chore(deps): bump tornado from 6.5.5 to 6.5.6 in /envs/wildfire_env#791
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to 6.5.6.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.5...v6.5.6)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Review: Two changes bundled — one is a lock/manifest inconsistency
The tornado bump itself (6.5.5 → 6.5.6) is correct and welcome. However, the uv.lock contains a second, unrelated change that needs attention before this can be merged.
Issue: openenv-core → openenv rename in the lock file
The lock file quietly upgrades and renames the core dependency:

| | Before | After |
|---|---|---|
| Package name | openenv-core | openenv |
| Version | 0.2.3 | 0.3.1 |

But pyproject.toml still declares:

`"openenv-core[core]>=0.2.0",`

The lock file and the manifest now reference different package names. This means the lock file cannot be faithfully reproduced from the manifest: anyone running `uv sync` from scratch against the current pyproject.toml will resolve a different dependency graph than what is pinned in the lock file.
What needs to happen
Either:
- Revert the lock file to only the tornado change: regenerate `uv.lock` without the `openenv-core` → `openenv` upgrade, so this PR is truly scoped to tornado only; or
- Update `pyproject.toml` to match: change `openenv-core[core]>=0.2.0` to `openenv[core]>=0.3.1` and handle that in a separate, intentional PR with proper context on the rename.
Bundling a package-identity change into a Dependabot patch PR makes it invisible to reviewers who will approve this as a safe security bump.
Automated review by Claude Code | Learn more
Rolled into #789 so maintainers can merge the env Dependabot updates together.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review Report
Automated Checks
- Lint: PASS (for the one changed file `envs/wildfire_env/uv.lock`; a pre-existing unrelated `ruff` error exists elsewhere in the repo but is out of scope for this PR)
- Debug code: CLEAN (lock file only)
Tier 1: Fixes Required
- `envs/wildfire_env/uv.lock`: The diff contains a second, unrelated change bundled alongside the tornado bump: `openenv-core 0.2.3` has been silently replaced by `openenv 0.3.1` throughout the lock file (package rename + minor version bump). This is not a tornado dependency change; it is an independent upgrade of the core OpenEnv library.
- `envs/wildfire_env/pyproject.toml`: The declared dependency is still `openenv-core[core]>=0.2.0`, but the lock file now resolves to `openenv[core]==0.3.1`. These are mismatched: the manifest names a package (openenv-core) that no longer exists in the lock. Any fresh `uv sync` from `pyproject.toml` alone would fail or resolve differently. The `pyproject.toml` must be updated to `openenv[core]>=0.3.1` (or the lock file must be regenerated against the existing manifest).
Tier 2: Alignment Discussion
ALIGNMENT FLAG: Undeclared core-library upgrade bundled in a dependabot patch PR
- Principle at stake: "Minimize lifecycle deltas" (PRINCIPLES.md). Lock file and manifest must stay coherent; a silently bumped core library can cause training/production divergence if other envs or the test harness still expect `openenv-core`.
- The concern: The rename `openenv-core` -> `openenv` and the jump from 0.2.3 to 0.3.1 is a non-trivial change to a core dependency. It was not part of the stated PR scope (tornado 6.5.5 -> 6.5.6), was not mentioned in the PR body, and the `pyproject.toml` was not updated to match, leaving the manifest and lock file inconsistent.
- Suggested reviewer: @Darktex
Summary
- 2 mechanical issues to fix (lock/manifest mismatch, undeclared bundled upgrade)
- 1 alignment point for human review
The tornado bump itself (6.5.5 -> 6.5.6, single [[package]] block, correct hashes, all 9 wheel variants present, scoped exclusively to envs/wildfire_env/uv.lock) is correct and clean. The PR cannot be approved as-is due to the pyproject.toml / lock file mismatch introduced by the bundled openenv-core -> openenv rename.
Bumps tornado from 6.5.5 to 6.5.6.
Changelog
Sourced from tornado's changelog.
... (truncated)
Commits
- aba2569 Merge pull request #3626 from bdarnell/fixes-656
- a24b260 httpclient_test: Accept an additional error message variant
- a74240a Release notes and version bump for 6.5.6.
- e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
- 96dc88c speedups: validate mask length
- ff808b3 http1connection: Enforce max_body_size in _GzipMessageDelegate
- ede4e37 auth: Correctly parse check_authentication response
- 1c178be Remove obsolete curl force_timeout workaround
- c99d55b Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION
- 2761431 Merge pull request #3587 from bdarnell/fix-link

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.