Update dependency s3transfer to v0.19.0 #1332
602e372 to a29d469
a29d469 to bf6c585
ca3055e to 8db1b22
8db1b22 to e0684a5
🤖 Review · Started 12:09 PM UTC
Looks good to me
Previous run: Review findings: Critical
Previous run (2): Review findings: Critical
Previous run (3): Review findings: No findings.
Previous run (4): Review findings: Medium, Info
🤖 Finished Review · ✅ Success · Started 12:09 PM UTC · Completed 12:15 PM UTC
e0684a5 to 7fc2840
🤖 Finished Review · ✅ Success · Started 6:07 PM UTC · Completed 6:11 PM UTC |
7fc2840 to 4c2e3fb
🤖 Finished Review · ✅ Success · Started 12:14 AM UTC · Completed 12:22 AM UTC |
| s3transfer==0.16.1 \ | ||
| --hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \ | ||
| --hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524 | ||
| s3transfer==0.19.0 \ |
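Review bot: The new s3transfer==0.19.0 line ends in a continuation backslash, so the --hash=sha256: entries that follow it must be the digests of the 0.19.0 artifacts, not the two digests shown for 0.16.1. Under pip's hash-checking mode a stale or missing digest fails the install, so confirm the digests were regenerated from the package index (for example with pip-compile --generate-hashes) rather than edited by hand.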
[critical] api-contract
s3transfer is bumped to 0.19.0 while boto3 remains pinned at 1.42.96 and botocore at 1.42.96. boto3 constrains s3transfer with a strict upper bound (typically s3transfer>=0.x.0,<0.(x+1).0). boto3 1.42.96 currently resolves to s3transfer 0.16.1, implying a constraint of >=0.16.0,<0.17.0. Installing s3transfer 0.19.0 alongside boto3 1.42.96 will produce a dependency conflict and pip will refuse to install, breaking the build. The same issue exists in requirements-test.txt. Renovate's pip_requirements manager bumps individual pins directly without running pip-compile, so it cannot detect transitive dependency conflicts that pip-compile would catch.
Suggested fix: Update boto3 and botocore to versions that declare compatibility with s3transfer >=0.19.0 (likely boto3 >=1.38.x), or run pip-compile to regenerate consistent, hash-pinned requirements files rather than accepting Renovate's single-dependency bump.
4c2e3fb to 94b833f
🤖 Finished Review · ✅ Success · Started 5:33 PM UTC · Completed 5:41 PM UTC |
| s3transfer==0.16.1 \ | ||
| --hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \ | ||
| --hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524 | ||
| s3transfer==0.19.0 \ |
[critical] api-contract
s3transfer is being upgraded from 0.16.1 to 0.19.0 while boto3 remains pinned at 1.42.96. boto3 1.42.96 declares s3transfer>=0.16.0,<0.17.0 as its dependency constraint. s3transfer 0.19.0 falls outside this allowed range and pip will refuse to install the incompatible combination. The same issue applies to requirements-test.txt.
Suggested fix: Either (a) upgrade boto3 and botocore to versions that declare compatibility with s3transfer 0.19.0, or (b) keep s3transfer at 0.16.1 to remain compatible with the current boto3 1.42.96 pin.
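The conflict both review comments describe can be caught mechanically before merge. The sketch below is an added example, not code from this repository or from Renovate: it parses a hash-pinned requirements file and checks each pin against a parent's declared range. The sample file, the PLACEHOLDER hashes and the DECLARED map (the range quoted in the review comment) are constructed assumptions, and only plain numeric versions are handled.

```python
import operator
import re
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}
# Constructed sample in the style of this PR's requirements file; hashes are placeholders.
SAMPLE_REQUIREMENTS = (
    "boto3==1.42.96 \\\n    --hash=sha256:PLACEHOLDER\n"
    "s3transfer==0.19.0 \\\n    --hash=sha256:PLACEHOLDER\n"
)
# Assumption: the range quoted in the review comment, not read from package metadata.
DECLARED = {("boto3", "1.42.96"): {"s3transfer": ">=0.16.0,<0.17.0"}}

def parse_pins(text):
    """Return {name: version} for each name==version pin, joining backslash continuations."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        m = re.match(r"\s*([A-Za-z0-9._-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def satisfies(version, spec):
    """True if a numeric release version meets every comma-separated clause of spec."""
    have = tuple(int(p) for p in version.split("."))
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        want = tuple(int(p) for p in m.group(2).split("."))
        width = max(len(have), len(want))  # pad so 0.16 compares equal to 0.16.0
        a = have + (0,) * (width - len(have))
        b = want + (0,) * (width - len(want))
        if not OPS[m.group(1)](a, b):
            return False
    return True

def find_conflicts(pins, declared):
    """List (parent, dependency, pinned_version, required_range) for every violated range."""
    conflicts = []
    for (parent, parent_ver), deps in declared.items():
        if pins.get(parent) != parent_ver:
            continue  # a declared range only applies to that exact parent release
        for dep, spec in deps.items():
            if dep in pins and not satisfies(pins[dep], spec):
                conflicts.append((f"{parent}=={parent_ver}", dep, pins[dep], spec))
    return conflicts

if __name__ == "__main__":
    print(find_conflicts(parse_pins(SAMPLE_REQUIREMENTS), DECLARED))
```

In a CI job the DECLARED map would be built from the packages' own metadata rather than a literal, and a non-empty result would fail the check.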
94b833f to ba71c16
🤖 Finished Review · ✅ Success · Started 2:41 PM UTC · Completed 2:45 PM UTC |
This PR contains the following updates:
==0.16.1 → ==0.19.0
Release Notes
boto/s3transfer (s3transfer)
v0.19.0
======
s3: Update multi-part copy logic to match single-part behavior for TaggingDirective and AnnotationDirective
s3: Warn when Metadata or Tagging is supplied to a copy without the corresponding directive set to REPLACE, in which case the supplied value is silently ignored. This matches the CopyObject behavior.
v0.18.0
======
v0.17.1
======
s3: Skip the HEAD request during S3 downloads when the client is configured with response_checksum_validation='when_required', reducing latency for small-object transfers. The HEAD request remains in place by default to enable full-object checksum validation.
v0.17.0
======
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.