build(deps): bump filelock from 3.25.2 to 3.29.0 #20839

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/filelock-3.29.0

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Bumps filelock from 3.25.2 to 3.29.0.

Release notes

Sourced from filelock's releases.

3.29.0

What's Changed

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

3.28.0

What's Changed

Full Changelog: tox-dev/filelock@3.27.0...3.28.0

3.27.0

What's Changed

Full Changelog: tox-dev/filelock@3.26.1...3.27.0

3.26.1

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.26.0...3.26.1

3.26.0

What's Changed

Full Changelog: tox-dev/filelock@3.25.2...3.26.0

Changelog

Sourced from filelock's changelog.

########### Changelog ###########


3.29.0 (2026-04-19)


  • ✨ feat(soft): enable stale lock detection on Windows :pr:534
  • 🐛 fix(async): use single-thread executor for lock consistency :pr:533
  • build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

3.28.0 (2026-04-14)


  • 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

3.26.1 (2026-04-09)


  • 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
  • build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

3.26.0 (2026-04-06)


  • ✨ feat(soft): add PID inspection and lock breaking :pr:524
  • [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
  • build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
  • Remove persist-credentials: false from release job :pr:520
  • [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
  • 🔒 ci(workflows): add zizmor security auditing :pr:517
  • [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
  • [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

3.25.2 (2026-03-11)


  • 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

3.25.1 (2026-03-09)


  • [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
  • 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits
  • 469b47f Release 3.29.0
  • e85d072 ✨ feat(soft): enable stale lock detection on Windows (#534)
  • f5ee171 🐛 fix(async): use single-thread executor for lock consistency (#533)
  • 2a95458 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#530)
  • 55de20c Release 3.28.0
  • 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
  • 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
  • 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
  • 4cfab49 Release 3.26.1
  • 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
Dependency-only change, but filelock impacts cross-process/config locking behavior and this bump includes async and Windows lock-handling changes that could affect runtime concurrency edge cases.

Overview
Updates the filelock dependency requirement to >=3.29.0 and refreshes poetry.lock accordingly (new filelock artifacts and lockfile content-hash).

No application code changes; the PR is solely a dependency version bump affecting how file-based locking is provided at runtime.

Reviewed by Cursor Bugbot for commit 435a03b.

Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.25.2 to 3.29.0.
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.25.2...3.29.0)

---
updated-dependencies:
- dependency-name: filelock
  dependency-version: 3.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 28, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 28, 2026 20:26

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Comment thread pyproject.toml
dnslib = ">=0.9.25" # dns lib
dnspython = ">=2.6.1" # Query DNS seeds
filelock = ">=3.16.1" # For reading and writing config multiprocess and multithread safely (non-reentrant locks)
filelock = ">=3.29.0" # For reading and writing config multiprocess and multithread safely (non-reentrant locks)
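Review bot: the floor moves from >=3.16.1 to >=3.29.0 while the trailing comment still describes only the FileLock-based config locking, and nothing else in this PR names a filelock API that first appeared after 3.16.1. The resolved version already lives in poetry.lock (3.29.0), which is where a pin belongs; keep `filelock = ">=3.16.1"` in pyproject.toml and let only the lockfile move, or, if a specific fix after 3.16.1 is required, name it in the comment so the tightened range is justified for co-installed packages that cap filelock lower.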

Minimum filelock version floor unnecessarily raised to 3.29.0

Low Severity

The minimum version constraint for filelock in pyproject.toml was bumped from >=3.16.1 to >=3.29.0, but the codebase only uses FileLock, BaseFileLock, and Timeout — APIs that have been stable since well before 3.16.1. No new 3.29.0 features (like SoftReadWriteLock or stale lock detection) are used anywhere. Raising the floor version unnecessarily tightens the dependency constraint and could cause resolution conflicts for downstream consumers or co-installed packages that depend on an older compatible filelock.


@github-actions
Contributor

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how Chia uses filelock to assess compatibility with upstream changes.

Verdict: benign

Why this reads as a normal upgrade

  • Identity / typosquatting: The dependency is the established tox-dev/py-filelock project on PyPI, not a name-squat package.
  • Classic obfuscation / exfiltration: Nothing in your materials points to eval/encoded payloads, mystery hosts, or install-time scripts; filelock is a pure library with no npm-style lifecycle hooks.
  • Invisible Unicode (“GlassWorm”): The scanner hits are visible emoji in upstream GitHub workflow names and docs (e.g. step titles with emoji, ⚠️ in RST). That matches the reported regex (variation selectors often ride along with emoji). This is not the same class of attack as zero-width/bidi/homoglyph identifiers in shipped code. Treat these unicode findings as noise, not compromise.
  • Workflow file changes: Those edits are in the upstream repo’s .github/workflows/, not in the installed wheel/sdist consumers get from PyPI. They reflect normal maintainer CI churn, not something Dependabot is injecting into Chia’s tree unless the PR itself edits workflows (typical Dependabot PRs do not).
  • Process / spawn heuristics: Matches are test code (multiprocessing spawn) and config comments (S603 / subprocess)—generic patterns, not IOCs.
  • maintainer_drift: The payload is the version range string (3.25.2->3.29.0), not independent evidence of publisher account takeover.
  • Integrity / semver: 3.25.2 → 3.29.0 is a series of documented releases with public tags/commits you already summarized; not a “ghost” version.
  • Chia usage: The tree uses synchronous FileLock / BaseFileLock (e.g. chia/util/lock.py, tests)—consistent with the stated non-reentrant config locking; upstream async/soft-lock changes don’t expand attack surface for that usage pattern.

Scanner vs. interpretation: The report is warn-only with no IOCs; the items that look “scary” in a checklist (unicode, workflows, spawn) are consistent with benign upstream development once you separate repo CI/docs from published package contents. No conflict strong enough to overturn a benign verdict.

Compatibility Analysis

Searching the codebase for filelock usage and checking how it aligns with upstream changes.

1) Where filelock is used

Location                                                          Usage
pyproject.toml                                                    Declared as filelock = ">=3.29.0" (comment: config read/write across processes/threads).
poetry.lock                                                       Resolved to 3.29.0.
chia/util/lock.py                                                 FileLock, BaseFileLock (typing), Timeout; acquire(timeout=..., poll_interval=...), release(), context manager.
chia/simulator/block_tools.py                                     with FileLock(...): (plot setup).
chia/_tests/util/plot_cache.py, chia/_tests/util/blockchain.py    Same FileLock context-manager pattern.
chia/_tests/conftest.py                                           Log level tweak for logger name "filelock" only.

No AsyncFileLock, SoftFileLock, SoftReadWriteLock, or private filelock._* imports in chia/.


2) Overlap with changed APIs (3.25.2 → 3.29.0)

Upstream changes called out in the PR are mostly async (BaseAsyncFileLock / single-thread executor — PR #533), soft locks (stale detection on Windows — #534), SoftReadWriteLock (#528), and SoftFileLock PID / breaking (#524, #518).

Chia only uses synchronous FileLock plus Timeout and the stable acquire / release / context manager surface. That does not map to the async or soft-read/write APIs above. FileLock’s public contract is unchanged in the notes; updates are fixes/features on other code paths.

Edge case: On some Unix setups, FileLock can fall back to SoftFileLock (e.g. when flock is unavailable). Soft-lock behavior has evolved (stale/PID-related work). That could theoretically affect unusual filesystems, not the normal Windows WindowsFileLock / Unix flock path.


3) Risks / unknowns

  • Low: No direct use of APIs that were heavily reworked in the changelog.
  • Residual: Rare Unix → soft fallback or NFS-ish config/plot paths might see slightly different soft-lock behavior; still in the direction of bug fixes, not intentional breaking changes.
  • Build: Same requires-python band; filelock remains pure Python / standard wheel — no new native deps indicated.

4) Recommendation

Merge (or merge with minor caveats: if you have CI or manual checks on NFS-mounted chia dirs, a quick smoke test of config/plot locking is enough; not a reason to hold the bump).


Summary: Usage is narrow and sync-only; 3.25.2→3.29.0 churn is largely outside that surface. Proceed with the dependency bump.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 27
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 5b9872c523b20db569d8832da4fb640e9c175ce6..469b47f192b0a9f8c8b795d9b9f57212c716959b
  • Resolved refs: from=5b9872c523b20db569d8832da4fb640e9c175ce6 to=469b47f192b0a9f8c8b795d9b9f57212c716959b
  • Unicode findings (post-allowlist): 9
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 9

Top findings

  • .github/workflows/release.yaml:60 unicode :: - name: 🏷️ Create temporary tag for hatch-vcs
  • .github/workflows/release.yaml:114 unicode :: - name: ⬇️ Download all the dists
  • docs/concepts.rst:325 unicode :: lock = FileLock("data.txt") # ⚠️ Wrong!
  • docs/tutorials.rst:154 unicode :: FileLock("my.lock").acquire() # ⚠️ Don't do this
  • .github/workflows/check.yaml:1 unicode :: name: "🛠️ check"
  • .github/workflows/check.yaml:53 unicode :: - name: "⚙️ Setup test suite"
  • .github/workflows/check.yaml:101 unicode :: - name: "⚙️ Setup coverage tool"
  • .github/workflows/check.yaml:105 unicode :: - name: "⬇️ Download coverage data"
  • .github/workflows/check.yaml:148 unicode :: - name: "⚙️ Setup test suite"
  • tests/soft_rw/test_soft_rw_sync.py:613 shell_process_spawn :: # multiprocessing.spawn startup, the heartbeat thread scheduling, and the parent's mtime resolution
  • tests/soft_rw/test_soft_rw_sync.py:847 shell_process_spawn :: ctx = mp.get_context("spawn")
  • tests/soft_rw/test_soft_rw_sync.py:859 shell_process_spawn :: ctx = mp.get_context("spawn")
  • tests/soft_rw/test_soft_rw_sync.py:871 shell_process_spawn :: ctx = mp.get_context("spawn")
  • pyproject.toml:136 shell_process_spawn :: "S603", # subprocess call: check for execution of untrusted input
  • pyproject.toml:151 shell_process_spawn :: "S603", # subprocess call: check for execution of untrusted input
  • .github/workflows/check.yaml:0 workflow_path_touch :: path-touch
  • .github/workflows/release.yaml:0 workflow_path_touch :: path-touch
  • filelock:0 maintainer_drift :: 3.25.2->3.29.0
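The distinction the analysis above draws between emoji variation selectors (noise) and the zero-width, bidirectional and other invisible code points an attacker hides in shipped code (the thing a supply-chain scanner exists to catch) is mechanical enough to encode. The following is an added example, not code from the Chia repo, from filelock, or from the scanner behind the report; the function names and classification rules are this example's own, the two emoji sample lines reproduce findings quoted in the report, and the two "attack" lines are constructed for illustration.

```python
"""Tell invisible/bidi code points from emoji glue in a dependency diff.

Added example, not code from the Chia repo, from filelock or from the
scanner behind the report above. Function names, classification rules and
the two "attack" sample lines are this example's own; the two emoji lines
reproduce findings quoted in the report.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Code points that have no place in source: they render as nothing, or reorder
# what is rendered, and are the raw material of trojan-source and
# invisible-identifier tricks.
ZERO_WIDTH = {0x200B, 0x200C, 0x2060, 0xFEFF, 0x3164, 0x115F, 0x1160}
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}
# Legitimately attached to emoji; suspicious only when glued to ASCII.
VARIATION_SELECTORS = {0xFE0E, 0xFE0F}
ZWJ = 0x200D


@dataclass(frozen=True)
class Finding:
    line: int
    column: int
    codepoint: str  # e.g. "U+202E"
    name: str
    severity: str   # "high": needs a human; "info": emoji presentation noise


def _is_emoji_base(ch: str) -> bool:
    """True if ch is the kind of character a VS/ZWJ legitimately follows."""
    return bool(ch) and ord(ch) > 0x7F and unicodedata.category(ch) in {"So", "Sk", "Sm", "Mn"}


def scan_line(text: str, lineno: int = 1) -> list[Finding]:
    findings: list[Finding] = []
    for col, ch in enumerate(text):
        cp = ord(ch)
        label, name = f"U+{cp:04X}", unicodedata.name(ch, "<unnamed>")
        if cp in ZERO_WIDTH or cp in BIDI_CONTROLS:
            findings.append(Finding(lineno, col, label, name, "high"))
        elif cp in VARIATION_SELECTORS or cp == ZWJ:
            prev = text[col - 1] if col else ""  # what the selector/joiner is attached to
            findings.append(Finding(lineno, col, label, name, "info" if _is_emoji_base(prev) else "high"))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    return [f for i, line in enumerate(lines, start=1) for f in scan_line(line, i)]


def high_findings(lines: list[str]) -> list[Finding]:
    return [f for f in scan(lines) if f.severity == "high"]


def verdict(lines: list[str]) -> str:
    """'review' if anything invisible sits in code, 'noise-only' if only emoji glue, else 'clean'."""
    if high_findings(lines):
        return "review"
    return "noise-only" if scan(lines) else "clean"


# Constructed sample. Lines 1-2 are findings quoted from the report above (emoji
# followed by U+FE0F); lines 3-4 are made up for this example: a right-to-left
# override inside a string literal and a zero-width space inside an identifier.
SAMPLE_LINES = [
    "- name: \U0001F3F7\uFE0F Create temporary tag for hatch-vcs",
    'lock = FileLock("data.txt")  # \u26A0\uFE0F Wrong!',
    'role = "user\u202Eadmin"',
    "is_adm\u200Bin = True",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.severity:4} line {f.line} col {f.column} {f.codepoint} {f.name}")
    print(verdict(SAMPLE_LINES))
```

Run this over what the bump actually installs (the sdist or wheel contents) rather than the upstream repo's workflow files; only `high` findings need a human, and unicode findings of the kind listed in the report above (emoji plus U+FE0F) come out as `info`, which is the "noise, not compromise" call the analysis makes.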
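The compatibility analysis above reduces Chia's exposure to three behaviours of the synchronous FileLock surface: acquire(timeout=..., poll_interval=...) raising Timeout when another process holds the lock, release() clearing the lock, and the context manager. The recommended "quick smoke test" of that contract after the bump can be written down as a script. This is an added example, not code from the Chia repo or from the filelock project: it uses the real filelock package when it is importable and otherwise a minimal stand-in built on fcntl.flock with the same acquire/release/context-manager surface, so it runs offline; the names hold_lock_in_child and smoke_test are this example's own, and it assumes Linux or macOS (it exercises the flock path the analysis calls the normal Unix path, not the soft-lock path).

```python
"""Cross-process smoke test of the filelock contract Chia relies on.

Added example (not code from the Chia repo or from filelock). It uses the
real ``filelock`` package when importable and otherwise a minimal stand-in
built on ``fcntl.flock``; ``hold_lock_in_child`` and ``smoke_test`` are
this example's own names. Assumes Linux/macOS.
"""
from __future__ import annotations

import fcntl
import os
import subprocess
import sys
import tempfile
import time

try:  # the package this PR bumps; only its public surface is used below
    from filelock import FileLock, Timeout
except ImportError:  # stand-in with the same acquire/release/context-manager surface
    class Timeout(TimeoutError):
        def __init__(self, lock_file: str) -> None:
            super().__init__(lock_file)
            self.lock_file = lock_file

    class FileLock:
        """Exclusive flock-based lock; a second acquire in the same process blocks."""

        def __init__(self, lock_file: str, timeout: float = -1) -> None:
            self.lock_file = lock_file
            self.timeout = timeout  # -1 means wait forever, as in filelock
            self._fd: int | None = None

        @property
        def is_locked(self) -> bool:
            return self._fd is not None

        def acquire(self, timeout: float | None = None, poll_interval: float = 0.05) -> FileLock:
            timeout = self.timeout if timeout is None else timeout
            deadline = None if timeout < 0 else time.monotonic() + timeout
            fd = os.open(self.lock_file, os.O_RDWR | os.O_CREAT, 0o644)
            while True:
                try:
                    fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                except BlockingIOError:  # held elsewhere: poll until the deadline
                    if deadline is not None and time.monotonic() >= deadline:
                        os.close(fd)
                        raise Timeout(self.lock_file) from None
                    time.sleep(poll_interval)
                else:
                    self._fd = fd
                    return self

        def release(self) -> None:
            if self._fd is not None:
                fcntl.flock(self._fd, fcntl.LOCK_UN)
                os.close(self._fd)
                self._fd = None

        def __enter__(self) -> FileLock:
            return self.acquire()

        def __exit__(self, *exc: object) -> None:
            self.release()

# Holder process: a raw flock on the same path, the primitive the Unix lock uses.
CHILD_SCRIPT = """
import fcntl, sys, time
fd = open(sys.argv[1], "w")
fcntl.flock(fd, fcntl.LOCK_EX)
print("held", flush=True)          # parent waits for this before contending
time.sleep(float(sys.argv[2]))     # exiting releases the lock
"""


def hold_lock_in_child(lock_path: str, hold_seconds: float) -> subprocess.Popen:
    """Start a separate interpreter that holds the lock for hold_seconds."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT, lock_path, str(hold_seconds)],
        stdout=subprocess.PIPE, text=True,
    )
    assert proc.stdout is not None and proc.stdout.readline().strip() == "held"
    return proc


def smoke_test(hold_seconds: float = 1.0) -> dict[str, bool]:
    """Check the three behaviours a config-lock consumer depends on."""
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = os.path.join(tmp, "config.yaml.lock")
        lock = FileLock(lock_path)
        with hold_lock_in_child(lock_path, hold_seconds):  # block exits once the child has released
            try:
                lock.acquire(timeout=0.2, poll_interval=0.05)
                lock.release()
                timed_out = False
            except Timeout as exc:  # expected: another process holds config.yaml.lock
                timed_out = exc.lock_file == lock_path
        with lock:  # blocking acquire now that the holder is gone
            reacquired = lock.is_locked
        return {"timed_out": timed_out, "reacquired": reacquired, "released": not lock.is_locked}


if __name__ == "__main__":
    print(smoke_test())
```

Run it once against the old pin and once against 3.29.0 (or on an NFS-mounted chia directory, as the analysis suggests); all three flags should read True both times. A run where `timed_out` comes back False means the second process was able to take the lock while it was held, which is the one outcome that would justify holding the bump.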

@coveralls-official

Coverage Report for CI Build 25075893407

Coverage increased (+0.01%) to 91.203%

Details

  • Coverage increased (+0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 16 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

16 previously-covered lines in 8 files lost coverage.

File                                                        Lines losing coverage   Coverage
chia/rpc/rpc_server.py                                      3                       90.94%
chia/simulator/setup_services.py                            3                       96.3%
chia/data_layer/data_layer.py                               2                       85.68%
chia/full_node/full_node.py                                 2                       87.59%
chia/server/node_discovery.py                               2                       80.38%
chia/timelord/timelord.py                                   2                       73.08%
chia/_tests/core/util/test_file_keyring_synchronization.py  1                       96.88%
chia/_tests/simulation/test_simulation.py                   1                       96.49%

Coverage Stats

Coverage Status
Relevant Lines: 117671
Covered Lines: 107484
Line Coverage: 91.34%
Relevant Branches: 11731
Covered Branches: 10534
Branch Coverage: 89.8%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
