Skip to content

chore(deps): relax authlib pin to >=1.6.5,<2#654

Merged
LinoGiger merged 1 commit into
mainfrom
chore(deps)/relax-authlib-pin
Jul 8, 2026
Merged

chore(deps): relax authlib pin to >=1.6.5,<2#654
LinoGiger merged 1 commit into
mainfrom
chore(deps)/relax-authlib-pin

Conversation

@kannwism

@kannwism kannwism commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Why

A customer asked whether we can relax the exact authlib==1.6.5 pin in the SDK (it forces dependency conflicts in their environment).

Investigation

The exact pin is not deliberate:

An exact pin is especially harmful in a published SDK — it propagates a version conflict to every downstream consumer.

Change

Relax to authlib>=1.6.5,<2 (matches the original caret intent, floored at the currently-tested version).

Verification

  • uv lock resolves cleanly.
  • Forced upgrade to the latest 1.x (1.7.2) imports the OAuth2Client / OAuthError symbols the SDK actually uses, under the existing httpx>=0.28.1,<0.29 constraint. authlib does not cap httpx.

🔗 Session: https://t-28283203d35cde.poseidon.rapidata.internal/

authlib was pinned to an exact ==1.6.5 incidentally by the uv migration (#407),
which froze the then-resolved version. It was originally added in #228 as a
flexible ^1.5.1 for the OAuth2 refresh-token client and has no compatibility
guard requiring an exact version. An exact pin is especially harmful in a
published SDK because it forces dependency conflicts on downstream users.

Relax to >=1.6.5,<2 (matching the original caret intent, floored at the
currently-tested version). Verified the range resolves and that the latest 1.x
(1.7.2) imports the OAuth2Client/OAuthError used by the SDK cleanly under the
existing httpx<0.29 constraint.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: RapidPoseidon <poseidon@rapidata.ai>
@claude

claude Bot commented Jul 8, 2026

Copy link
Copy Markdown

Reviewed the diff. This is a small, well-scoped dependency change and I don't see any correctness issues.

Code quality / rationale

  • The PR description does a good job digging into the history of the pin (added as ^1.5.1 in fix: RAPID-4589 credentials lost after a prolonged period of time #228, accidentally frozen to ==1.6.5 during the uv migration in feat: migrate to uv #407). Relaxing to >=1.6.5,<2 is a reasonable middle ground: it removes the incidental exact pin while still capping at the next major to guard against breaking changes.
  • The only two usages of authlib in the codebase are OAuth2Client and OAuthError from authlib.integrations.httpx_client (src/rapidata/api_client/rest.py, src/rapidata/service/openapi_service.py). Both symbols are stable in the authlib public API, so the relaxed range looks safe for actual usage.

Dependency/lockfile considerations

  • authlib 1.7.x pulls in a new transitive dependency, joserfc, which wasn't previously in the lock file. Worth confirming there's no license/security concern with adding this new transitive dep (it's BSD-licensed and authlib's own dependency, so this is likely fine, just flagging since it's a new package entering the dependency tree).
  • The uv.lock diff also includes unrelated churn to ipython/ipython-pygments-lexers/exceptiongroup marker conditions (dropping python_full_version markers). This is presumably just uv lock normalizing resolution markers as a side effect of re-resolving, not something intentionally changed by this PR — but worth double-checking it doesn't silently change which packages get installed on Python 3.10 vs 3.11+ environments (these are dev-only deps per the extras, so risk is low, but still worth a sanity check that uv sync --group dev behaves the same across supported Python versions).

Security

  • No security concerns with widening the range itself — >=1.6.5,<2 still excludes any known-vulnerable pre-1.6.5 releases and caps at a major version boundary, which is the right way to relax a pin in a published SDK.

Test coverage

  • No behavioral code changes, so no new tests are needed. The verification described (forced upgrade to 1.7.2, uv lock resolves cleanly, symbols import fine under the existing httpx constraint) is appropriate for a dependency-range-only change.

Overall: looks good to merge. Only worth a quick look at the incidental uv.lock marker churn for the dev dependencies before merging, just to confirm it's expected from the re-resolve and not masking something else.

@LinoGiger LinoGiger marked this pull request as ready for review July 8, 2026 06:49
@LinoGiger LinoGiger merged commit bfafc5a into main Jul 8, 2026
3 checks passed
@LinoGiger LinoGiger deleted the chore(deps)/relax-authlib-pin branch July 8, 2026 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants