Update dependency s3transfer to v0.19.0 #1332
base: master
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1062,9 +1062,9 @@ ruamel-yaml-clib==0.2.15 \ | |
| --hash=sha256:fd4c928ddf6bce586285daa6d90680b9c291cfd045fc40aad34e445d57b1bf51 \ | ||
| --hash=sha256:fe239bdfdae2302e93bd6e8264bd9b71290218fff7084a9db250b55caaccf43f | ||
| # via iib (setup.py) | ||
| s3transfer==0.16.1 \ | ||
| --hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \ | ||
| --hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524 | ||
| s3transfer==0.19.0 \ | ||
|
[critical] api-contract
s3transfer is being upgraded from 0.16.1 to 0.19.0 while boto3 remains pinned at 1.42.96. boto3 1.42.96 declares s3transfer>=0.16.0,<0.17.0 as its dependency constraint. s3transfer 0.19.0 falls outside this allowed range and pip will refuse to install the incompatible combination. The same issue applies to requirements-test.txt.
Suggested fix: Either (a) upgrade boto3 and botocore to versions that declare compatibility with s3transfer 0.19.0, or (b) keep s3transfer at 0.16.1 to remain compatible with the current boto3 1.42.96 pin.
||
| --hash=sha256:777cc2415536f1debadb5c2ef7779275d0fc0fe0e042411cdd6caebeb2685262 \ | ||
| --hash=sha256:ce436931687addc4c1712d52d40b32f53e88315723f107ffa20ba82b05a0f685 | ||
| # via boto3 | ||
| semver==3.0.4 \ | ||
| --hash=sha256:9c824d87ba7f7ab4a1890799cec8596f15c1241cb473404ea1cb0c55e4b04746 \ | ||
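Review bot: The changed entry `s3transfer==0.19.0` is annotated `# via boto3`, so it is a transitive pin whose version has to fall inside whatever range boto3 declares, yet this hunk changes only that entry and its two `--hash` values in isolation. Regenerate the file with pip-compile, or bump boto3 in the same change, so a resolver confirms the pinned set is installable before merge; a `pip install --dry-run -r` run against the file in CI would surface a mismatch.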
[critical] api-contract
s3transfer is bumped to 0.19.0 while boto3 remains pinned at 1.42.96 and botocore at 1.42.96. boto3 constrains s3transfer with a strict upper bound (typically s3transfer>=0.x.0,<0.(x+1).0). boto3 1.42.96 currently resolves to s3transfer 0.16.1, implying a constraint of >=0.16.0,<0.17.0. Installing s3transfer 0.19.0 alongside boto3 1.42.96 will produce a dependency conflict and pip will refuse to install, breaking the build. The same issue exists in requirements-test.txt. Renovate pip_requirements manager bumps individual pins directly without running pip-compile, so it cannot detect transitive dependency conflicts that pip-compile would catch.
Suggested fix: Update boto3 and botocore to versions that declare compatibility with s3transfer >=0.19.0 (likely boto3 >=1.38.x), or run pip-compile to regenerate consistent, hash-pinned requirements files rather than accepting Renovate's single-dependency bump.
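The check the review comments describe, as an added example that is not part of this PR or the project's code: it reads `name==version` pins from a pip-compile style file and flags any pin that violates the range its parent declares. The sample file is constructed, the `DECLARED` table is an assumption taken from the constraint stated in the review comment, and version comparison is simplified to numeric release segments (not full PEP 440).

```python
import re

# Constructed sample: the two pins discussed above, hashes omitted.
REQUIREMENTS = """\
boto3==1.42.96 \\
    --hash=sha256:<placeholder>
s3transfer==0.19.0 \\
    # via boto3
"""

# Assumption: the range the review comment attributes to boto3 1.42.96.
# A real check would read it from the package's Requires-Dist metadata.
DECLARED = {("boto3", "1.42.96"): {"s3transfer": ">=0.16.0,<0.17.0"}}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_pins(text):
    """Return {name: version} for every `name==version` line."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)", line.strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def vtuple(version, width=4):
    """Numeric release segments, zero-padded so 0.17 compares equal to 0.17.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    for clause in spec.split(","):
        op, bound = re.match(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)", clause).groups()
        if not OPS[op](vtuple(version), vtuple(bound)):
            return False
    return True

def find_conflicts(pins, declared):
    """List (parent, dep, pinned, spec) where a pin breaks its parent's range."""
    out = []
    for (parent, pver), deps in declared.items():
        if pins.get(parent) != pver:
            continue  # constraint applies only to the pinned parent version
        for dep, spec in deps.items():
            if dep in pins and not satisfies(pins[dep], spec):
                out.append((parent, dep, pins[dep], spec))
    return out
```
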