chore(api): Remove uv override-dependencies block #7756
Draft
matthewelwell wants to merge 4 commits into
The `[tool.uv].override-dependencies` block was added during the Poetry to uv migration to keep the lockfile dependency-neutral with the prior `poetry.lock`. With several months of normal upgrades since, the block is now silently capping security updates (most recently Django 5.2.15, which Renovate could not produce a PR for until the Django pin was removed in #7755).

Removing the whole block lets uv perform a natural resolution. The resulting `uv.lock` changes are minimal but mixed:

- cryptography 46.0.7 -> 43.0.3 (downgrade)
- pyopenssl 26.0.0 -> 25.1.0 (downgrade)
- pytest 7.2.2 -> 9.0.3 (major bump)
- deprecation 2.0.7 -> 2.1.0
- pluggy 1.2.0 -> 1.6.0
- tomli added

Opening for discussion before merging — the downgrades suggest something in the dependency graph is capping these packages, which is worth understanding before we remove the override scaffolding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pluggy 1.6 ships proper typing for `@pytest.hookimpl`, so the `# type: ignore[misc]` previously needed under pluggy 1.2 is now flagged as unused-ignore by mypy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pytest-lazy-fixture 0.6.3 (unmaintained since 2020) uses `CallSpec2.funcargs` which pytest 9 removed, so every test that imports it errors at collection with `AttributeError: 'CallSpec2' object has no attribute 'funcargs'`. Cap pytest at <8 until the migration to the maintained `pytest-lazy-fixtures` fork is done in #7759.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Conflicts:
# api/pyproject.toml
# api/uv.lock
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## main #7756 +/- ##
=======================================
Coverage 98.55% 98.55%
=======================================
Files 1454 1454
Lines 56000 56000
=======================================
Hits 55193 55193
Misses 807 807
Thanks for submitting a PR! Please check the boxes below:

- `docs/` if required so people know about the feature.

Changes

Opening as a draft to start a discussion.

The `[tool.uv].override-dependencies` block in `api/pyproject.toml` was added during the Poetry to uv migration to keep the resolved versions identical to the prior `poetry.lock`. The comment above it states:

This PR removes the whole block to see what the natural uv resolution looks like today. The lockfile diff is smaller than I expected:

`<8`, see below

Findings so far (things the override block was silently load-bearing for):

- `pytest-lazy-fixture` 0.6.3 (unmaintained since 2020) relies on `CallSpec2.funcargs`, removed in pytest 9. pytest is now capped at `>=7.2.2,<8` with TODO markers pointing at tests: Migrate from unmaintained pytest-lazy-fixture to pytest-lazy-fixtures #7759; the migration to the maintained `pytest-lazy-fixtures` fork is in test: Migrate to pytest-lazy-fixtures #7761, after which the cap can be lifted here.
- `@pytest.hookimpl`, which turned a previously-required `# type: ignore[misc]` in `tests/conftest.py` into a mypy `unused-ignore` error — removed in this PR.

Things still worth discussing:

- `cryptography` and `pyopenssl` downgrades suggest something in the dependency graph caps them. We should figure out what and decide whether to bump that dependency or keep a targeted override.
- `dev` extras still contain this comment for `email-validator`/`pyjwt` referring to a pydantic override, which would no longer apply after this PR.
- `email-validator`/`pyjwt` workaround comment should be updated or removed in the same PR.

How did you test this code?

- `uv lock` locally — resolution completes successfully with the changes above.
- `make typecheck` passes locally (Success: no issues found in 1697 source files).
- `<8` cap.
- `cryptography`/`pyopenssl` downgrades.