chore(deps-dev): bump pdoc from 15.0.4 to 16.0.0 #1594
dependabot[bot] wants to merge 1 commit into main from
LGTM — straightforward Dependabot dev-dependency bump with no production impact.
Extended reasoning...
Overview
This PR bumps pdoc from 15.0.4 to 16.0.0 in two files: the version constraint in pyproject.toml (docs extra) and the pinned entry in uv.lock. pdoc is a docs-generation tool listed only under the docs dependency group — it is not a runtime or test dependency.
Security Risks
None. pdoc is a documentation-generation utility with no role in authentication, data handling, or production execution paths.
Level of Scrutiny
Low. This is a standard automated Dependabot bump for a dev-only tool. The lock file correctly pins pdoc 16.0.0 and adds the new markdown2 transitive dependency. The only concern (flagged as a nit in an inline comment) is that the lower bound in pyproject.toml was not tightened to >=16.0.0 — standard Dependabot behavior. Since this affects only the docs extra and no uv-based workflow bypasses the lock file, the practical impact is negligible.
Other Factors
No prior reviews on this PR. The change is mechanical, self-contained, and follows the established pattern for Dependabot PRs in this repo.
| @@ -36,7 +36,7 @@ dev = [ | |||
| "opentelemetry-instrumentation-threading>=0.59b0,<1", | |||
| ] | |||
| docs = [ | |||
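Review bot: the hunk header `@@ -36,7 +36,7 @@` and the visible context lines stop at `docs = [`, so the changed `pdoc` constraint line itself (line 38, per the inline comment) falls outside what is shown here; confirm that line reads `pdoc>=16.0.0,<17` rather than `pdoc>=15.0.4,<17`, because only the uv.lock pin, not the pyproject.toml constraint, keeps a lock-bypassing `pip install "langfuse[docs]"` from resolving a pdoc 15.x release.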
🟡 The pdoc version constraint was updated to >=15.0.4,<17 but the lower bound was not updated to >=16.0.0, meaning environments that install without the lock file (e.g., pip install langfuse[docs]) could resolve to pdoc 15.x instead of the intended 16.x. Consider changing the constraint to pdoc>=16.0.0,<17 to match the PR's intent.
Extended reasoning...
What the bug is: The PR bumps pdoc from 15.0.4 to 16.0.0, and correctly updates the lock file to pin pdoc 16.0.0. However, the version constraint in pyproject.toml was changed from >=15.0.4,<16 to >=15.0.4,<17 — only widening the upper bound — rather than >=16.0.0,<17. This means the lower bound still allows any pdoc 15.x release to satisfy the constraint.
The specific code path: In pyproject.toml line 38, the docs extra dependency is declared as pdoc>=15.0.4,<17. A resolver that sees this constraint (without the lock file) is free to choose pdoc 15.0.4 as a valid solution.
Why existing code doesn't prevent it: The uv.lock file pins pdoc to exactly 16.0.0, so any uv sync or uv run invocation respects the lock and gets 16.0.0. However, anyone running pip install "langfuse[docs]" (a common workflow for users installing the docs extra manually, or in CI pipelines not using uv) bypasses the lock file entirely and relies solely on the pyproject.toml constraint. With >=15.0.4,<17, pip could resolve to 15.x.
Impact: pdoc 16.0.0 is a major version release with meaningful changes: it adds markdown2 as a new dependency, drops Python 3.9 support, and changes templating behavior. Running with pdoc 15.x versus 16.x would produce different documentation output and could silently fail to include markdown2. That said, this is a docs-only dev dependency, so production users are entirely unaffected.
How to fix it: Change line 38 in pyproject.toml from pdoc>=15.0.4,<17 to pdoc>=16.0.0,<17.
Step-by-step proof:
- A user runs pip install "langfuse[docs]" (not using uv, no lock file honored).
- pip sees the constraint pdoc>=15.0.4,<17.
- pip resolves the latest compatible version — normally 16.0.0 — but if 16.0.0 is yanked or if the user has a conflicting constraint pinning an older version, pip could legitimately choose any pdoc 15.x release (e.g., 15.0.4).
- The installed pdoc 15.x lacks the markdown2 dependency and has different rendering behavior compared to 16.x.
- The developer or CI system gets unexpected documentation output without any error indicating the wrong version is installed.
Addressing the refutation: The refutation correctly notes this is standard Dependabot behavior — Dependabot typically only widens the upper bound. However, "standard Dependabot behavior" and "correct constraint" are different things. The constraint >=15.0.4,<17 is technically imprecise for a PR whose stated goal is to adopt pdoc 16.0.0. This is a nit rather than a blocking issue because the lock file protects most real workflows, but tightening the lower bound is a small, low-risk improvement worth noting.
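As an added illustration of the constraint-versus-lock reasoning in the comment above (example code, not langfuse's or pdoc's own; the function names, the constructed inputs and the simplified `>=X,<Y` specifier grammar are assumptions), the following stand-alone check shows which releases each constraint admits and flags a lower bound that sits below the version the lock file pins:

```python
"""Compare a pyproject.toml version constraint against a lock-file pin.

Added example (not langfuse's or pdoc's own code). It understands only the
plain ``>=X,<Y`` style of PEP 440 specifier seen in this PR: no extras,
pre-releases, wildcards or ``~=``. Function names and inputs are assumptions.
"""
from __future__ import annotations

import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample inputs mirroring the PR discussion.
MERGED_CONSTRAINT = "pdoc>=15.0.4,<17"      # what Dependabot produced
PROPOSED_CONSTRAINT = "pdoc>=16.0.0,<17"    # what the inline comment suggests
LOCKED_VERSION = "16.0.0"                   # the uv.lock pin

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

_NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)(.*)$")
_SPEC_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Version:
    """Turn '15.0.4' into (15, 0, 4); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def split_requirement(req: str) -> Tuple[str, List[Clause]]:
    """Split 'pdoc>=15.0.4,<17' into ('pdoc', [('>=', (15,0,4)), ('<', (17,))])."""
    m = _NAME_RE.match(req.strip())
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    name, rest = m.group(1), m.group(2)
    clauses: List[Clause] = []
    for clause in (c.strip() for c in rest.split(",")):
        if not clause:
            continue
        sm = _SPEC_RE.match(clause)
        if not sm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((sm.group(1), parse_version(sm.group(2))))
    return name, clauses


def _cmp(a: Version, b: Version) -> int:
    """Three-way compare with zero padding, so (17,) == (17, 0, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def satisfies(version: str, req: str) -> bool:
    """True when every clause of the requirement admits this version."""
    v = parse_version(version)
    _, clauses = split_requirement(req)
    return all(_OPS[op](_cmp(v, bound)) for op, bound in clauses)


def admitted(candidates: Iterable[str], req: str) -> List[str]:
    """The subset of candidate releases a resolver may legitimately pick."""
    return [c for c in candidates if satisfies(c, req)]


def lower_bound_gap(req: str, locked: str) -> Optional[str]:
    """Describe the mismatch when the constraint admits releases older than the pin."""
    name, clauses = split_requirement(req)
    pin = parse_version(locked)
    if not satisfies(locked, req):
        return f"{name}: lock pin {locked} does not satisfy {req}"
    floors = [b for op, b in clauses if op in (">=", ">", "==")]
    if not floors or all(_cmp(b, pin) < 0 for b in floors):
        shown = ", ".join(".".join(map(str, b)) for b in floors) or "none"
        return f"{name}: lower bound ({shown}) is below lock pin {locked}; consider {name}>={locked}"
    return None


if __name__ == "__main__":
    releases = ["15.0.4", "15.1.0", "16.0.0", "17.0.0"]  # constructed list
    for req in (MERGED_CONSTRAINT, PROPOSED_CONSTRAINT):
        print(f"{req}: admits {admitted(releases, req)}")
        print(f"  lock check: {lower_bound_gap(req, LOCKED_VERSION) or 'ok'}")
```

Running it prints that the merged constraint still admits both 15.x releases while the proposed one admits only 16.0.0; the `lower_bound_gap` report is the check a CI step could run over every lock pin to catch the same drift in other bumps.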
Bumps [pdoc](https://github.com/mitmproxy/pdoc) from 15.0.4 to 16.0.0.
- [Changelog](https://github.com/mitmproxy/pdoc/blob/main/CHANGELOG.md)
- [Commits](mitmproxy/pdoc@v15.0.4...v16)

---
updated-dependencies:
- dependency-name: pdoc
  dependency-version: 16.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
a13c516 to 9e9d17b
Bumps pdoc from 15.0.4 to 16.0.0.
Changelog
Sourced from pdoc's changelog.
Commits
- 6677d73 pdoc 16.0.0
- 3f75834 Support Pydantic model defaults + field descriptions (#802)
- f19fbf7 Add support for Python 3.14 (#843)
- 8aa648f Bump mhils/workflows in the dependencies group (#844)
- b782455 Add support for keyword args for Google flavor docs (#840)
- 34c7759 Drop Support for Python 3.9 (#842)
- 0f27371 fix: remove hard-coded pdoc mention from title in template (#841)
- a12c236 Add new pdoc logo (#838)
- 0f308ab Bump mhils/workflows in the dependencies group (#837)
- 7c880c5 Replace vendored markdown2 w/ official upstream (#836)