chore(deps): multibump rollup of 33 Dependabot bumps + release 0.3.8#551
Conversation
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.12.0 to 2.14.2. - [Release notes](https://github.com/pydantic/pydantic-settings/releases) - [Commits](pydantic/pydantic-settings@v2.12.0...v2.14.2) --- updated-dependencies: - dependency-name: pydantic-settings dependency-version: 2.14.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…est, aws-durable-execution-sdk-python; redis lock-only) + version 0.3.8 Folds dependabot PRs QualityUnit#530 QualityUnit#527 QualityUnit#524 QualityUnit#525 QualityUnit#497 QualityUnit#522; QualityUnit#523 taken lock-only (extra floors kept at redis>=5.0.0 — primary consumer urlslab-app pins redis ^6.4.0).
…/pydantic-settings-2.14.2' into chore/deps-rollup
…cide, router, rhf, dev tools) Folds dependabot PRs QualityUnit#496 QualityUnit#500 QualityUnit#501 QualityUnit#505 QualityUnit#506 QualityUnit#528-QualityUnit#548 (npm). Caret resolution landed some packages a notch above the PR targets; reviewed to landed versions.
D3 packages — what changed and what to test
Verification already executed (isolated old-vs-new legs, one package pinned back at a time)
Full leg tables and the engine-suite/CI-gate diffs are in the PR body. |
|
Verdict: safe to merge. Verified: engine suite + CI gates identical old vs new; croniter/filelock/click checked in isolation; Celery suspend/resume E2E pass; urlslab-app full suite on this rev — zero regressions; OSV + npm supply chain clean. @yasha-dev1 one thing to check: aws-durable-execution-sdk 1.5.0 → 1.7.0 changed suspend semantics inside Verification also surfaced ~8 pre-existing engine bugs (broken Celery retries, scheduler starvation, …) — not caused by this PR; issues with repros follow. After merge: tag |
|
no one's using that for now. we'll just merge |
|
Pre-existing bugs from the verification, now filed with executed repros: #554 (P1 Celery retries broken on string retry_after), #552 (P1 scheduler tick starvation), #553 (trigger_schedule persist ordering), #555 (schedules CLI missing discovery), #556 (yaml-overrides-env broker footgun), #557 (resume-vs-sleep, schedule purge case bug, .locks growth). None are caused by this PR. |
|
Stage-5 dashboard UI walkthrough done (backend+frontend booted from this branch, real run data): navigation/back-forward, runs table + filters, select, dropdown-menu, radio-group form submit (theme+font applied), Cmd+K dialog open/Esc-close with pointer-events intact, sidebar collapse — all pass, zero console errors. That was the last open verification leg; everything is now executed. |
Multibump rollup of all open pip + npm Dependabot PRs, reviewed dependacheck-style (investigate → test), plus version bump 0.3.7 → 0.3.8. 33 packages. Max tier D3 — all D3s verified safe by isolated old-vs-new execution.
Folds and supersedes: #497 #496 #500 #501 #505 #506 #518 #522 #523 #524 #525 #527 #528 #529 #530 #531 #532 #533 #534 #535 #536 #537 #538 #539 #540 #541 #542 #543 #544 #545 #546 #547 #548. Not included (GH Actions, review directly): #521 (
actions/cache5→6), #491 (actions/checkout6→7).Note: npm caret resolution landed some packages one notch above the Dependabot targets (e.g. lucide 1.24.0, rhf 7.81.0, typescript-eslint 8.63.0, prettier 3.9.5); review and changelog judgment were done against the landed versions.
Root pip (engine — critical blast radius)
pyworkflow/utils/schedule.py:113,348(croniter(),.get_next)pyworkflow/storage/file.py(25×with FileLock(...)).lockfiles persist after release>=0.1.0→>=1.6.0)pyworkflow/aws/handler.py,aws/context.py,context/aws.py@durable_execution(#492); repo has zero real-SDK tests — see needs-judgment note belowpyworkflow/cli/**(~290 symbol uses)>=7.4.0→>=9.1.1)pip install -e .[dev])>=0.15.20)>=5.0.0)celery/singleton.py,streams/checkpoint.pydashboard/backend
app/config.py(BaseSettings, env prefix +.env)dashboard/frontend (25 npm)
useFieldArrayerror-placement fixes intersectprofile-form.tsx; corrections, gates greenasChildpath used by button/formui/select+ 4 downstreamuseMatch/Match memoization perf changes on every-navigation render path; no API changeunstable_*APIs usedvite.config.ts(path,__dirname);skipLibCheckon; tsc build verified green--checkfailing-file set byte-identical old vs new (37 pre-existing)Security
Executed evidence
Engine suite (Python 3.13,
pip install -e .[dev]), new leg (croniter 6.2.3, filelock 3.29.7, click 8.4.2, redis 8.0.1, pytest 9.1.1):Old-leg CI-gate diffs (identical suite, one package pinned back at a time):
check .format --check .--check .(frontend)tsc -b && vite build/eslint .(old lock vs new lock)D3 isolated old-vs-new regression legs (each leg pins back exactly one package, everything else held at new):
croniter 6.2.2 vs 6.2.3 — normal exprs and 59-element comma ranges: identical
validate_cron_expression+get_nextresults from a fixed base. Zero-step exprs (*/0,1-5/0, reversed5-1/0): rejected on both legs; only divergence is exception type on reversed ranges (ValueError→CroniterBadCronError, which subclassesValueErrorin both versions), fully absorbed byvalidate_cron_expression'sexcept (ValueError, KeyError)→ returnsFalse, never crashes. Safe.filelock 3.29.4 vs 3.29.7 — mutual exclusion (2 threads), release→reacquire, reacquire-over-stale-lockfile (post-upgrade simulation), and a real
FileStorageBackendwrite+read roundtrip: identical on both legs. Single divergence = documented #577:.lockfiles persist after release. Cosmetic accumulation; no call site assumes lock-file absence. Operational note:.locks/dirs grow unbounded (one file per distinct run/hook/schedule id) — possible future cleanup task. Safe.click 8.4.1 vs 8.4.2 —
pyworkflow --helpandpyworkflow schedules --help: exit 0, byte-identical output on both legs. Safe.Needs-judgment (human sign-off)
@durable_execution, whichpyworkflow/aws/handler.pywraps — and the repo has no tests exercising the real SDK (AWS path verified only against in-repo mocks), so this one cannot be execution-verified here. If the AWS runtime is in production use anywhere, verify a suspend/resume cycle on a real Lambda before relying on it; otherwise the floor raise to>=1.6.0is the safest expression of intent.Version bump
0.3.7 → 0.3.8inpyproject.toml+pyworkflow/__init__.py(per RELEASING.md). This picks up #550 (STEP_SUSPENDED for inline step_hook suspensions) already on main — downstream urlslab-app is waiting on 0.3.8 to re-pin from the temporary fork rev.Risk tier: Tier 3 (engine-critical paths touched by croniter/filelock; verified by execution as above).