Update dependency s3transfer to v0.19.0 #1332

Open
renovate[bot] wants to merge 1 commit into master from renovate/s3transfer-0.x

renovate Bot commented May 14, 2026

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
s3transfer | ==0.16.1 → ==0.19.0 | age | adoption | passing | confidence

Release Notes

boto/s3transfer (s3transfer)

v0.19.0

  • feature:s3: Update multi-part copy logic to match single-part behavior for TaggingDirective and AnnotationDirective
  • enhancement:s3: Warn when Metadata or Tagging is supplied to a copy without the corresponding directive set to REPLACE, in which case the supplied value is silently ignored. This matches the CopyObject behavior.

v0.18.0

  • feature:Copy: By default, preserve source object metadata during multipart copies to match single CopyObject behavior.

v0.17.1

  • enhancement:s3: Skip the HEAD request during S3 downloads when the client is configured with response_checksum_validation='when_required', reducing latency for small-object transfers. The HEAD request remains in place by default to enable full-object checksum validation.

v0.17.0

  • feature:Python: End of support for Python 3.9

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.

renovate Bot requested a review from a team · May 14, 2026 01:13
renovate Bot force-pushed the renovate/s3transfer-0.x branch from 602e372 to a29d469 · May 14, 2026 14:13
renovate Bot changed the title from "Update dependency s3transfer to v0.17.0" to "Update dependency s3transfer to v0.17.1" · May 26, 2026
renovate Bot force-pushed the renovate/s3transfer-0.x branch from a29d469 to bf6c585 · May 26, 2026 21:39
renovate Bot changed the title from "Update dependency s3transfer to v0.17.1" to "Update dependency s3transfer to v0.18.0" · May 28, 2026
renovate Bot force-pushed the renovate/s3transfer-0.x branch 2 times, most recently from ca3055e to 8db1b22 · June 4, 2026 08:34
renovate Bot force-pushed the renovate/s3transfer-0.x branch from 8db1b22 to e0684a5 · June 9, 2026 12:08
@fullsend-ai-review

🤖 Review · Started 12:09 PM UTC
Commit: e686f8c

fullsend-ai-review Bot commented Jun 9, 2026

Looks good to me

Previous run

Review

Findings

Critical

  • [api-contract] requirements.txt:1065 — s3transfer is being upgraded from 0.16.1 to 0.19.0 while boto3 remains pinned at 1.42.96. boto3 1.42.96 declares s3transfer>=0.16.0,<0.17.0 as its dependency constraint. s3transfer 0.19.0 falls outside this allowed range and pip will refuse to install the incompatible combination (or the hash-checking mode in these requirements files will fail). The same issue applies to requirements-test.txt.
    Remediation: Either (a) upgrade boto3 and botocore to versions that declare compatibility with s3transfer 0.19.0, or (b) keep s3transfer at 0.16.1 to remain compatible with the current boto3 1.42.96 pin.

Previous run (2)

Review

Findings

Critical

  • [api-contract] requirements.txt:1065 — s3transfer is bumped to 0.19.0 while boto3 remains pinned at 1.42.96 and botocore at 1.42.96. boto3 constrains s3transfer with a strict upper bound (typically s3transfer>=0.x.0,<0.(x+1).0). boto3 1.42.96 currently resolves to s3transfer 0.16.1, implying a constraint of >=0.16.0,<0.17.0. Installing s3transfer 0.19.0 alongside boto3 1.42.96 will produce a dependency conflict and pip will refuse to install, breaking the build. The same issue exists in requirements-test.txt. Renovate's pip_requirements manager bumps individual pins directly without running pip-compile, so it cannot detect transitive dependency conflicts that pip-compile would catch.
    Remediation: Update boto3 and botocore to versions that declare compatibility with s3transfer >=0.19.0 (likely boto3 >=1.38.x), or run pip-compile to regenerate consistent, hash-pinned requirements files rather than accepting Renovate's single-dependency bump.

Previous run (3)

Review

Findings

No findings.

Previous run (4)

Review

Findings

Medium

  • [api-contract] requirements.txt:1065, requirements-test.txt:1272 — s3transfer is bumped from 0.16.1 to 0.18.0 via text substitution in pip-compile-generated lockfiles, bypassing the dependency resolver. boto3 (pinned at 1.42.96) is known to declare tight upper-bound constraints on s3transfer (e.g., s3transfer>=0.X.0,<0.Y.0). A two-minor-version jump without re-running pip-compile risks violating boto3's declared compatibility range. If the constraint is violated, pip install will fail at CI time, but the lockfile state would still be invalid.
    Remediation: Re-run pip-compile --generate-hashes --output-file=requirements.txt and the corresponding command for requirements-test.txt to let the resolver validate the full dependency graph. Alternatively, verify that boto3 1.42.96 declares compatibility with s3transfer >=0.18.0 before merging.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable. Given this is a mechanical version bump in lockfiles, no style findings are expected.

fullsend-ai-review Bot added the requires-manual-review label (Review requires human judgment) · Jun 9, 2026
@fullsend-ai-review

🤖 Finished Review · ✅ Success · Started 12:09 PM UTC · Completed 12:15 PM UTC
Commit: e686f8c

renovate Bot force-pushed the renovate/s3transfer-0.x branch from e0684a5 to 7fc2840 · June 16, 2026 18:05
fullsend-ai-review Bot commented Jun 16, 2026

🤖 Finished Review · ✅ Success · Started 6:07 PM UTC · Completed 6:11 PM UTC
Commit: 45f7743

fullsend-ai-review Bot added the ready-for-merge label (All reviewers approved — ready to merge) and removed the requires-manual-review label (Review requires human judgment) · Jun 16, 2026
renovate Bot changed the title from "Update dependency s3transfer to v0.18.0" to "Update dependency s3transfer to v0.19.0" · Jun 17, 2026
renovate Bot force-pushed the renovate/s3transfer-0.x branch from 7fc2840 to 4c2e3fb · June 17, 2026 00:13
fullsend-ai-review Bot commented Jun 17, 2026

🤖 Finished Review · ✅ Success · Started 12:14 AM UTC · Completed 12:22 AM UTC
Commit: 45f7743

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread requirements.txt
s3transfer==0.16.1 \
--hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \
--hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524
s3transfer==0.19.0 \
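Review bot: the new pin `s3transfer==0.19.0 \` ends in a line continuation, but the `--hash=sha256:` lines that must follow it are not shown in this excerpt, so it cannot be confirmed here that both 0.16.1 digests were replaced with digests for the 0.19.0 release files. In a hash-checked requirements file, digests that still belong to 0.16.1 make the install fail with a hash mismatch, so check the lines after the pin, and regenerate the file with the resolver instead of editing this one entry so the other pins are validated against it.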

[critical] api-contract

s3transfer is bumped to 0.19.0 while boto3 remains pinned at 1.42.96 and botocore at 1.42.96. boto3 constrains s3transfer with a strict upper bound (typically s3transfer>=0.x.0,<0.(x+1).0). boto3 1.42.96 currently resolves to s3transfer 0.16.1, implying a constraint of >=0.16.0,<0.17.0. Installing s3transfer 0.19.0 alongside boto3 1.42.96 will produce a dependency conflict and pip will refuse to install, breaking the build. The same issue exists in requirements-test.txt. Renovate's pip_requirements manager bumps individual pins directly without running pip-compile, so it cannot detect transitive dependency conflicts that pip-compile would catch.

Suggested fix: Update boto3 and botocore to versions that declare compatibility with s3transfer >=0.19.0 (likely boto3 >=1.38.x), or run pip-compile to regenerate consistent, hash-pinned requirements files rather than accepting Renovate's single-dependency bump.

fullsend-ai-review Bot removed the ready-for-merge label (All reviewers approved — ready to merge) · Jun 17, 2026
renovate Bot force-pushed the renovate/s3transfer-0.x branch from 4c2e3fb to 94b833f · June 18, 2026 17:30
fullsend-ai-review Bot commented Jun 18, 2026

🤖 Finished Review · ✅ Success · Started 5:33 PM UTC · Completed 5:41 PM UTC
Commit: f930a4c

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread requirements.txt
s3transfer==0.16.1 \
--hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \
--hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524
s3transfer==0.19.0 \

[critical] api-contract

s3transfer is being upgraded from 0.16.1 to 0.19.0 while boto3 remains pinned at 1.42.96. boto3 1.42.96 declares s3transfer>=0.16.0,<0.17.0 as its dependency constraint. s3transfer 0.19.0 falls outside this allowed range and pip will refuse to install the incompatible combination. The same issue applies to requirements-test.txt.

Suggested fix: Either (a) upgrade boto3 and botocore to versions that declare compatibility with s3transfer 0.19.0, or (b) keep s3transfer at 0.16.1 to remain compatible with the current boto3 1.42.96 pin.

renovate Bot force-pushed the renovate/s3transfer-0.x branch from 94b833f to ba71c16 · June 22, 2026 14:39
fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 2:41 PM UTC · Completed 2:45 PM UTC
Commit: 8207ad4

fullsend-ai-review Bot added the ready-for-merge label (All reviewers approved — ready to merge) · Jun 22, 2026
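
The conflict the review findings in this thread describe, a lockfile pin edited in place while a dependent package's declared range stays fixed, can be checked mechanically before install. The following is an added example, not code from this repository or from either bot; the lockfile excerpt and digests are constructed, the boto3 constraint is taken as quoted in the findings, and the function names are hypothetical.

```python
import operator
import re

# Constructed lockfile excerpt modelled on the pins named in this thread;
# the digests are placeholders, not real hashes.
LOCKFILE = """\
boto3==1.42.96 \\
    --hash=sha256:PLACEHOLDER
s3transfer==0.19.0 \\
    --hash=sha256:PLACEHOLDER
"""

# Assumption: the constraint as quoted in the review findings. In a real check,
# read it from the pinned package's Requires-Dist metadata instead.
DECLARED = {("boto3", "1.42.96"): {"s3transfer": ">=0.16.0,<0.17.0"}}

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "<": operator.lt, ">": operator.gt}

def release(version):
    """Numeric release tuple; only plain X.Y.Z versions are handled here."""
    return tuple(int(part) for part in version.split("."))

def parse_pins(text):
    """Map package name -> pinned version, ignoring the indented --hash lines."""
    return dict(re.findall(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", text, re.M))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    for clause in spec.split(","):
        op, bound = re.fullmatch(r"\s*(>=|<=|==|<|>)\s*([0-9.]+)\s*", clause).groups()
        if not OPS[op](release(version), release(bound)):
            return False
    return True

def find_conflicts(lockfile, declared):
    """Return (dependent, dependency, pinned, required) per violated constraint."""
    pins = parse_pins(lockfile)
    conflicts = []
    for (pkg, ver), requires in declared.items():
        if pins.get(pkg) != ver:
            continue  # constraint belongs to a different release of pkg
        for dep, spec in requires.items():
            if dep in pins and not satisfies(pins[dep], spec):
                conflicts.append((pkg, dep, pins[dep], spec))
    return conflicts

if __name__ == "__main__":
    for pkg, dep, pinned, spec in find_conflicts(LOCKFILE, DECLARED):
        print(f"{pkg} requires {dep}{spec}, lockfile pins {dep}=={pinned}")
```

Run as a CI step before `pip install`, a non-empty result flags a pin that was changed without re-resolving the lockfile.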