[S360] Add version constraints from root constraint-dependencies #216
Merged
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
Pull request overview
This PR introduces a custom PEP 517 build backend to ensure published wheel metadata includes centralized minimum-version constraints (from the root tool.uv.constraint-dependencies) instead of shipping bare dependency names from per-package pyproject.toml files.
Changes:
- Added versioning/helper/build_backend.py wrapping setuptools.build_meta to inject constraints during wheel/sdist/metadata builds.
- Enhanced versioning/helper/setup_utils.py to read root constraints and apply them to bare external dependencies.
- Updated multiple library pyproject.toml files to use the new build_backend via backend-path.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| versioning/helper/setup_utils.py | Parses root constraint-dependencies and applies them to bare external deps in get_dynamic_dependencies(). |
| versioning/helper/build_backend.py | New build backend that rewrites pyproject.toml during build to inject centralized constraints into published metadata. |
| libraries/microsoft-agents-a365-tooling/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-tooling-extensions-semantickernel/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-tooling-extensions-openai/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-tooling-extensions-googleadk/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-tooling-extensions-azureaifoundry/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-tooling-extensions-agentframework/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-runtime/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-hosting/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-extensions-semantickernel/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-extensions-openai/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-extensions-langchain/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-extensions-agentframework/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-observability-core/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
| libraries/microsoft-agents-a365-notifications/pyproject.toml | Switches build backend to build_backend with backend-path to enable constraint injection. |
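
A release gate for the property this PR is after, as an added example that is not part of the PR or the project's code: it reads the `Requires-Dist` headers of a built wheel's METADATA and reports every dependency published without a version specifier. The function names and the sample METADATA are constructed for illustration.

```python
import re
import zipfile
from email.parser import Parser

# Constructed sample: METADATA as it might appear inside a built wheel.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-package
Version: 0.1.0
Requires-Dist: requests
Requires-Dist: pydantic>=2.0
Requires-Dist: httpx[http2] ; python_version >= "3.9"
Requires-Dist: azure-core (>=1.30)
Requires-Dist: example-internal @ https://example.invalid/example_internal-1.0.tar.gz
Requires-Dist: typing-extensions>=4.0 ; extra == "dev"

Example description body.
"""

# Distribution name, optional [extras], then the remainder (specifier or URL).
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def bare_requirements(metadata_text):
    """Return names of Requires-Dist entries that carry no version specifier."""
    headers = Parser().parsestr(metadata_text, headersonly=True)
    bare = []
    for value in headers.get_all("Requires-Dist", []):
        requirement = value.split(";", 1)[0]      # drop the environment marker
        match = _REQ.match(requirement)
        if match is None:
            bare.append(value.strip())            # unparseable: report as-is
            continue
        name, _extras, rest = match.groups()
        rest = rest.strip().strip("()").strip()   # old "(>=1.0)" form allowed
        if rest.startswith("@"):                  # direct reference, fixed by URL
            continue
        if not rest:                              # nothing follows the name
            bare.append(name)
    return bare

def bare_requirements_in_wheel(wheel_path):
    """Run the same check against the METADATA file inside a wheel."""
    with zipfile.ZipFile(wheel_path) as wheel:
        for member in wheel.namelist():
            if member.endswith(".dist-info/METADATA"):
                return bare_requirements(wheel.read(member).decode("utf-8"))
    raise ValueError("no .dist-info/METADATA in " + str(wheel_path))
```

Failing the publish step when the returned list is non-empty catches a package that was built without the constraint-injecting backend.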
added 4 commits March 31, 2026 14:45
…microsoft/Agent365-python into users/gwharris7/fix-setup-utils
ajmfehr approved these changes Apr 1, 2026
sellakumaran approved these changes Apr 1, 2026
Problem:
Package pyproject.toml files declare dependencies by name only (no version)
for uv workspace resolution. But setuptools.build_meta copies these bare names
into published wheels, allowing vulnerable old versions to satisfy the constraint.
Solution:
This backend intercepts the wheel/sdist build, temporarily rewrites pyproject.toml
to include version constraints from the root constraint-dependencies, builds the
package, then restores the original file.
Usage in package pyproject.toml:
[build-system]
requires = ["setuptools>=68", "wheel", "tzdata"]
build-backend = "build_backend"
backend-path = ["../../versioning/helper"]
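Review bot: backend-path = ["../../versioning/helper"] in the usage example points outside the package's own source tree, which PEP 517 does not allow (backend-path entries must resolve to a location inside the source tree), and an sdist of the package will not contain versioning/helper, so a wheel built from that sdist cannot import build_backend. Either document that these packages can only be built from the monorepo checkout, or vendor the helper into each package at build time. Separately, the Solution paragraph describes rewriting pyproject.toml in place and restoring it afterwards; the docstring should say how restoration is guaranteed when the build raises or is interrupted (for example a finally block, or building from a temporary copy), because a leftover rewritten file would be easy to commit by accident. The requires list also adds tzdata without a comment explaining why the build needs it.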