Post-release dependency refresh (updatelocks) with a durable idna floor#355
Open
ciaranra wants to merge 5 commits into
Open
Post-release dependency refresh (updatelocks) with a durable idna floor#355ciaranra wants to merge 5 commits into
ciaranra wants to merge 5 commits into
Conversation
…vestigial pecos-rslib-exp lock
…S into lock-refresh-2026-07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Post-release dependency refresh (
just updatelocks), run right after cutting 0.9.0.dev0 so the new dependency set gets a full cycle on dev before the next release. Executed per a Codex-cross-reviewed procedure (the plan review's adjustments are all incorporated).Toolchains (for reproducibility): rustc/cargo 1.97.0, uv 0.11.16.
What changed
uv.lock: 62 packages moved (majors are tooling only: pymdown-extensions 11, setuptools 83, pywin32 312, wasmtime 43). guppylang/tket/hugr stay within their deliberate caps (0.21.16/0.13.1/0.16.0).Cargo.lock: 128 crates moved within-range; majors onlyenv_filter2 /wast253; thequinn*andwit-bindgen*families dropped out of the tree entirely.constraint-dependencies = ["idna>=3.18"]in the root[tool.uv](CVE-2026-45409). The previous lock silently sat at idna 3.17 below the documented floor indocs/requirements.txt, which does not constrain workspace resolution — now it structurally cannot regress.python/pecos-rslib-exp/uv.lock: pecos-rslib-exp is a workspace member governed by the root lock; this standalone lock was a dead vestige (stale at 0.2.0.dev0, referenced by no workflow, an idle OSV/Dependabot input).PYSEC-2026-151suppression comment updated for wasmtime 43 (advisory still lists no fixed release).exp/zlup*locks (zluppy's skew is accommodated by its ownosv-scanner.toml).Verification (in order run)
uv lock --check+cargo metadata --locked+ security-floor sweep (idna 3.18 ✓, cxx 1.0.197 ✓, pyo3 0.29 ✓, quinn-proto moot)cargo deny --locked --all-features: advisories/bans/sources okpython-release.yml dry_run=truedispatched on this branch: success — full repaired-wheel matrix (auditwheel/delocate/delvewheel/abi3) on the refreshed locksKnown watch-item: the previous refresh (#322) pushed the post-merge python-core suite past its then-45m timeout. The budget is now 75m; compare the post-merge python-core duration after this merges.
Best merged after #354 (honest smoke lanes) so this PR's smoke evidence uses real dependency metadata.