Skip to content

fix(deps): patch 18 Dependabot alerts in tests/integrations/python#168

Merged
shudonglin merged 1 commit into
mainfrom
fix/dependabot-python-tests
Jul 5, 2026
Merged

fix(deps): patch 18 Dependabot alerts in tests/integrations/python#168
shudonglin merged 1 commit into
mainfrom
fix/dependabot-python-tests

Conversation

@shudonglin

Copy link
Copy Markdown

Summary

Resolves all 18 open Dependabot alerts, all scoped to the Python integration
test harness (tests/integrations/python/) — a test-only package, not
gateway runtime code.

Root cause of why uv lock --upgrade-package initially didn't move any
versions: [tool.uv] exclude-newer in pyproject.toml was pinned to
2026-06-02T00:00:00Z, which pre-dates every patched release below. Bumped
it to 2026-07-05T00:00:00Z (today) so the resolver can see the patched
versions, then re-ran the upgrade.

Package version changes

Package Old New Patched threshold Note
aiohttp 3.14.0 3.14.1 >=3.14.1 transitive
pydantic-settings 2.14.1 2.14.2 >=2.14.2 transitive
langchain-anthropic 1.3.0 1.4.8 >=1.4.6 direct pin in pyproject.toml relaxed from ==1.3.0 to >=1.4.6
langchain 1.3.2 1.3.11 >=1.3.9 direct floor raised from >=1.1.0 to >=1.3.9
starlette 1.2.1 1.3.1 >=1.3.1 transitive
python-multipart 0.0.30 0.0.32 >=0.0.31 transitive
vcrpy 8.1.1 8.3.0 >=8.2.1 transitive
langsmith 0.8.8 0.9.7 >=0.8.18 transitive
cryptography 48.0.0 49.0.0 >=48.0.1 transitive

No separate lowercase "Starlette" entry exists in the lockfile — only one
starlette package.

All 9 packages landed at or above their patched threshold. No package was
UNRESOLVABLE.

Validation

  • uv lock --locked — passes (lockfile consistent with pyproject.toml)
  • uv sync --frozen --dry-run — resolves cleanly, no conflicts
  • git diff --stat:
     tests/integrations/python/pyproject.toml |   6 +-
     tests/integrations/python/uv.lock        | 352 ++++++++++++++++---------------
     2 files changed, 182 insertions(+), 176 deletions(-)
    

These are test-only integration harness dependencies (used to drive
end-to-end tests against the Bifrost proxy), not gateway runtime
dependencies — this change carries no runtime/production risk.

Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01KaMwdJBpdWtWo7xxmehHrr

@shudonglin shudonglin merged commit e71bdf1 into main Jul 5, 2026
57 of 61 checks passed
@shudonglin shudonglin deleted the fix/dependabot-python-tests branch July 5, 2026 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant