Skip to content

Post-release dependency refresh (updatelocks) with a durable idna floor#355

Open
ciaranra wants to merge 5 commits into
devfrom
lock-refresh-2026-07
Open

Post-release dependency refresh (updatelocks) with a durable idna floor#355
ciaranra wants to merge 5 commits into
devfrom
lock-refresh-2026-07

Conversation

@ciaranra

Copy link
Copy Markdown
Member

Post-release dependency refresh (just updatelocks), run right after cutting 0.9.0.dev0 so the new dependency set gets a full cycle on dev before the next release. Executed per a Codex-cross-reviewed procedure (the plan review's adjustments are all incorporated).

Toolchains (for reproducibility): rustc/cargo 1.97.0, uv 0.11.16.

What changed

  • Root uv.lock: 62 packages moved (majors are tooling only: pymdown-extensions 11, setuptools 83, pywin32 312, wasmtime 43). guppylang/tket/hugr stay within their deliberate caps (0.21.16 / 0.13.1 / 0.16.0).
  • Root Cargo.lock: 128 crates moved within-range; majors only env_filter 2 / wast 253; the quinn* and wit-bindgen* families dropped out of the tree entirely.
  • New durable security floor: constraint-dependencies = ["idna>=3.18"] in the root [tool.uv] (CVE-2026-45409). The previous lock silently sat at idna 3.17 below the documented floor in docs/requirements.txt, which does not constrain workspace resolution — now it structurally cannot regress.
  • Deleted python/pecos-rslib-exp/uv.lock: pecos-rslib-exp is a workspace member governed by the root lock; this standalone lock was a dead vestige (stale at 0.2.0.dev0, referenced by no workflow, an idle OSV/Dependabot input).
  • OSV PYSEC-2026-151 suppression comment updated for wasmtime 43 (advisory still lists no fixed release).
  • Deliberately frozen: exp/zlup* locks (zluppy's skew is accommodated by its own osv-scanner.toml).

Verification (in order run)

  1. uv lock --check + cargo metadata --locked + security-floor sweep (idna 3.18 ✓, cxx 1.0.197 ✓, pyo3 0.29 ✓, quinn-proto moot)
  2. cargo deny --locked --all-features: advisories/bans/sources ok
  3. OSV scan dispatched on this branch: success
  4. python-release.yml dry_run=true dispatched on this branch: success — full repaired-wheel matrix (auditwheel/delocate/delvewheel/abi3) on the refreshed locks
  5. Local: debug build OK, 15/15 pecos-phir-json test binaries, 1240 parity+rslib tests, 181 engine-surface tests

Known watch-item: the previous refresh (#322) pushed the post-merge python-core suite past its then-45m timeout. The budget is now 75m; compare the post-merge python-core duration after this merges.

Best merged after #354 (honest smoke lanes) so this PR's smoke evidence uses real dependency metadata.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant