Upgrade software dependencies 2026-05-25 (#8051)

[achave11-ucsc]

Linked issue: #8051

Checklist

Author

• PR is assigned to the author
• Status of PR is In progress
• Target branch is develop
• Name of PR branch matches upgrades/yyyy-mm-dd
• PR is linked to the upgrade issue it resolves
• Status of linked issue is In progress
• PR description links to linked issue
• PR title matches Upgrade software dependencies yyyy-mm-dd
• PR title references the linked issue

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled backup:gitlab
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (before every review)

• Rebased PR branch on develop, squashed fixups from prior reviews
• Ran make requirements_update _{or this PR does not modify Dockerfile, environment, requirements*.txt, common.mk, Makefile or environment.boot}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• Updated the AL2023_release variable in gitlab.tf.json.template.py to the most recent AL2023 release _{or no update is available}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}
• PR is not a draft
• PR is awaiting requested review from system administrator
• Status of PR is Review requested
• PR is assigned to only the system administrator and the author

System administrator (after approval)

• Actually approved the PR
• Labeled linked issue as no demo
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Status of PR is Approved
• PR is assigned to only the operator and the author

Operator

• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && python scripts/create_gitlab_snapshot.py --no-restart (see operator manual for details) _{or this PR is not labeled backup:gitlab}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && python scripts/create_gitlab_snapshot.py --no-restart (see operator manual for details) _{or this PR is not labeled backup:gitlab}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator and the author _{or this PR is not labeled deploy:gitlab}

System administrator (post-deploy of .gitlab component)

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator and the author

Operator (deploy runner image)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}

Operator (sandbox build)

• Added sandbox label
• Pushed PR branch to GitLab dev
• Pushed PR branch to GitLab anvildev
• Build passes in sandbox deployment
• Build passes in anvilbox deployment
• Reviewed build logs for anomalies in sandbox deployment
• Reviewed build logs for anomalies in anvilbox deployment
• Applied upgrade instructions from UPGRADING.rst to sandbox _{or this PR is not labeled upgrade, or upgrade instructions do not apply to sandbox}
• Applied upgrade instructions from UPGRADING.rst to anvilbox _{or this PR is not labeled upgrade, or upgrade instructions do not apply to anvilbox}

Operator (merge the branch)

• All status checks passed and the PR is mergeable
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but excluded any p tags}
• Closed related Dependabot PRs with a comment referencing the corresponding commit in this PR _{or this PR does not include any such commits}
• Pushed merge commit to GitHub
• Status of PR is Merged lower
• Status of blocked issues is Triage _{or no issues are blocked on the linked issue}

Operator (main build)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Applied upgrade instructions from UPGRADING.rst to dev _{or this PR is not labeled upgrade, or upgrade instructions do not apply to dev}
• Applied upgrade instructions from UPGRADING.rst to anvildev _{or this PR is not labeled upgrade, or upgrade instructions do not apply to anvildev}
• Notified developers to apply upgrade instructions from UPGRADING.rst to their personal deployments _{or this PR is not labeled upgrade, or upgrade instructions do not apply to personal deployments}
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• PR is assigned to only the operator
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Status of linked issue is Lower

Operator

• At least 24 hours have passed since anvildev.shared was last deployed
• Ran scripts/export_inspector_findings.py against anvildev, imported results to Google Sheet and posted screenshot of relevant¹ findings as a comment on the linked issue.
• Propagated the upgrade and API labels to the next promotion PRs _{or this PR carries neither of these labels}
• Propagated the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to only the system administrator

¹A relevant finding is a high or critical vulnerability in an image
that is used within the security boundary. Images not used within the boundary
are tracked in azul.docker_images under a key starting with _.

System administrator

• No currently reported vulnerability requires immediate attention
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

coverage: 84.801%. remained the same — upgrades/2026-05-25 into develop

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.72%. Comparing base (be75124) to head (658c309).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #8065   +/-   ##
========================================
  Coverage    84.72%   84.72%           
========================================
  Files          165      165           
  Lines        24245    24245           
========================================
  Hits         20541    20541           
  Misses        3704     3704           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hannes-ucsc]

cast is almost always problematic. The only legitimate use is working around a bug in the type checker. Remove this commit and the dependency upgrade that requires it. File a follow-up issue.

[hannes-ucsc]

Note that we have not_none