
chore(deps): bundle dependabot bumps (ujson, idna, aiohttp, starlette, msgpack) #198

Merged
that-guy-wade merged 1 commit into main from sethschilbe/bundle-dep-bumps
Jun 29, 2026

@that-guy-wade

Contributor

Description

Consolidates 7 open dependabot PRs into a single review.

Supersedes:

Changes Made

  • requirements.txt: ujson 5.12.1 → 5.13.0
  • docker/search-server/requirements.txt: ujson 5.12.1 → 5.13.0
  • docker/validator/pyproject.toml: ujson 5.12.1 → 5.13.0
  • docker/validator/uv.lock: regenerated via uv lock --upgrade-package for ujson, idna, aiohttp, starlette, msgpack. idna landed on 3.18 (latest available) rather than dependabot's 3.15 — no constraint pins it, and 3.13 → 3.18 is the same patch-line bump dependabot intended.

Issue Link

  • Related to: N/A
  • Closes: N/A (dependabot PRs auto-close on merge of equivalent pins)

Testing

Manual Testing

Lockfile regenerated cleanly; resolver did not need to change unrelated transitive deps. No code path changes — all are CVE/patch bumps.

Test Results:

Pending CI.

Automated Testing

Existing CI suite covers import-time + integration paths for every touched package (aiohttp / ujson / starlette / msgpack used heavily by validator + search-server).

Test Command(s):

uv run pytest subnet/tests

Documentation

  • README updated
  • Code comments added/updated
  • API documentation updated
  • Configuration documentation updated
  • Other documentation updated (please specify): N/A

Documentation Changes:

N/A.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been published and merged

Additional Notes

After this merges, the 7 superseded dependabot PRs can be closed (dependabot may auto-close them on next run).

Consolidates dependabot PRs #170, #183, #184, #186, #187, #188, #189:
- ujson 5.12.1 → 5.13.0 (root, search-server, validator)
- idna 3.13 → 3.18 (validator, latest available; supersedes 3.15)
- aiohttp 3.13.5 → 3.14.1 (validator)
- starlette 1.0.0 → 1.3.1 (validator)
- msgpack 1.1.2 → 1.2.1 (validator)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
that-guy-wade self-assigned this Jun 25, 2026
that-guy-wade requested a review from shardi-b June 25, 2026 16:32
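
A check a reviewer could run on a bundled bump like this one, as an added example that is not part of the PR or the repository's code: it confirms that every resolved pin is at or above the version each superseded dependabot PR targeted. The floor versions are taken from the commit message above; the sample lockfile and requirements text are constructed, and the function names are hypothetical.

```python
import re

# Floors: versions the superseded dependabot PRs targeted (from the commit message).
FLOORS = {"ujson": "5.13.0", "idna": "3.15", "aiohttp": "3.14.1",
          "starlette": "1.3.1", "msgpack": "1.2.1"}

# Constructed sample inputs, not the repository's real files.
SAMPLE_LOCK = '''
[[package]]
name = "idna"
version = "3.18"

[[package]]
name = "aiohttp"
version = "3.14.1"

[[package]]
name = "starlette"
version = "1.0.0"
'''
SAMPLE_REQS = "ujson==5.13.0\nmsgpack==1.1.2  # stale pin\nrequests>=2.0\n"

def vtuple(version, width=4):
    """'3.15' -> (3, 15, 0, 0); padding makes '3.15' compare equal to '3.15.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def lock_versions(text):
    """Map name -> version from uv.lock-style [[package]] tables (name, then version)."""
    pairs = re.findall(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"', text)
    return {name.lower(): ver for name, ver in pairs}

def requirements_versions(text):
    """Map name -> version for exact '==' pins; range specifiers are ignored."""
    pins = re.findall(r'^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)', text, re.M)
    return {name.lower(): ver for name, ver in pins}

def below_floor(resolved, floors=FLOORS):
    """Return {package: (resolved, floor)} for each tracked package older than its floor.
    Assumes tracked packages resolve to plain numeric release versions."""
    return {name: (ver, floors[name]) for name, ver in resolved.items()
            if name in floors and vtuple(ver) < vtuple(floors[name])}

if __name__ == "__main__":
    for label, found in (("lock", lock_versions(SAMPLE_LOCK)),
                         ("requirements", requirements_versions(SAMPLE_REQS))):
        print(label, below_floor(found) or "ok")
```

A resolved version above the floor, such as idna 3.18 against dependabot's 3.15, passes; only pins older than a superseded PR's target are reported.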

shardi-b left a comment

Contributor

Approved. No issues found during code review.

that-guy-wade merged commit d6532a3 into main Jun 29, 2026
3 checks passed
that-guy-wade deleted the sethschilbe/bundle-dep-bumps branch June 29, 2026 23:28