Feat/sync dev with v1.8.2 #366
base: dev
…ve issues with flakeheaven pre-commit validation
…re-commit CI to try to solve the issue with flakeheaven
feat/upgrade_protobuf_version
Walkthrough
The changes in this pull request involve updates to several configuration files related to dependency management and versioning. The GitHub Actions workflow for pre-commit has been modified to enforce specific Python version constraints. The changelog has been updated to reflect a new version entry with a change in the Changes
New and removed dependencies detected (Socket for GitHub).
🚮 Removed packages: pypi/aiohappyeyeballs@2.4.0, pypi/aiohttp@3.10.5, pypi/aioresponses@0.7.6, pypi/bitarray@2.9.2, pypi/charset-normalizer@3.3.2
Actionable comments posted: 1
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
- .github/workflows/pre-commit.yml (1 hunks)
- CHANGELOG.md (1 hunks)
- buf.gen.yaml (1 hunks)
- pyproject.toml (4 hunks)
✅ Files skipped from review due to trivial changes (1)
- CHANGELOG.md
🔇 Additional comments (5)
.github/workflows/pre-commit.yml (1)
15-16: LGTM! Python version constraint is well-defined.
The version range >=3.9 <3.12 aligns with the project's requirements and provides a good balance between flexibility and stability.
Let's verify compatibility with key dependencies:
✅ Verification successful: Python version constraint is appropriate and consistent
The version constraint >=3.9 <3.12 in the pre-commit workflow aligns perfectly with:
- Project's base requirement of python = "^3.9" in pyproject.toml
- Test matrix covering Python 3.9, 3.10, and 3.11
- Black formatter's target versions: py39, py310, py311
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check if any dependencies in pyproject.toml specify Python version constraints
rg -A 1 'python = ".*"' pyproject.toml
# Check if any dependencies have known issues with Python 3.11
rg -l 'python_version.*3\.11' .github/
Length of output: 211
Script:
#!/bin/bash
# Check for any Python version constraints in requirements files
fd -e txt -e in requirements | xargs rg 'python_version|Python'
# Check for any Python version constraints in setup files
fd -e cfg -e py setup | xargs rg 'python_version|requires.*Python'
# Look for any CI/test configurations that might specify Python versions
fd -e yml -e yaml | xargs rg 'python-version|PYTHON_VERSION'
Length of output: 66363
Script:
#!/bin/bash
# Check Python version constraints in pyproject.toml
cat pyproject.toml
# Check for any Python version constraints in CI workflows
fd -e yml -e yaml .github/workflows/ | xargs cat
Length of output: 2947
Script:
#!/bin/bash
# Check Python version constraints in CI workflows with corrected path
fd . '.github/workflows/' -e yml -e yaml | xargs cat
Length of output: 2630
buf.gen.yaml (1)
7-7: LGTM! Minor version update for gRPC plugin.
The update from v1.65.4 to v1.65.5 is a patch version change and should be safe.
Let's verify compatibility with related dependencies:
✅ Verification successful: LGTM! The gRPC plugin update is compatible with dependencies
The project uses flexible version constraints for gRPC dependencies (grpcio = "*", grpcio-tools = "*"), and the protobuf dependency is pinned to ^5.26.1. The update from v1.65.4 to v1.65.5 of the gRPC Python plugin is a patch version change, which is safe and compatible with these dependencies.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check protobuf and grpc dependencies in the project
rg -A 1 'protobuf|grpc' pyproject.toml
# Check for any potential breaking changes in the gRPC plugin
curl -s "https://raw.githubusercontent.com/grpc/grpc/v1.65.5/doc/python/changelog.md" | grep -A 5 "1.65.5"
Length of output: 273
pyproject.toml (3)
25-25: Security-related version constraint change for aiohttp.
The comment indicates this is a security-related dependency. Changing from >=3.9.4 to ^3.9.4 might allow future versions that could reintroduce security issues.
Let's verify the security implications:
✅ Verification successful: Using ^3.9.4 is appropriate for security constraints
The caret (^) constraint in ^3.9.4 allows updates to patch and minor versions while keeping the major version fixed (3.x.x). This is actually safer than >=3.9.4 because:
- It prevents updates to version 4.x.x which could introduce breaking changes or new vulnerabilities
- It allows security patches within the 3.x series, which is important as shown by recent advisories:
  - 3.10.11 fixes request smuggling and memory leak issues
  - 3.10.2 fixes path traversal in compressed files
  - 3.9.4 fixes DoS and XSS vulnerabilities
The current constraint ^3.9.4 ensures you get these security fixes while maintaining compatibility.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check for known security advisories for aiohttp
gh api graphql -f query='
{
securityVulnerabilities(first: 5, ecosystem: PIP, package: "aiohttp") {
nodes {
advisory {
summary
severity
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'
Length of output: 1618
34-34: Consider implications of relaxing protobuf version constraint.
Changing from =5.26.1 to ^5.26.1 could lead to compatibility issues with the gRPC plugins and generated code.
Let's verify compatibility:
✅ Verification successful
Let me analyze the results and generate a final response.
Relaxing protobuf version constraint appears safe
The codebase heavily uses protobuf for generated code but:
- No explicit version requirements found in the generated code
- Uses standard protobuf imports and APIs that are stable across 5.x versions
- Generated code uses core protobuf features (descriptors, builders, symbol database) that maintain compatibility in minor versions
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check for any protobuf version requirements in generated code
rg -l 'proto.*5\.26\.1' pyinjective/proto/
# Check for any version-specific imports or features
rg 'from google.protobuf' pyinjective/proto/
Length of output: 68226
54-54: Verify the need for importlib-metadata constraint.
Adding importlib-metadata = "<5.0" with an upper bound suggests potential compatibility issues. Please document the reason for this constraint.
Let's check for related issues:
@@ -1,6 +1,6 @@ | |||
[tool.poetry] | |||
name = "injective-py" | |||
version = "1.8.1" | |||
version = "1.9.0-pre" |
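Review bot: The bump to version = "1.9.0-pre" in this hunk does not match the v1.8.2 release named in the PR title, and the CHANGELOG change in this PR adds a 1.8.2 entry, so a dev branch synced from that release would normally carry 1.8.2 in its package metadata; if dev is meant to move ahead to the next pre-release as part of this sync, state that in the PR description, otherwise set the version to match the changelog entry.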
Version number inconsistent with PR objective.
The PR title suggests syncing with v1.8.1, but the version is being bumped to 1.9.0-pre. This seems inconsistent with the PR's objective.
Please clarify if this version bump is intentional or if it should remain at 1.8.1 to align with the PR's purpose.
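Added example (not the project's or CodeRabbit's code) for the caret-versus->= point raised in the pyproject.toml review above: it expands a Poetry caret constraint into the range Poetry resolves it to and checks the versions the review names, together with the =5.26.1 / ^5.26.1 protobuf case, against each constraint. Only plain X.Y.Z versions are handled; pre-release tags are out of scope.

```python
"""Poetry-style version constraint checker (added example, not project code).
Expands a caret constraint such as ^3.9.4 into the range Poetry uses
(>=3.9.4,<4.0.0) and tests candidate versions against it, so the
">=3.9.4" vs "^3.9.4" point from the review can be checked directly.
Only plain X.Y.Z versions are handled (no pre-release tags)."""
import operator
import re

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq, "=": operator.eq}


def parse_version(text):
    """'3.10.11' -> (3, 10, 11); shorter versions are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def caret_to_range(constraint):
    """^X.Y.Z -> '>=X.Y.Z,<upper', where the leftmost non-zero component
    may not change (^3.9.4 -> <4.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4)."""
    major, minor, patch = parse_version(constraint.lstrip("^"))
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return f">={major}.{minor}.{patch},<{'.'.join(map(str, upper))}"


def satisfies(version, constraint):
    """True if `version` is allowed by a Poetry constraint: a caret, or a
    comma-separated list of >=, >, <=, <, ==, = clauses."""
    if constraint.startswith("^"):
        constraint = caret_to_range(constraint)
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<|=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


if __name__ == "__main__":
    # Constraints from the PR's pyproject.toml against versions the review names.
    for c in (">=3.9.4", "^3.9.4", "=5.26.1", "^5.26.1"):
        candidates = ("3.9.3", "3.10.11", "4.0.0", "5.26.1", "5.28.0", "6.0.0")
        print(f"{c:>8} allows", [v for v in candidates if satisfies(v, c)])
```

The output shows that >=3.9.4 admits 4.0.0 while ^3.9.4 stops at the 3.x series, and that ^5.26.1 admits 5.28.0 where the old =5.26.1 pin did not.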
(cherry picked from commit eb70492)
Summary by CodeRabbit
New Features
- 1.9.0-pre.
- importlib-metadata for improved compatibility.
Bug Fixes
- protobuf dependency version.
Documentation
- 1.8.2 and various dependency updates.
Chores