_node/full_node.py (line 39): from packaging.version import Version
- chia/farmer/farmer_api.py (line 12): from packaging.version import Version
- chia/cmds/dev/installers.py (lines 8-68): import packaging.version, then packaging.version.Version(...) for CLI/installer checks
Uses: parse handshake / CLI version strings into Version, compare with literals (e.g. Version("0.0.35"), Version("2.6.0")), build short display strings via major / minor / micro / pre in chia_version.
Tests under chia/_tests/ mirror the same imports.
2) Overlap with 26.1 changes
No meaningful overlap.
26.1’s listed changes target markers (& / |), specifiers (PEP‑style ranges, SpecifierSet.*, prerelease/postrelease edge cases), wheel/tags/pylock, new modules (dependency_groups, direct_url, errors), parse_wheel_filename options, renaming format_full_version → _format_full_version, etc.
Chia does not import specifiers, requirements, markers, tags/utils, or private helpers. Its usage is limited to Version / InvalidVersion parsing and ordering for simple protocol-style strings.
The comparison / normalization fixes (e.g. dev+local, infinity edge cases, ASCII local segments) could only matter if you depended on quirky version strings or pickled Version objects; Chia’s paths are straightforward comparisons on normal semver-like literals.
3) Risks / unknowns
- Low: Tooling/other deps also use packaging; that’s normal and exercised by CI.
- Niche: Extremely unusual version strings (huge ints, exotic locals) might parse or compare differently due to PEP alignment and bugfixes—unlikely for handshake/protocol checks.
- No Chia code references the renamed private format_full_version.
4) Recommendation
Merge.
The repo already declares packaging >= 26.1; bumping the lockfile to 26.0 → 26.1 matches that and touches APIs Chia does not use beyond packaging.version, which stays stable for this usage.
Optional caveat for the PR thread: behavior of specifier-oriented PEP edge cases changed in upstream, but that does not apply to current Chia call sites unless you later add specifier-based parsing.
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 81
- Resolution strategy: tag_range
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved upstream range: 3b77a26f5a27473ad3b08194d773f325d018a2d0..c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
- Resolved refs: from=3b77a26f5a27473ad3b08194d773f325d018a2d0 to=c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
- Unicode findings (post-allowlist): 2
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 26
Top findings
- tests/test_metadata.py:1083 unicode :: ("Foo", "🕵️"),
- tests/test_metadata.py:1085 unicode :: "Foo: 🕵️\n",
- tests/test_tags.py:8 shell_process_spawn :: import subprocess
- tests/test_tags.py:351 shell_process_spawn :: subprocess,
- tests/test_tags.py:353 shell_process_spawn :: lambda *args, **kwargs: subprocess.CompletedProcess(
- tests/test_musllinux.py:4 shell_process_spawn :: import subprocess
- tests/test_musllinux.py:82 shell_process_spawn :: monkeypatch.setattr(_musllinux.subprocess, "run", run_recorder) # type: ignore[attr-defined]
- tests/test_musllinux.py:91 shell_process_spawn :: stderr=subprocess.PIPE,
- tasks/check_frozen_revs.py:49 shell_process_spawn :: stdout=asyncio.subprocess.PIPE,
- tasks/check_frozen_revs.py:50 shell_process_spawn :: stderr=asyncio.subprocess.DEVNULL,
- noxfile.py:15 shell_process_spawn :: import subprocess
- noxfile.py:310 shell_process_spawn :: result = subprocess.run(
- noxfile.py:461 shell_process_spawn :: result = subprocess.run(
- noxfile.py:470 shell_process_spawn :: result = subprocess.run(
- noxfile.py:480 shell_process_spawn :: result = subprocess.run(
- noxfile.py:491 shell_process_spawn :: result = subprocess.run(
- noxfile.py:514 shell_process_spawn :: subprocess.run(["git", "add", str(file)], check=False)
- noxfile.py:515 shell_process_spawn :: subprocess.run(["git", "commit", "-m", f"Bump for {kind}"], check=False)
- docs/conf.py:12 shell_process_spawn :: exec(f.read(), ABOUT)
- src/packaging/tags.py:12 shell_process_spawn :: import subprocess
Coverage Report for CI Build 25075868907
Coverage decreased (-0.01%) to 91.179%
Uncovered Changes: No uncovered changes found.
Coverage Regressions: 23 previously-covered lines in 10 files lost coverage.
💛 - Coveralls


Bumps packaging from 26.0 to 26.1.
Release notes
Sourced from packaging's releases.
... (truncated)
Changelog
Sourced from packaging's changelog.
... (truncated)
Commits
- c1a88a3 Bump for release
- 702c25e docs: update changelog for 26.1 (#1156)
- 3f4f5d4 Implement is_unsatisfiable on SpecifierSet using ranges (#1119)
- 06c6555 Propagate int-max-str-digits ValueError (#1155)
- 905c90c feat: option to validate compressed tag set sort order in `parse_wheel_filena...
- af0026c docs(pylock): document select() method and PylockSelectError (#1153)
- 668da86 Rename format_full_version to _format_full_version to make it visibly private...
- f294d52 tests: do not reload the tags module (#1152)
- 2c6c7df feat: add handling for Emscripten wheels tags per PEP 783 (#804)
- 6762eea docs(markers): document & and | operators for combining Marker objects (#1151)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Low Risk
Low risk dependency bump limited to Python packaging utilities; main risk is subtle behavior changes in version/specifier/tag parsing affecting build or dependency resolution.
Overview
Updates the packaging dependency from 26.0 to 26.1 by raising the constraint in pyproject.toml and refreshing poetry.lock with the new wheel/sdist hashes and lock content-hash.
Reviewed by Cursor Bugbot for commit 9c59e4c.