RHAIENG-2509: chore(pyproject.toml): create Python metaprojects in odh-io/notebooks to group deps#2796
Skipping CI for Draft Pull Request.
Caution: Review failed. The pull request is closed.

Review info: Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited). Review profile: CHILL. Plan: Pro. Files selected for processing: 40. Files not summarized due to errors: 2.

Walkthrough

Adds three new meta-dependency projects under dependencies/: odh-notebooks-meta-db-connectors-deps, odh-notebooks-meta-jupyterlab-deps, and odh-notebooks-meta-jupyterlab-datascience-deps (each with pyproject.toml). Multiple notebook, runtime, and rstudio pyproject.toml files replace direct DB-connector and Jupyter-related package entries with those three meta-dependencies and add corresponding local [tool.uv.sources] path mappings. Numerous autogenerated uv lockfile header comments were updated (changed --no-emit-package lists and advanced --exclude-newer timestamps). scripts/pylocks_generator.py was updated to include the three new packages in NO_EMIT_PACKAGES.

Estimated code review effort: 3 (Moderate), ~20 minutes. Pre-merge checks: 3 passed.
Force-pushed from 2c9caeb to 92fbeb9.
Here's my analysis of PR #2796:

What PR #2796 intended to do

It's a follow-up to PR #2795 (both by you, both draft). Together they aimed to:

Should it be salvaged? No, it's obsolete. Here's why:
Force-pushed from 92fbeb9 to 9dd7571.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

@@           Coverage Diff           @@
##            main    #2796    +/-   ##
=====================================
  Coverage   3.32%    3.32%
=====================================
  Files         31       31
  Lines       3550     3550
  Branches     569      569
=====================================
  Hits         118      118
  Misses      3430     3430
  Partials       2        2
Actionable comments posted: 2
🧹 Nitpick comments (6)
dependencies/odh-notebooks-meta-db-connectors-deps/pyproject.toml (1)
6-11: Unpinned dependencies increase supply chain risk. All four database connectors lack version constraints. While lockfiles resolve actual versions, consider adding minimum version bounds (e.g., `pymongo>=4.0`) to prevent accidental resolution to incompatible or known-vulnerable releases during lock regeneration. This is consistent with other meta-packages in this PR, so flagging as optional if this is intentional project policy.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@dependencies/odh-notebooks-meta-db-connectors-deps/pyproject.toml` around lines 6 - 11, The dependency list in pyproject.toml currently declares database connectors without version bounds ("pymongo", "psycopg", "pyodbc", "mysql-connector-python"), which raises supply-chain risk; update each dependency to include an appropriate minimum version constraint (for example "pymongo>=4.0") or another project-consistent bound to prevent accidental resolution to incompatible or vulnerable releases, ensuring the change is applied where the dependencies array is defined and keeping the package names ("pymongo", "psycopg", "pyodbc", "mysql-connector-python") as the identifiers to modify.
jupyter/rocm/pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml (2)
2-2: Future `--exclude-newer` timestamp degrades reproducibility. The `--exclude-newer=2026-03-31T09:08:33Z` flag is set to a future date. If this lock file is regenerated before March 31, 2026, different team members could resolve different dependency versions depending on when they regenerate, breaking deterministic builds. Consider using the current date/time when generating lock files to ensure reproducible builds:
-# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.rocm.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-db-connectors-deps --no-emit-package odh-notebooks-meta-jupyterlab-datascience-deps --no-emit-package odh-notebooks-meta-jupyterlab-deps --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../../dependencies/cve-constraints.txt --exclude-newer=2026-03-31T09:08:33Z --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/rocm6.4-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/rocm6.4-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json --index-strategy=unsafe-best-match
+# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.rocm.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-db-connectors-deps --no-emit-package odh-notebooks-meta-jupyterlab-datascience-deps --no-emit-package odh-notebooks-meta-jupyterlab-deps --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../../dependencies/cve-constraints.txt --exclude-newer=$(date -u +%Y-%m-%dT%H:%M:%SZ) --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/rocm6.4-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/rocm6.4-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json --index-strategy=unsafe-best-match
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@jupyter/rocm/pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml` at line 2, The lock-generation command contains a future --exclude-newer=2026-03-31T09:08:33Z which undermines reproducibility; update the invocation that produces pylock.rocm.toml (the commented uv pip compile command) to remove the hardcoded future timestamp or set --exclude-newer to the current generation datetime (or omit the flag entirely) so regenerated lock files resolve deterministically for all developers.
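Review bot: the `+` line in the suggestion above edits a comment that uv writes itself (line 1 of every pylock on this page says the file was autogenerated by uv via that command), so replacing the recorded timestamp with `$(date -u +%Y-%m-%dT%H:%M:%SZ)` there changes nothing about how the lock was resolved and would be overwritten, or copied in as literal text, on the next regeneration; the place to change the cutoff is the invocation that scripts/pylocks_generator.py assembles. Note also the direction of the trade-off: a fixed `--exclude-newer` value is what lets a later regeneration resolve against the same index snapshot, while a cutoff read from the wall clock on each run makes every regeneration see a different snapshot.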
1716-1718: Clarify excluded packages comment. The command specifies 7 `--no-emit-package` flags, but the comment lists only 4 packages. This discrepancy (likely because only 4 were actual dependencies) could confuse developers reviewing the lock file. Consider revising the comment to clarify which packages were requested for exclusion vs. actually excluded:
# The following packages were excluded from the output:
+# (from dependencies of this project)
# odh-notebooks-meta-db-connectors-deps
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@jupyter/rocm/pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml` around lines 1716 - 1718, Update the comment block that currently lists "# odh-notebooks-meta-db-connectors-deps", "# odh-notebooks-meta-jupyterlab-datascience-deps", and "# odh-notebooks-meta-jupyterlab-deps" to clarify the discrepancy between the seven --no-emit-package flags used and the four packages shown: state which packages were requested for exclusion (the seven --no-emit-package entries) and which packages were actually excluded (the four listed), e.g., by appending a short note like "requested exclusions: <list> — actually excluded: <list>" next to the existing comment lines so reviewers can see both sets without changing functionality.
runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml (2)
1361-1361: Clarify excluded packages comment. The command specifies 7 `--no-emit-package` flags, but the comment lists only 4 packages. This discrepancy (likely because only 4 were actual dependencies) could confuse developers reviewing the lock file. Consider revising the comment to clarify which packages were requested for exclusion vs. actually excluded.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml` at line 1361, The comment "# odh-notebooks-meta-db-connectors-deps" is ambiguous given the command uses seven "--no-emit-package" flags but the comment only names four packages; update the comment near that marker to explicitly state "requested exclusions" versus "actually excluded" (or list both), and enumerate the seven package names requested with "--no-emit-package" as well as the four that were actually present/omitted, so reviewers can see the discrepancy; refer to the occurrence of "--no-emit-package" flags in the same block to find where to edit.
2-2: Future `--exclude-newer` timestamp degrades reproducibility. The `--exclude-newer=2026-03-31T09:08:33Z` flag is set to a future date. If this lock file is regenerated before March 31, 2026, different team members could resolve different dependency versions depending on when they regenerate, breaking deterministic builds. Consider using the current date/time when generating lock files to ensure reproducible builds.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml` at line 2, Replace the hard-coded future timestamp in the pip-compile invocation so lockfile generation uses the current date/time or a deterministic value; specifically update the command line that includes the --exclude-newer=2026-03-31T09:08:33Z flag in the pylock.cuda.toml entry (the string "--exclude-newer=2026-03-31T09:08:33Z") to either remove the flag, compute/insert the current ISO8601 timestamp at generation time, or replace it with a reproducible policy (e.g., a fixed past cutoff), and regenerate the lockfile so all contributors produce consistent dependency resolutions.
runtimes/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml (1)
2-2: Lockfile generation includes unnecessary package exclusions. The `--no-emit-package` flags for `odh-notebooks-meta-db-connectors-deps`, `odh-notebooks-meta-jupyterlab-deps`, and `odh-notebooks-meta-jupyterlab-datascience-deps` are redundant if this tensorflow runtime doesn't declare these packages as dependencies. Excluding packages that aren't dependencies adds cognitive overhead and suggests the lockfile generator applies a blanket policy rather than being context-aware. Verify the corresponding `pyproject.toml` only excludes packages it actually depends on. If these meta-packages aren't dependencies here, remove the unnecessary exclusion flags from the generation command for this lockfile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@runtimes/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml` at line 2, The lockfile generation command in pylock.cuda.toml includes redundant --no-emit-package flags for odh-notebooks-meta-db-connectors-deps, odh-notebooks-meta-jupyterlab-deps, and odh-notebooks-meta-jupyterlab-datascience-deps; verify the runtime's pyproject.toml dependencies and if those meta-packages are not listed, remove those three --no-emit-package entries from the uv pip compile command in pylock.cuda.toml so the generation only excludes packages that are actual dependencies.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@jupyter/datascience/ubi9-python-3.12/pyproject.toml`:
- Around line 12-14: The pyproject entry is pulling three meta-dependency
projects ("odh-notebooks-meta-db-connectors-deps",
"odh-notebooks-meta-jupyterlab-deps",
"odh-notebooks-meta-jupyterlab-datascience-deps") that currently allow unbounded
transitive dependency ranges; update those meta projects to pin or add
conservative version bounds (==, ~=, <=/>= ranges as appropriate) for critical
runtime packages (e.g., pymongo, psycopg, jupyterlab) and then update this
pyproject to reference the resulting locked/meta versions, and re-run dependency
lock generation to ensure no unbounded specs remain (verify by checking each
meta project's project.dependencies for presence of comparison operators).
📒 Files selected for processing (40)
- codeserver/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- dependencies/odh-notebooks-meta-db-connectors-deps/pyproject.toml
- dependencies/odh-notebooks-meta-jupyterlab-datascience-deps/pyproject.toml
- dependencies/odh-notebooks-meta-jupyterlab-deps/pyproject.toml
- jupyter/datascience/ubi9-python-3.12/pyproject.toml
- jupyter/datascience/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- jupyter/minimal/ubi9-python-3.12/pyproject.toml
- jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- jupyter/pytorch/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- jupyter/rocm/pytorch/ubi9-python-3.12/pyproject.toml
- jupyter/rocm/pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml
- jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
- jupyter/rocm/tensorflow/ubi9-python-3.12/pyproject.toml
- jupyter/tensorflow/ubi9-python-3.12/pyproject.toml
- jupyter/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- jupyter/trustyai/ubi9-python-3.12/pyproject.toml
- jupyter/trustyai/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- rstudio/c9s-python-3.12/uv.lock.d/pylock.cpu.toml
- rstudio/c9s-python-3.12/uv.lock.d/pylock.cuda.toml
- rstudio/rhel9-python-3.12/uv.lock.d/pylock.cpu.toml
- rstudio/rhel9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/datascience/ubi9-python-3.12/pyproject.toml
- runtimes/datascience/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- runtimes/minimal/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/pytorch/ubi9-python-3.12/pyproject.toml
- runtimes/pytorch/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/pyproject.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pyproject.toml
- runtimes/tensorflow/ubi9-python-3.12/pyproject.toml
- runtimes/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- scripts/pylocks_generator.py
👮 Files not reviewed due to content moderation or server errors (2)
- jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
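The two `--exclude-newer` nitpicks in the review above turn on what the cutoff recorded in a pylock header means for reproducibility. The check below is an added example, not code from opendatahub-io/notebooks or from the review bot: it parses the `# uv pip compile ...` line that uv writes at the top of each pylock file, extracts the `--exclude-newer` timestamp and the `--no-emit-package` list, and reports lockfiles whose cutoffs disagree with each other or lie after a reference time. The header texts and the reference time are constructed for the example (the two timestamps are the ones visible in this PR's lockfile diff); the names `parse_pylock_header`, `audit_cutoffs`, `SAMPLE_HEADERS` and `REFERENCE_NOW` are assumptions of the example.

```python
"""Audit the --exclude-newer cutoff recorded in uv pylock headers.

Added example for this PR page, not code from opendatahub-io/notebooks:
reads the "# uv pip compile ..." line uv writes at the top of a pylock file
and checks the cutoff it records.
"""
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

EXCLUDE_NEWER_RE = re.compile(r"--exclude-newer=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
NO_EMIT_RE = re.compile(r"--no-emit-package\s+(\S+)")

# Constructed sample headers (only the flags relevant here are kept); the
# timestamps are the two values visible in this PR's lockfile diff.
SAMPLE_HEADERS = {
    "jupyter/minimal/pylock.cpu.toml": (
        "# This file was autogenerated by uv via the following command:\n"
        "# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.cpu.toml"
        " --format pylock.toml --generate-hashes"
        " --no-emit-package odh-notebooks-meta-jupyterlab-deps"
        " --exclude-newer=2026-03-31T07:52:14Z\n"
        'lock-version = "1.0"\n'
    ),
    "jupyter/rocm/pytorch/pylock.rocm.toml": (
        "# This file was autogenerated by uv via the following command:\n"
        "# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.rocm.toml"
        " --format pylock.toml --generate-hashes"
        " --no-emit-package odh-notebooks-meta-db-connectors-deps"
        " --no-emit-package odh-notebooks-meta-jupyterlab-deps"
        " --exclude-newer=2026-03-31T09:08:33Z\n"
        'lock-version = "1.0"\n'
    ),
}
# Constructed reference time, chosen to fall between the two sample cutoffs.
REFERENCE_NOW = datetime(2026, 3, 31, 8, 0, 0, tzinfo=timezone.utc)


def parse_pylock_header(text):
    """Return (cutoff as aware UTC datetime or None, list of --no-emit-package names)."""
    for line in text.splitlines():
        if not line.startswith("# uv pip compile"):
            continue
        m = EXCLUDE_NEWER_RE.search(line)
        cutoff = None
        if m:
            cutoff = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return cutoff, NO_EMIT_RE.findall(line)
    return None, []


def audit_cutoffs(headers, now):
    """headers maps lockfile path -> file text. Returns a list of problem strings (empty = clean)."""
    problems = []
    cutoffs = {}
    for path, text in headers.items():
        cutoff, _ = parse_pylock_header(text)
        if cutoff is None:
            problems.append(f"{path}: no --exclude-newer cutoff recorded")
            continue
        cutoffs[path] = cutoff
        if cutoff > now:
            problems.append(f"{path}: cutoff {cutoff:%Y-%m-%dT%H:%M:%SZ} is after reference time")
    # One regeneration run should stamp every lockfile with the same cutoff.
    if len(set(cutoffs.values())) > 1:
        listing = ", ".join(f"{p}={c:%Y-%m-%dT%H:%M:%SZ}" for p, c in sorted(cutoffs.items()))
        problems.append("cutoffs differ across lockfiles: " + listing)
    return problems


if __name__ == "__main__":
    paths = sys.argv[1:]
    headers = {p: Path(p).read_text() for p in paths} if paths else SAMPLE_HEADERS
    now = datetime.now(timezone.utc) if paths else REFERENCE_NOW
    for problem in audit_cutoffs(headers, now) or ["all lockfiles share one past cutoff"]:
        print(problem)
```

Run it with pylock paths as arguments to audit a checkout; with no arguments it audits the constructed samples. The property worth enforcing in CI is that every lockfile produced by one regeneration records the same cutoff; the future-date check is only meaningful relative to the clock of the machine running the audit.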
| @@ -1,5 +1,5 @@ | |||
| # This file was autogenerated by uv via the following command: | |||
| # uv pip compile pyproject.toml --output-file uv.lock.d/pylock.cpu.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../dependencies/cve-constraints.txt --exclude-newer=2026-03-31T07:52:14Z --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json | |||
| # uv pip compile pyproject.toml --output-file uv.lock.d/pylock.cpu.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-db-connectors-deps --no-emit-package odh-notebooks-meta-jupyterlab-datascience-deps --no-emit-package odh-notebooks-meta-jupyterlab-deps --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../dependencies/cve-constraints.txt --exclude-newer=2026-03-31T09:08:33Z --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json --index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/?format=json | |||
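Review bot: the only change in this hunk is the recorded command, and it shows two things the generator should handle rather than the lockfile: three `--no-emit-package` entries were added for meta-packages (db-connectors, jupyterlab-datascience) that the comment below says this minimal image's pyproject does not declare, and `--exclude-newer` moved from 2026-03-31T07:52:14Z to 2026-03-31T09:08:33Z, so each regeneration run resolves against a different index snapshot. Suggest scripts/pylocks_generator.py derive the `--no-emit-package` list from each project's `[project].dependencies` and accept one cutoff that is reused for every lockfile in the run, so a header diff like this one only appears when the resolution inputs really changed.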
🛠️ Refactor suggestion | 🟠 Major
Lockfile excludes packages that are not declared dependencies.
The --no-emit-package flags include odh-notebooks-meta-db-connectors-deps and odh-notebooks-meta-jupyterlab-datascience-deps, but the corresponding pyproject.toml (see relevant code snippet) declares ONLY odh-notebooks-meta-jupyterlab-deps as a dependency. Excluding packages that aren't dependencies is unnecessary and indicates the lockfile generator applies a global exclusion list without verifying each project's actual dependencies.
Update the lockfile generation script (scripts/pylocks_generator.py) to apply --no-emit-package flags selectively based on each project's declared dependencies, rather than applying a blanket global exclusion list. For this specific lockfile, only odh-notebooks-meta-jupyterlab-deps should be excluded. As per coding guidelines, "Review priorities: ... Architectural issues and anti-patterns" — this blanket policy is an architectural issue in the build system.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml` at line 2, The
lockfile generator is applying a global --no-emit-package list instead of
checking each project's declared dependencies; update
scripts/pylocks_generator.py so the routine that builds lock command arguments
(e.g., the function that currently assembles --no-emit-package flags, such as
generate_lock_args or build_lock_command) reads the target project's
pyproject.toml to get its declared dependencies and only adds --no-emit-package
for packages not present in that dependency set (implement a helper like
should_exclude_package(project_deps, package_name) that returns true only when
the package is not listed), and ensure for this lockfile the exclusion list
contains only odh-notebooks-meta-jupyterlab-deps.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: ide-developer
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Force-pushed from 9dd7571 to 4c76a36.
New changes are detected. LGTM label has been removed.
Actionable comments posted: 1
✅ Files skipped from review due to trivial changes (16)
- dependencies/odh-notebooks-meta-db-connectors-deps/pyproject.toml
- jupyter/minimal/ubi9-python-3.12/pyproject.toml
- rstudio/rhel9-python-3.12/uv.lock.d/pylock.cuda.toml
- rstudio/rhel9-python-3.12/uv.lock.d/pylock.cpu.toml
- runtimes/minimal/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- rstudio/c9s-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/pytorch/ubi9-python-3.12/pyproject.toml
- runtimes/tensorflow/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- dependencies/odh-notebooks-meta-jupyterlab-datascience-deps/pyproject.toml
- dependencies/odh-notebooks-meta-jupyterlab-deps/pyproject.toml
- rstudio/c9s-python-3.12/uv.lock.d/pylock.cpu.toml
- jupyter/trustyai/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- runtimes/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/datascience/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
🚧 Files skipped from review as they are similar to previous changes (16)
- runtimes/datascience/ubi9-python-3.12/pyproject.toml
- jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml
- jupyter/rocm/tensorflow/ubi9-python-3.12/pyproject.toml
- jupyter/trustyai/ubi9-python-3.12/pyproject.toml
- jupyter/tensorflow/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pyproject.toml
- runtimes/pytorch/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- jupyter/minimal/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/pyproject.toml
- codeserver/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
- jupyter/rocm/pytorch/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/uv.lock.d/pylock.rocm.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
👮 Files not reviewed due to content moderation or server errors (2)
- jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
| "odh-notebooks-meta-db-connectors-deps", | ||
| "odh-notebooks-meta-jupyterlab-deps", | ||
| "odh-notebooks-meta-jupyterlab-datascience-deps", |
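Review bot: these three entries carry no version specifier and are resolved through the `[tool.uv.sources]` path mappings the walkthrough describes, so after this change the pylock files are the only place where the connector and JupyterLab versions are actually fixed. Worth confirming there is a CI step that regenerates the lock from this pyproject and fails on any diff; without it, an edit to a meta-package's pyproject that is not followed by a lock regeneration silently leaves the image building from stale hashes, and from whatever the resolver picks at build time if the lock is ever bypassed.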
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify meta-project dependencies have version bounds
python3 - <<'PY'
import re, pathlib
targets = [
    "dependencies/odh-notebooks-meta-db-connectors-deps/pyproject.toml",
    "dependencies/odh-notebooks-meta-jupyterlab-deps/pyproject.toml",
    "dependencies/odh-notebooks-meta-jupyterlab-datascience-deps/pyproject.toml",
]
spec = re.compile(r'(===|==|~=|!=|<=|>=|<|>)')
for t in targets:
    p = pathlib.Path(t)
    if not p.exists():
        print(f"{t}: FILE NOT FOUND")
        continue
    content = p.read_text()
    # Simple extraction of dependencies section
    in_deps = False
    unbounded = []
    for line in content.splitlines():
        if line.strip().startswith("dependencies"):
            in_deps = True
            continue
        if in_deps:
            if line.strip().startswith("]"):
                break
            dep = line.strip().strip('",')
            if dep and not dep.startswith("#") and not spec.search(dep.split(';', 1)[0]):
                unbounded.append(dep)
    print(f"{t}")
    print(f"  {'UNBOUNDED: ' + ', '.join(unbounded) if unbounded else 'OK - all bounded'}")
PY

Repository: opendatahub-io/notebooks
Length of output: 583
Add version bounds to meta-package dependencies to mitigate supply-chain drift (CWE-1104).
Lines 18-20 reference meta-packages that declare unversioned transitive dependencies. Verification confirms all three have unbounded packages:
- odh-notebooks-meta-db-connectors-deps: pymongo, psycopg, pyodbc, mysql-connector-python
- odh-notebooks-meta-jupyterlab-deps: jupyterlab, jupyter-server, jupyter-server-proxy, jupyter-server-terminals, jupyterlab-git, nbdime, nbgitpuller, odh-jupyter-trash-cleanup
- odh-notebooks-meta-jupyterlab-datascience-deps: odh-elyra, jupyter-bokeh, jupyterlab-lsp, jupyterlab-widgets, jupyter-resource-usage
A compromised or breaking upstream release propagates during lock regeneration. Add version constraints to dependencies/odh-notebooks-meta-*/pyproject.toml:
Example fix for db-connectors-deps
dependencies = [
- "pymongo",
- "psycopg",
- "pyodbc",
- "mysql-connector-python",
+ "pymongo>=4.10,<5",
+ "psycopg>=3.2,<4",
+ "pyodbc>=5.0,<6",
+ "mysql-connector-python>=8.2,<9",
...
]🤖 Prompt for AI Agents
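Review bot: the suggested ranges (pymongo>=4.10,<5, psycopg>=3.2,<4, pyodbc>=5.0,<6, mysql-connector-python>=8.2,<9) are given without reference to the versions the existing pylock.toml files already resolve to; take each lower bound from the currently locked version and confirm the upper bound does not exclude it, otherwise the lock regeneration this PR relies on ("all lock files regenerate cleanly without unexpected diffs") will either move versions or fail to resolve, and because these meta-packages are consumed via path sources a too-tight `<N` breaks resolution for every consuming pyproject.toml at once rather than merely limiting drift. The `...` leaves the jupyterlab and jupyterlab-datascience meta-packages, which the same comment lists with unbounded entries, without a concrete change; they need the same treatment in the same commit so the three packages do not end up with different policies. It is also worth stating in the comment that the lock file is what pins installs and the pyproject bounds only constrain what a regeneration may pick up, so the bounds are a guard on regeneration, not on the images built from the current locks.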
Verify each finding against the current code and only fix it if needed.
In `@jupyter/tensorflow/ubi9-python-3.12/pyproject.toml` around lines 18 - 20, The
listed meta-package dependencies in pyproject.toml are unpinned and allow
transitive supply-chain drift; update the dependencies declared in the three
meta-package pyproject.toml files (odh-notebooks-meta-db-connectors-deps,
odh-notebooks-meta-jupyterlab-deps,
odh-notebooks-meta-jupyterlab-datascience-deps) to add explicit version bounds
(e.g., caret or ~= ranges or both lower and safe upper bounds) for each
transitive package (pymongo, psycopg, pyodbc, mysql-connector-python,
jupyterlab, jupyter-server, jupyter-server-proxy, jupyter-server-terminals,
jupyterlab-git, nbdime, nbgitpuller, odh-jupyter-trash-cleanup, odh-elyra,
jupyter-bokeh, jupyterlab-lsp, jupyterlab-widgets, jupyter-resource-usage); edit
the corresponding dependencies/odh-notebooks-meta-*/pyproject.toml files to
replace unversioned entries with the chosen bounded version specifiers and run
dependency lock regeneration to verify no unintended upgrades.
atheo89
left a comment
Thanks for re-initializing this work, Jiri.
Let's move codeflare-sdk and feast as well under meta-jupyterlab-datascience-dep as well as under meta-runtime-datascience-dep
…cience deps into subprojects

Add 3 new dependency subprojects to reduce duplication across pyproject.toml files:
- odh-notebooks-meta-db-connectors-deps (pymongo, psycopg, pyodbc, mysql-connector-python)
- odh-notebooks-meta-jupyterlab-deps (jupyterlab, jupyter-server, extensions)
- odh-notebooks-meta-jupyterlab-datascience-deps (odh-elyra, jupyter-bokeh, jupyterlab-lsp, etc.)

Existing subprojects are unchanged. Updated 14 pyproject.toml files and regenerated lock files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

4c76a36 to c713f9a
> Thanks for re-initializing this work, Jiri.
> Let's move codeflare-sdk and feast as well under meta-jupyterlab-datascience-dep as well as under meta-runtime-datascience-dep

@coderabbitai yes, will make a note about this in jira
@jiridanek Acknowledged — thanks for tracking that. When the Jira item is picked up, codeflare-sdk and feast should be added to the dependencies list of both odh-notebooks-meta-jupyterlab-datascience-deps/pyproject.toml and whatever meta-package covers runtime-datascience-deps, with corresponding --no-emit-package entries added in scripts/pylocks_generator.py and the consuming pyproject.toml files updated to drop the direct pins.
https://redhat.atlassian.net/browse/RHAIENG-2509
Follows-up on
Description
3.0.5 to 4.0.5, trustyai-explainability/trustyai-explainability-python#224

Should we move kfp and codeflare-sdk out of odh-notebooks-meta-workbench-datascience-deps into the new jupyterlab-datascience subproject, or keep existing subprojects completely untouched and only add new ones?

❯ 1. Additive only (Recommended)
   Only create 3 new subprojects (db-connectors, jupyterlab, jupyterlab-datascience) without modifying existing meta-packages. Simpler, lower risk.
  2. Refactor existing too
   Also reorganize existing subprojects (move kfp/codeflare-sdk, merge workbench+runtime datascience). Cleaner end state but larger change.
  3. Type something.
How Has This Been Tested?
⏺ Net reduction of ~100 lines. All gmake test tests pass, all lock files regenerate cleanly without unexpected diffs. The refactoring is complete:

Self checklist (all need to be checked):

make test (gmake on macOS) before asking for review
Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria: