chore(deps): roll up env Dependabot updates #789
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.0...1.0.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [authlib](https://github.com/authlib/authlib) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Commits](authlib/authlib@v1.7.0...1.7.1)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.7.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Review: env Dependabot lockfile rollup
Verdict: Approve ✅
Reviewed all 7 changed files. Scope matches the description exactly — changes are confined to envs/*/uv.lock, with no src/, pyproject.toml, or config changes.
Tier 1 — Bugs / correctness
- Scope is clean. Only the 7 uv.lock files listed in the body are touched. No code, manifest, or CI changes leaked in.
- Version bumps look like legitimate Dependabot/uv output — pinned versions with sha256 hashes, all sourced from files.pythonhosted.org/pypi.org. No suspicious URLs or unexpected package additions:
  - starlette 1.0.0 → 1.0.1 (all envs)
  - authlib 1.7.0 → 1.7.1 (opencode_env, terminus_env)
  - gradio bump (textarena_env)
  - greenlet 3.5.0: pruning of s390x/riscv64 manylinux wheels, and a macholib/altgraph env-marker normalization — both benign uv resolver recomputations.
- openenv-core → openenv 0.3.1 consolidation is consistent. Several lockfiles replace the standalone openenv-core package (0.2.3 / 0.3.0) with openenv 0.3.1, including in the embedded requires-dist metadata. I verified this against the pyproject.toml manifests at the PR head (finqa, chess, julia, opencode, calendar, terminus) — they already declare openenv[core] / openenv, so these lockfiles are simply catching up to the already-migrated manifests. The resolved openenv 0.3.1 satisfies every manifest's version specifier.
Tier 2 — Alignment
No concerns. Lockfile-only change; no client/server boundary or invariant implications.
Note (non-blocking)
The body describes this as a pure "Dependabot rollup," but it also carries the openenv-core → openenv package consolidation. That change is correct and consistent with the manifests — just worth a line in the description so reviewers aren't surprised by the non-version-bump diff. Recommend confirming CI's uv lock --check (or equivalent) is green before merge, since lockfile resolution wasn't run as part of this automated review.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Verdict: Approve ✅
Reviewed as a Dependabot lockfile roll-up touching only 7 uv.lock files (no src/, no pyproject.toml, no code).
What it does
- Replaces locked openenv-core (0.2.3 / 0.3.0) with openenv 0.3.1 and rewrites each env's lock requires-dist/dependencies from openenv-core[core] → openenv[core].
- Patch bumps: starlette 1.0.0 → 1.0.1, authlib 1.7.0 → 1.7.1.
- Prunes some greenlet 3.5.0 wheels (s390x, riscv64) in calendar_env; refines a macholib → altgraph platform marker in chess_env.
Tier 1 — bugs/lint: None. Lockfiles only (not subject to Python lint). I verified the lock requires-dist entries are consistent with the base pyproject.toml specifiers on main (HEAD 7f17b2a2) for all 7 envs — the openenv-core → openenv rename already landed in source, so these locks mirror it correctly. Locked openenv==0.3.1 satisfies every floor, including opencode's >=0.3.0.
| Env | pyproject on main | lock after PR | OK |
|---|---|---|---|
| calendar | openenv>=0.2.0 | openenv>=0.2.0 | ✅ |
| chess | openenv[core]>=0.2.2 | openenv[core]>=0.2.2 | ✅ |
| finqa | openenv[core]>=0.2.2 | openenv[core]>=0.2.2 | ✅ |
| julia | openenv[core]>=0.2.2 | openenv[core]>=0.2.2 | ✅ |
| opencode | openenv[core]>=0.3.0 | openenv[core]>=0.3.0 | ✅ |
| terminus | openenv[core]>=0.2.2 | authlib bump only | ✅ |
| textarena | openenv[core]>=0.2.2 | openenv[core]>=0.2.2 | ✅ |
Tier 2 — alignment: No OpenEnv invariants touched — third-party env dependency bookkeeping with no interface, architecture, or behavioral change.
Non-blocking notes
- The pruned greenlet wheels are s390x / riscv64 only — irrelevant for the supported x86-64 / arm64 Docker targets.
- calendar_env's bare openenv>=0.2.0 now pulls the full framework transitively (vs. the old 2020 placeholder openenv 0.1.13); this matches the intent already encoded on main.
Automated review by Claude Code | Learn more
Rolls up the currently open Dependabot updates under envs/ so maintainers can merge them as one PR.

Includes:

Scope:
- envs/calendar_env/uv.lock
- envs/chess_env/uv.lock
- envs/finqa_env/uv.lock
- envs/julia_env/uv.lock
- envs/opencode_env/uv.lock
- envs/terminus_env/uv.lock
- envs/textarena_env/uv.lock

No src/ changes. Tests were not run because this only updates third-party environment lockfiles.