6 changes: 3 additions & 3 deletions requirements-test.txt
Expand Up @@ -1269,9 +1269,9 @@ ruamel-yaml-clib==0.2.15 \
--hash=sha256:fd4c928ddf6bce586285daa6d90680b9c291cfd045fc40aad34e445d57b1bf51 \
--hash=sha256:fe239bdfdae2302e93bd6e8264bd9b71290218fff7084a9db250b55caaccf43f
# via -r requirements.txt
s3transfer==0.16.1 \
--hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \
--hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524
s3transfer==0.19.0 \
--hash=sha256:777cc2415536f1debadb5c2ef7779275d0fc0fe0e042411cdd6caebeb2685262 \
--hash=sha256:ce436931687addc4c1712d52d40b32f53e88315723f107ffa20ba82b05a0f685
# via
# -r requirements.txt
# boto3
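
Review bot: The `s3transfer==0.19.0` pin is edited in place here even though its `# via` block marks it as derived from `-r requirements.txt` and required by `boto3`. Regenerate requirements-test.txt with pip-compile once requirements.txt is settled rather than bumping the version and both `--hash` lines by hand, so the two files cannot drift apart and the resolver gets a chance to reject a version that boto3 does not accept.
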
6 changes: 3 additions & 3 deletions requirements.txt
Expand Up @@ -1062,9 +1062,9 @@ ruamel-yaml-clib==0.2.15 \
--hash=sha256:fd4c928ddf6bce586285daa6d90680b9c291cfd045fc40aad34e445d57b1bf51 \
--hash=sha256:fe239bdfdae2302e93bd6e8264bd9b71290218fff7084a9db250b55caaccf43f
# via iib (setup.py)
s3transfer==0.16.1 \
--hash=sha256:61bcd00ccb83b21a0fe7e91a553fff9729d46c83b4e0106e7c314a733891f7c2 \
--hash=sha256:8e424355754b9ccb32467bdc568edf55be82692ef2002d934b1311dbb3b9e524
s3transfer==0.19.0 \

[critical] api-contract

s3transfer is bumped to 0.19.0 while boto3 remains pinned at 1.42.96 and botocore at 1.42.96. boto3 constrains s3transfer with a strict upper bound (typically s3transfer>=0.x.0,<0.(x+1).0). boto3 1.42.96 currently resolves to s3transfer 0.16.1, implying a constraint of >=0.16.0,<0.17.0. Installing s3transfer 0.19.0 alongside boto3 1.42.96 will produce a dependency conflict and pip will refuse to install, breaking the build. The same issue exists in requirements-test.txt. Renovate pip_requirements manager bumps individual pins directly without running pip-compile, so it cannot detect transitive dependency conflicts that pip-compile would catch.

Suggested fix: Update boto3 and botocore to versions that declare compatibility with s3transfer >=0.19.0 (likely boto3 >=1.38.x), or run pip-compile to regenerate consistent, hash-pinned requirements files rather than accepting Renovate's single-dependency bump.


[critical] api-contract

s3transfer is being upgraded from 0.16.1 to 0.19.0 while boto3 remains pinned at 1.42.96. boto3 1.42.96 declares s3transfer>=0.16.0,<0.17.0 as its dependency constraint. s3transfer 0.19.0 falls outside this allowed range and pip will refuse to install the incompatible combination. The same issue applies to requirements-test.txt.

Suggested fix: Either (a) upgrade boto3 and botocore to versions that declare compatibility with s3transfer 0.19.0, or (b) keep s3transfer at 0.16.1 to remain compatible with the current boto3 1.42.96 pin.

--hash=sha256:777cc2415536f1debadb5c2ef7779275d0fc0fe0e042411cdd6caebeb2685262 \
--hash=sha256:ce436931687addc4c1712d52d40b32f53e88315723f107ffa20ba82b05a0f685
# via boto3
semver==3.0.4 \
--hash=sha256:9c824d87ba7f7ab4a1890799cec8596f15c1241cb473404ea1cb0c55e4b04746 \
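
Review bot: The new `s3transfer==0.19.0` line is annotated `# via boto3`, but with 3 additions and 3 deletions per file no boto3 or botocore pin changes in this diff, so nothing here shows that the pinned boto3 accepts 0.19.0. Check boto3's declared s3transfer range before merging and bump boto3 and botocore in the same change if 0.19.0 falls outside it. Because the file is hash-pinned, also confirm that the two new `--hash=sha256:` values match the published 0.19.0 sdist and wheel.
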
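
The check the review comments ask for, as an added example that is not part of this pull request or the project's code: it parses a hash-pinned requirements file and reports any pin that falls outside a range declared by another pinned package. The function names are hypothetical, the sample file is constructed, and the boto3 range is taken from the review comments as an assumption. Only plain numeric versions are handled.

```python
import operator
import re

PIN = re.compile(r"^([A-Za-z0-9._-]+)==([0-9][0-9.]*)")
CLAUSE = re.compile(r"(>=|<=|==|!=|<|>)\s*([0-9][0-9.]*)")
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def key(version):
    """Numeric release tuple, zero-padded. Pre/post/dev releases are out of scope."""
    parts = [int(p) for p in version.strip(".").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return {name: version}; --hash continuation and '# via' lines never match PIN."""
    found = (PIN.match(line.strip()) for line in text.splitlines())
    return {norm(m.group(1)): m.group(2) for m in found if m}

def conflicts(pins, declared):
    """declared is {parent: ["child>=a,<b", ...]}; return [(parent, requirement, pinned)]."""
    bad = []
    for parent, reqs in declared.items():
        if norm(parent) not in pins:
            continue
        for req in reqs:
            child = norm(re.match(r"[A-Za-z0-9._-]+", req).group(0))
            pinned = pins.get(child)
            if pinned is None:
                bad.append((parent, req, None))  # required but not pinned at all
            elif not all(OPS[op](key(pinned), key(v)) for op, v in CLAUSE.findall(req)):
                bad.append((parent, req, pinned))
    return bad

# Constructed sample in pip-compile layout; versions are the ones named on this page.
AFTER = """\
boto3==1.42.96 \\
    --hash=sha256:<placeholder>
s3transfer==0.19.0 \\
    --hash=sha256:<placeholder>
"""
# Assumption: range the review comments give for boto3 1.42.96 (normally read from Requires-Dist).
DECLARED = {"boto3": ["s3transfer>=0.16.0,<0.17.0"]}
print(conflicts(parse_pins(AFTER), DECLARED))
```

In an installed environment, `pip check` performs the same comparison against each package's real metadata.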