
chore(deps): bump idna from 3.14 to 3.15 in /tools/gmail/oauth-draft#233

Merged

potiuk merged 1 commit into main from dependabot/uv/tools/gmail/oauth-draft/idna-3.15 on May 20, 2026
@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps idna from 3.14 to 3.15.

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [idna](https://github.com/kjd/idna) from 3.14 to 3.15.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.14...v3.15)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) labels May 20, 2026
@potiuk potiuk merged commit 7155ebe into main May 20, 2026
13 checks passed
@potiuk potiuk deleted the dependabot/uv/tools/gmail/oauth-draft/idna-3.15 branch May 20, 2026 01:33
potiuk added a commit to potiuk/magpie that referenced this pull request May 24, 2026
The github-actions and pre-commit ecosystem blocks in
.github/dependabot.yml carried `semver-{major,minor,patch}-days`
cooldown keys, which those ecosystems do not accept. Dependabot
rejected both blocks outright with:

    The property '#/updates/0/cooldown/semver-major-days' is not
    supported for the package ecosystem 'github-actions'.
    The property '#/updates/1/cooldown/semver-major-days' is not
    supported for the package ecosystem 'pre-commit'.
    ...

which is why neither ecosystem produced a single PR in the four
weeks since adoption on 2026-04-29 (the uv blocks were unaffected
and ran normally — see apache#130, apache#233). Strip the unsupported keys and
keep `default-days: 7` for the 7-day settle window.

Apply the bumps that would have landed already had dependabot been
running, all past the 7-day cooldown:

  actions/cache                v4.2.2  -> v5.0.5
  github/codeql-action         v4.35.2 -> v4.35.5
  zizmorcore/zizmor-action     v0.5.2  -> v0.5.6
  astral-sh/setup-uv           v7.3.0  -> v8.1.0

actions/cache@v5 needs runner >= 2.327.1 (Node 24), which the
GitHub-hosted runners we target already satisfy. setup-uv@v8 is a
major bump; CI on this commit is the smoke test.

ASF allowlist: setup-uv@08807647 and zizmor-action@5f14fd08 are
already on approved_patterns.yml. actions/cache and
github/codeql-action are exempt — `actions` and `github` are in
TRUSTED_OWNERS in apache/infrastructure-actions/allowlist-check/
check_asf_allowlist.py.

Generated-by: Claude Code (Opus 4.7)
potiuk added a commit that referenced this pull request May 24, 2026
…mpl (#257)

* pr-management-stats: require full engagement schema + add reference impl

Fixes three correctness issues in pr-management-stats that cause severe
under-counting of engagement and over-counting of untriaged PRs:

1. `fetch.md` previously said "no statusCheckRollup / mergeable /
   reviewThreads" — claiming none were needed for stats. This is wrong
   for `reviewThreads`, `latestReviews`, and `timelineItems`: the
   `is_engaged` predicate in classify.md explicitly counts maintainer
   line-level review comments, submitted reviews, and label/draft
   timeline events as engagement. Omitting those fields means a
   maintainer who only left a line-level review comment is treated as
   "no engagement" and the PR is misclassified as untriaged. On a
   ~530-PR queue this inflates the untriaged count ~10× (observed:
   225 → 24, then 24 → 2 with full schema + reviewThreads added).

2. `SKILL.md` had no explicit no-skip rule for the 11 dashboard panels.
   Agents under context pressure were observed simplifying away the
   line charts, CODEOWNERS table, and triager-activity table. New
   Golden rule 8 requires all sections to render; missing-data
   stubs are allowed but silent omission is not.

3. New Golden rule 9 documents the FULL engagement schema explicitly
   so agents don't trim the query "to save complexity points".

Also adds:
- `tools/pr-management-stats/reference.py` — canonical reference
  implementation of the fetch + classify contract. Encodes the full
  engagement schema and serves as the single source of truth agents
  can read from.
- `tools/pr-management-stats/README.md` — describes how the agent
  invokes the reference + the anti-skip contract.
- Updated GraphQL template in fetch.md to include the engagement
  fields, with batch size dropped from 50 to 30 to absorb the
  ~11-point complexity increase per page.

* chore(ci): fix dependabot cooldown schema and bump pinned actions

The github-actions and pre-commit ecosystem blocks in
.github/dependabot.yml carried `semver-{major,minor,patch}-days`
cooldown keys, which those ecosystems do not accept. Dependabot
rejected both blocks outright with:

    The property '#/updates/0/cooldown/semver-major-days' is not
    supported for the package ecosystem 'github-actions'.
    The property '#/updates/1/cooldown/semver-major-days' is not
    supported for the package ecosystem 'pre-commit'.
    ...

which is why neither ecosystem produced a single PR in the four
weeks since adoption on 2026-04-29 (the uv blocks were unaffected
and ran normally — see #130, #233). Strip the unsupported keys and
keep `default-days: 7` for the 7-day settle window.

Apply the bumps that would have landed already had dependabot been
running, all past the 7-day cooldown:

  actions/cache                v4.2.2  -> v5.0.5
  github/codeql-action         v4.35.2 -> v4.35.5
  zizmorcore/zizmor-action     v0.5.2  -> v0.5.6
  astral-sh/setup-uv           v7.3.0  -> v8.1.0

actions/cache@v5 needs runner >= 2.327.1 (Node 24), which the
GitHub-hosted runners we target already satisfy. setup-uv@v8 is a
major bump; CI on this commit is the smoke test.

ASF allowlist: setup-uv@08807647 and zizmor-action@5f14fd08 are
already on approved_patterns.yml. actions/cache and
github/codeql-action are exempt — `actions` and `github` are in
TRUSTED_OWNERS in apache/infrastructure-actions/allowlist-check/
check_asf_allowlist.py.

Generated-by: Claude Code (Opus 4.7)

* fix(pr-management-stats): use placeholders in fetch.md + README example

`check-placeholders` pre-commit hook (and skill-validator pytest)
rejected hardcoded `apache/airflow` references in:

  .claude/skills/pr-management-stats/fetch.md:414
  tools/pr-management-stats/README.md:39

Replace with `<upstream>` (the skill's existing placeholder for the
project repo, used on fetch.md lines 171, 178, 185, 193, 203, 223,
238, 348). Also swap `potiuk` for `<maintainer-handle>` in the
README invocation so the example matches the placeholder convention
end-to-end. doctoc TOC added by pre-commit on first README edit.

Generated-by: Claude Code (Opus 4.7)

* fix(pr-management-stats): typos in reference.py flagged by `typos` hook

prek's `typos` hook caught:
- `invokable` -> `invocable` (docstring, line 23)
- `thr` -> `thread` (loop variable in the reviewThreads walk,
  lines 257-258)

Pure rename + spelling fix; no behaviour change.

Generated-by: Claude Code (Opus 4.7)
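
The cooldown-schema failure described in the commit messages above can be caught before Dependabot silently stops opening PRs. The following is an added example, not code from the repository: it checks an already-parsed `.github/dependabot.yml` and reports findings in the same JSON-pointer form as the quoted error. The function names, the sample values and the set of affected ecosystems (only the two named on this page) are assumptions.

```python
SEMVER_KEYS = ("semver-major-days", "semver-minor-days", "semver-patch-days")

# Ecosystems the commit message names as rejecting semver-* cooldown keys.
# Taken from this page only; not a complete list of Dependabot ecosystems.
NO_SEMVER_COOLDOWN = {"github-actions", "pre-commit"}


def find_unsupported_cooldown_keys(config):
    """Return (json_pointer, ecosystem) pairs for each rejected cooldown key."""
    findings = []
    for index, update in enumerate(config.get("updates") or []):
        ecosystem = update.get("package-ecosystem")
        if ecosystem not in NO_SEMVER_COOLDOWN:
            continue
        cooldown = update.get("cooldown") or {}
        for key in SEMVER_KEYS:
            if key in cooldown:
                findings.append((f"#/updates/{index}/cooldown/{key}", ecosystem))
    return findings


def strip_unsupported_cooldown_keys(config):
    """Return a copy with the rejected keys removed; default-days is kept."""
    fixed = {**config, "updates": []}
    for update in config.get("updates") or []:
        update = dict(update)
        if update.get("package-ecosystem") in NO_SEMVER_COOLDOWN and "cooldown" in update:
            update["cooldown"] = {k: v for k, v in update["cooldown"].items()
                                  if k not in SEMVER_KEYS}
        fixed["updates"].append(update)
    return fixed


# Constructed sample: the dict a YAML loader would return (schedule omitted).
# The semver-* values are illustrative; only `default-days: 7` is from the page.
SAMPLE = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "github-actions", "directory": "/",
         "cooldown": {"default-days": 7, "semver-major-days": 14,
                      "semver-minor-days": 7, "semver-patch-days": 3}},
        {"package-ecosystem": "pre-commit", "directory": "/",
         "cooldown": {"default-days": 7, "semver-major-days": 14}},
        {"package-ecosystem": "uv", "directory": "/tools/gmail/oauth-draft",
         "cooldown": {"default-days": 7, "semver-major-days": 14}},
    ],
}
```

Run as a pre-commit or CI step, a non-empty result from `find_unsupported_cooldown_keys` should fail the build, since a rejected block means that ecosystem receives no update PRs at all.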
potiuk added a commit that referenced this pull request May 31, 2026
…idle trackers in bulk mode (#414)

Bulk sync (sync all, sync announced, etc.) currently dispatches
one full subagent per resolved tracker. Each subagent loads the
skill + does a `gh issue view` + reads comments + reads mail +
returns a structured report — ~50 KB per subagent transcript.
On bulk sweeps where 30–50% of trackers are in steady state
(closed > 30d with `announced`, or open with the full
cve-allocated + pr-merged + announced label set and no recent
activity), the subagent's full work is a no-op that produces an
empty proposal — pure waste.

This change inserts a Step 1b pre-flight classifier between
selector-resolution and subagent dispatch. One batched
`gh api graphql` round-trip fetches `state`, `closedAt`,
`updatedAt`, `labels`, and the last comment's author+timestamp
for every resolved issue at once (aliased multi-field query,
~3 KB request, ~6 KB response for 30 issues). A conservative
rule table classifies each as `dispatch` / `dispatch-urgent` /
`skip-noop`; only the non-skipped ones get subagents.

Safety:

* Conservative — `skip-noop` fires only when multiple signals
  align (closed AND age AND label set AND inactive last comment
  AND bot last commenter).
* `updatedAt` within last 7 days is an absolute override; never
  skip a tracker with recent activity regardless of other
  signals.
* Pre-flight only applies to set-resolving selectors
  (`sync all`, `sync announced`, label/title selectors). An
  explicit number selector like `sync #232, #233` never skips.
* Every skip appears in the proposal's "Pre-flight skipped"
  group with the rule that fired — never silent. The user can
  `force-sync <N>` any of them at confirmation.
* `--no-preflight` opts out entirely.

This is a skill-instruction change; no Python tool added. The
orchestrator builds the GraphQL query directly. Rules can be
iterated quickly by editing the table; if real-world results
show the classifier is too aggressive or too timid, the patches
are one-line edits to the rule table.
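
The safety properties listed in the commit message above amount to a classifier that skips only when every signal agrees and dispatches on any doubt. The following is an added sketch of that shape, not the skill's rule table (which this page does not show). The flattened field names `lastCommentAuthorIsBot` and `lastCommentAt`, the reuse of the 7-day window for "inactive last comment", applying the bot-commenter check to open trackers, and the omission of `dispatch-urgent` (no rule for it is given here) are all assumptions.

```python
from datetime import datetime, timedelta, timezone

RECENT = timedelta(days=7)       # page: updatedAt within 7 days never skips
CLOSED_AGE = timedelta(days=30)  # page: "closed > 30d"
FULL_LABEL_SET = {"cve-allocated", "pr-merged", "announced"}


def _ts(value):
    # GitHub returns ISO 8601 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(issue, now, explicit_number=False, preflight=True):
    """Return (decision, rule); every doubt resolves to "dispatch"."""
    if not preflight:
        return "dispatch", "--no-preflight"
    if explicit_number:
        return "dispatch", "explicit number selector"
    try:
        if now - _ts(issue["updatedAt"]) <= RECENT:
            return "dispatch", "updatedAt within 7 days"
        # Assumption: "inactive last comment" reuses the 7-day window.
        quiet = (issue["lastCommentAuthorIsBot"] is True
                 and now - _ts(issue["lastCommentAt"]) > RECENT)
        labels = set(issue["labels"])
        if quiet and issue["state"] == "CLOSED" and "announced" in labels:
            if now - _ts(issue["closedAt"]) > CLOSED_AGE:
                return "skip-noop", "closed > 30d with announced"
        if quiet and issue["state"] == "OPEN" and FULL_LABEL_SET <= labels:
            return "skip-noop", "open, full label set, no recent activity"
    except (KeyError, TypeError, ValueError, AttributeError):
        # Missing or malformed pre-flight data must never cause a skip.
        return "dispatch", "incomplete pre-flight data"
    return "dispatch", "no skip rule matched"


NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)
# Constructed sample issues, shaped like one flattened GraphQL response row.
IDLE_CLOSED = {"state": "CLOSED", "closedAt": "2026-03-01T00:00:00Z",
               "updatedAt": "2026-03-02T00:00:00Z", "labels": ["announced"],
               "lastCommentAuthorIsBot": True,
               "lastCommentAt": "2026-03-02T00:00:00Z"}
TOUCHED = {**IDLE_CLOSED, "updatedAt": "2026-05-28T00:00:00Z"}
HUMAN_REPLY = {**IDLE_CLOSED, "lastCommentAuthorIsBot": False}
NO_COMMENTS = {**IDLE_CLOSED, "lastCommentAt": None}
```

Returning the rule alongside the decision is what lets each skip be listed in the "Pre-flight skipped" group rather than dropped silently.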