Skip to content

chore: coordinated routine dependency refresh#19

Open
magnaquant wants to merge 2 commits into
mainfrom
chore/coordinated-dependency-refresh
Open

chore: coordinated routine dependency refresh#19
magnaquant wants to merge 2 commits into
mainfrom
chore/coordinated-dependency-refresh

Conversation

@magnaquant

Copy link
Copy Markdown
Owner

Summary

The deferred routine portion of closed Dependabot group PR #15, done through the documented coordinated flow (CLAUDE.md): lock-level updates within existing constraints, exports regenerated with the pinned Poetry toolchain, and both artifact releases regenerated because poetry.lock is a release-critical fingerprinted input.

  • Updated: ccxt 4.5.63, pytest 9.1.1, redis 8.0.1, ruff 0.15.20, torch 2.12.1 (transitive triton 3.7.1), yfinance 1.5.1. Exactly 7 lock packages changed; pyproject.toml untouched.
  • pandas stays at 3.0.3: PyPI has yanked 3.0.4 (all files marked yanked), so Poetry correctly refuses it. The Dependabot group PR would have proposed a now-yanked release. The computation stack (pandas, numpy, scipy, scikit-learn) is therefore unchanged by this refresh.
  • Both releases regenerated from clean source commit c021760 (expansion first, then paper, with the expansion-artifact verification active).

Verification

  • Numerics identity: every economic CSV, figure, and target-tape hash byte-identical to the prior release; only manifests, the source-digest macro, PDFs, checksums, and build manifests changed; pdftotext diff is one digest line per PDF.
  • Both manifests record source_commit c021760 with a clean worktree at start; cross-release equality holds.
  • Local gates under the new toolchain (ruff 0.15.20, pytest 9.1.1): ruff clean, 464/464 tests pass. The three provenance tests that correctly failed against the pre-regeneration manifests pass after regeneration.
  • yfinance 1.5.1 does not alter any recorded provenance: the manifests' retrieval metadata (yfinance 1.4.1, 2026-06-16) is a historical fact about the frozen, digest-bound input, not the current environment.

Merge notes

Merge by command-line fast-forward push only (git push origin chore/coordinated-dependency-refresh:main). Do NOT squash or use the GitHub rebase button; the manifests record source commit c021760, which must remain an ancestor. Do not move research-audit-v1.

magnaprog added 2 commits July 2, 2026 01:03
Lock-level updates within existing pyproject constraints: ccxt 4.5.63,
pytest 9.1.1, redis 8.0.1, ruff 0.15.20, torch 2.12.1 (with transitive
triton 3.7.1), and yfinance 1.5.1. pandas stays at 3.0.3 because 3.0.4 is
yanked on PyPI, so the computation stack (pandas, numpy, scipy,
scikit-learn) is unchanged by this refresh. pyproject.toml untouched.

Supersedes the routine portion of the closed Dependabot group PR #15;
requirements exports regenerated with the pinned Poetry toolchain. Release
artifacts are regenerated in the follow-up commit because poetry.lock is a
release-critical fingerprinted input.
Both releases regenerated from clean source commit 881176d via the release
wrappers with fixed UTC timestamps (rebuilt on top of the merged docker
digest bump so the release history fast-forwards). The computation stack is
unchanged (pandas 3.0.3; the yanked 3.0.4 was correctly refused), and every
economic CSV, figure, and target-tape hash is byte-identical; the only PDF
content change is the source-tree digest hex in the reproducibility
appendix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants