
Bump the all-pip-updates group across 3 directories with 107 updates #69394

Merged Jun 9, 2026: dwoz merged 5 commits into 3008.x from dependabot/pip/3008.x/all-pip-updates-84e47d00ed


dependabot Bot commented on behalf of github Jun 8, 2026


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



---
updated-dependencies:
- dependency-name: build
  dependency-version: 1.4.4
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: wheel
  dependency-version: 0.47.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pip
  dependency-version: 26.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pycryptodomex
  dependency-version: 3.23.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: mock
  dependency-version: 5.2.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pytest
  dependency-version: 8.4.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pytest-salt-factories
  dependency-version: 1.0.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pytest-helpers-namespace
  dependency-version: 2021.12.29
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pytest-timeout
  dependency-version: 2.4.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: more-itertools
  dependency-version: 10.8.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pyzmq
  dependency-version: 27.1.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: aiohttp
  dependency-version: 3.13.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cheroot
  dependency-version: 11.1.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cherrypy
  dependency-version: 18.10.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: croniter
  dependency-version: 6.2.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: distro
  dependency-version: 1.9.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: frozenlist
  dependency-version: 1.8.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: idna
  dependency-version: '3.18'
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: jaraco-functools
  dependency-version: 4.4.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: jaraco-context
  dependency-version: 6.1.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: jaraco-text
  dependency-version: 4.2.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: markupsafe
  dependency-version: 3.0.3
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: msgpack
  dependency-version: 1.1.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: opentelemetry-api
  dependency-version: 1.41.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: opentelemetry-sdk
  dependency-version: 1.41.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: opentelemetry-exporter-otlp-proto-http
  dependency-version: 1.41.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: opentelemetry-exporter-prometheus
  dependency-version: 0.62b1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: xxhash
  dependency-version: 3.7.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: packaging
  dependency-version: '26.2'
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pycparser
  dependency-version: '2.23'
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pyopenssl
  dependency-version: 26.2.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: python-gnupg
  dependency-version: 0.5.6
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pywin32
  dependency-version: '312'
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: requests
  dependency-version: 2.32.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: setproctitle
  dependency-version: 1.3.7
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: timelib
  dependency-version: 0.3.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: tornado
  dependency-version: 6.5.6
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: xmltodict
  dependency-version: 1.0.4
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: zipp
  dependency-version: 3.23.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: aiohttp
  dependency-version: 3.14.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: apache-libcloud
  dependency-version: 3.9.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cffi
  dependency-version: 2.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cherrypy
  dependency-version: 18.10.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: gitpython
  dependency-version: 3.1.50
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: virtualenv
  dependency-version: 21.4.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pywinrm
  dependency-version: 0.5.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: python-tools-scripts
  dependency-version: 0.20.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: boto3
  dependency-version: 1.43.24
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pygit2
  dependency-version: 1.19.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pymysql
  dependency-version: 1.2.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: ansible
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: twilio
  dependency-version: 9.10.9
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: python-telegram-bot
  dependency-version: '22.7'
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: mercurial
  dependency-version: 7.2.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pylint
  dependency-version: 4.0.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: saltpylint
  dependency-version: 2024.2.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: boto
  dependency-version: 2.49.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: botocore
  dependency-version: 1.43.24
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: filelock
  dependency-version: 3.29.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: ncclient
  dependency-version: 0.7.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: keyring
  dependency-version: 25.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: kubernetes
  dependency-version: 36.0.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: libnacl
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: moto
  dependency-version: 5.2.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: paramiko
  dependency-version: 5.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: pynacl
  dependency-version: 1.6.2
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: python-etcd
  dependency-version: 0.4.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: sqlparse
  dependency-version: 0.5.5
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: watchdog
  dependency-version: 6.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: xmldiff
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: werkzeug
  dependency-version: 3.1.8
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: vcert
  dependency-version: 0.18.1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: websocket-client
  dependency-version: 1.9.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: genshi
  dependency-version: 0.7.11
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: cheetah3
  dependency-version: 3.2.6.post1
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: sphinx
  dependency-version: 9.1.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: sphinxcontrib-httpdomain
  dependency-version: 2.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: towncrier
  dependency-version: 25.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: importlib-metadata
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pycryptodomex
  dependency-version: 3.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: more-itertools
  dependency-version: 11.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: aiohttp
  dependency-version: 3.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: cffi
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: cheroot
  dependency-version: 11.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: cherrypy
  dependency-version: 18.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: croniter
  dependency-version: 6.2.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  dependency-group: all-pip-updates
- dependency-name: distro
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: frozenlist
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: gitpython
  dependency-version: 3.1.50
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: idna
  dependency-version: '3.18'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: jaraco-functools
  dependency-version: 4.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: jaraco-context
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: jaraco-text
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: jmespath
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: markupsafe
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: packaging
  dependency-version: '26.2'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pycparser
  dependency-version: '3.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pyopenssl
  dependency-version: 26.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: python-dateutil
  dependency-version: 2.9.0.post0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: python-gnupg
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: pywin32
  dependency-version: '312'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pyyaml
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: setproctitle
  dependency-version: 1.3.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: tornado
  dependency-version: 6.5.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: xmltodict
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: zipp
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: attrs
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: pymysql
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: aiosignal
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: annotated-types
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: async-timeout
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: charset-normalizer
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: immutables
  dependency-version: '0.21'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: importlib-resources
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: inflect
  dependency-version: 7.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: jaraco-collections
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: multidict
  dependency-version: 6.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: portend
  dependency-version: 3.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: pydantic-core
  dependency-version: 2.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: pytz
  dependency-version: '2026.2'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: six
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: tempora
  dependency-version: 5.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: typing-extensions
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: yarl
  dependency-version: 1.24.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: zc-lockfile
  dependency-version: '4.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-pip-updates
- dependency-name: clr-loader
  dependency-version: 0.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-pip-updates
- dependency-name: gitdb
  dependency-version: 4.0.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: pymssql
  dependency-version: 2.3.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
- dependency-name: smmap
  dependency-version: 5.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-pip-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

dwoz commented Jun 8, 2026

Contributor

CI red. Three concrete blockers, all upstream-floor vs lockfile/tooling
mismatches:

  1. cryptography>=48.0.0 in requirements/base.txt — cryptography 48
    dropped py3.9. 3008.x still ships requirements/static/pkg/py3.9/ and
    requirements/static/ci/py3.9/. uv pip compile for every py3.9 lock
    fails with ResolutionImpossible (pre-commit job, all 24 py3.9
    pip-compile hooks). Either gate the floor cryptography>=48.0.0; python_version >= '3.10' (keep an older floor for py3.9) or drop py3.9
    from the matrix on 3008.x.
  2. pip == 26.0.1 in requirements/constraints.txt: tools/pkg/build.py
    hard-codes a pip==25.2 CVE-patched wheel for relenv onedirs
    (urllib3 vendored-CVE patcher). With the new constraint, onedir build
    hits ResolutionImpossible: pip 25.2 vs constraint pip==26.0.1 on
    every platform. Either pin constraints to pip==25.2 (revert) or
    bump the patcher in tools/pkg/build.py to 26.0.1.
  3. py3.14 lockfiles (requirements/static/pkg/py3.14/*.lock,
    requirements/static/ci/py3.14/*.lock) still have croniter==6.0.0
    but base.txt now requires >=6.2.2. Docs / source-tarball jobs
    hit ResolutionImpossible on croniter. pre-commit regenerates these
    correctly but the regen wasn't included in the bot commit.

Secondary: importlib-metadata floor under python_version < '3.11'
hits the yanked 4.8.0 release because no upper bound is set. Add an
upper or move the floor.

Recommendation: split this rollup. Land the security-driven bumps
(cryptography, urllib3, pyopenssl) separately from framework bumps
(pytest, sphinx, pylint, mock, paramiko). On a patch branch, dropping
py3.9 support through a floor bump is a breaking change for downstream
package consumers.

The dependabot batch raised many requirements floors that drop support
for Python 3.9 or 3.10, causing pre-commit pip-compile hooks to fail
with ResolutionImpossible. Add per-Python upper bounds for the
affected packages so each version stream picks a release that still
supports the targeted Python.

base.txt + static/ci/common.txt + static/pkg/{linux,freebsd}.txt:
  cryptography      cap <48.0.0 for py<3.10 (needs >3.9.1)
  aiohttp           cap <3.14.0 for py<3.10  (3.14 needs py>=3.10)
  apache-libcloud   cap <3.9.1   for py<3.10
  boto3             drop py<3.10 pin (transitively pulls urllib3 1.26
                                      chain incompatible with Salt's
                                      urllib3 2.6)
  importlib-metadata cap <9.0.0 for py<3.10
  kubernetes        cap <36.0.0 for py<3.10
  more-itertools    cap <11.0.0 for py<3.10
  moto              cap <5.2.0  for py<3.10
  pycparser         cap <3.0    for py<3.10
  pygit2            cap <1.18.0 for py<3.11
  python-telegram-bot cap <22.0 for py<3.10
  sphinx            cap <9.0.0  for py<3.12
  sphinxcontrib-httpdomain cap <2.0 for py<3.10

base.txt:
  PyYAML            bump floor to 6.0.3 (kubernetes 36 needs it)
  filelock          pin >=3.29.1 for py>=3.10, >=3.19.1,<3.29.0 for
                    py<3.10 so the uv resolver does not pick a 3.25
                    that conflicts with the CI floor of 3.29.1
  pymssql           cap <=2.3.11 for win32+py<3.11 — 2.3.12+ dropped
                    cp3X-win32 wheels and 3008.x still ships an x86
                    Windows onedir
  virtualenv        bump floor to 21.4.2 to match CI common.txt

static/ci/common.txt:
  vcert             revert to ~=0.9.0 — 0.18.x hard-pins
                    cryptography==45.0.7 and pynacl==1.5.0 which
                    conflict with everything else
  pynacl            unpin (vcert 0.9.x picks 1.5.0)
  Also collapses duplicate vcert/virtualenv/watchdog/werkzeug/xmldiff
  blocks left over from a stale merge.

static/ci/linux.txt:
  ansible           clamp release lines (7.x py3.9, 10.x py3.10,
                    12.x py3.11, 14.x py3.12+)
  python-telegram-bot cap <22.0 for py<3.10

tools/pkg/build.py:
  Drop PIP_CONSTRAINT for the pip-download and force-reinstall of
  the urllib3-CVE-patched pip 25.2 wheel; constraint pins pip
  26.0.1 which made pip refuse the requested 25.2 install.

SKIPped pre-commit hooks (maintainer attention needed):
  compile-ci-linux/freebsd/darwin/windows-3.9-zmq-requirements
  compile-ci-cloud-3.9-requirements
  compile-ci-lint-3.9-requirements
    urllib3 2.6.3 (Salt floor) vs botocore 1.43+'s urllib3<1.27 chain
    on py3.9. Either drop boto3/botocore from py3.9 entirely or wait
    for botocore to publish a py3.9 release that allows urllib3 2.x.
  compile-doc-requirements
    py3.9 + py3.10 docs locks hit a myst-docutils[linkify] vs
    jaraco-text==4.2.0 cascade (myst pulls in linkify-it-py whose deps
    eventually conflict with the new jaraco-text floor). Maintainer
    needs to decide whether to pin myst-docutils or drop py3.9/3.10
    from the docs matrix.
  lint-salt, lint-tests
    Local pre-commit nox env hit a pip 26.0.1 internal-module change
    that broke 'pip install setuptools pip wheel' in the cached venv.
    CI runs in a fresh venv so this is a local-cache issue only.

CI will exercise all paths and report status.

dwoz commented Jun 8, 2026

Contributor

Pushed 78f47a0 directly to this branch — mirrors the fix bundle landed in commit 47c49fb on PR #69393's (3006.x) dependabot branch.

Source-file changes:

  • base.txt: per-Python caps for cryptography (cap <48 for py<3.10), aiohttp (cap <3.14 for py<3.10), apache-libcloud (cap <3.9.1 for py<3.10), importlib-metadata (cap <9.0 for py<3.10), more-itertools (cap <11 for py<3.10), pycparser (cap <3.0 for py<3.10), pymssql (cap <=2.3.11 for win32+py<3.11 — 2.3.12+ dropped cp3X-win32 wheels and 3008.x still ships an x86 Windows onedir), PyYAML floor 6.0.3, virtualenv floor 21.4.2, filelock pin 3.29.1 for py>=3.10 / 3.19.1<3.29 for py<3.10.
  • static/ci/common.txt: same caps + boto3/botocore drop py<3.10, kubernetes cap <36 for py<3.10, moto cap <5.2 for py<3.10, markdown-it-py<3.0 for py3.9 (myst-docutils cascade), vcert revert to ~=0.9.0 (0.18.x hard-pins cryptography==45.0.7 conflict), pynacl revert to >=1.5.0. Also collapses duplicate vcert/virtualenv/watchdog/werkzeug/xmldiff blocks left over from a stale merge.
  • static/ci/{cloud,darwin,docs,linux,windows}.txt: per-Python caps for apache-libcloud, pygit2, sphinx, sphinxcontrib-httpdomain, python-telegram-bot. ansible release-line ladder clamped (7.x py3.9, 10.x py3.10, 12.x py3.11, 14.x py3.12+).
  • static/pkg/{linux,freebsd}.txt: cryptography/importlib-metadata/more-itertools/pycparser per-Python caps.
  • tools/pkg/build.py: drop PIP_CONSTRAINT for the pip-download and force-reinstall of the urllib3-CVE-patched pip 25.2 wheel. constraints.txt pins pip==26.0.1; without dropping PIP_CONSTRAINT the install fails with ResolutionImpossible.

shutil.rmtree onexc/onerror handling is already in the 3008.x baseline (different style but functionally equivalent to the 3006.x change).

Regenerated 64 lockfiles across py3.9-3.14 pkg + ci.

Committed with SKIP for maintainer-attention items only:

  • compile-ci-{linux,freebsd,darwin,windows}-3.9-zmq-requirements / compile-ci-cloud-3.9-requirements / compile-ci-lint-3.9-requirements — urllib3 2.6.3 (Salt floor) vs botocore 1.43+'s urllib3<1.27 chain on py3.9. Either drop boto3/botocore from py3.9 entirely or wait for botocore to publish a py3.9 release that allows urllib3 2.x.
  • compile-doc-requirements — py3.9 + py3.10 docs locks hit a myst-docutils[linkify] vs jaraco-text==4.2.0 cascade. Maintainer needs to pin myst-docutils or drop py3.9/3.10 from the docs matrix. py3.11+ docs locks regenerated cleanly.
  • lint-salt / lint-tests — local pre-commit nox env hit a pip 26.0.1 internal-module change; CI runs in a fresh venv so this is a local-cache artefact only.

No --no-verify. #69400 will be closed as superseded by this push.

…e keyring stub

Five follow-ups to 78f47a0 that close the SKIP gaps so pre-commit
runs cleanly end-to-end with no SKIP and no --no-verify.

1. pylint ~=4.0.5 was a major-version dependabot bump that enables a
   raft of new default-on checks (E0606 possibly-used-before-assignment,
   E0601 used-before-assignment). The 3008.x source has dozens of
   pre-existing occurrences that the 3.1 line tolerated; the CI Lint
   Salt / Lint Tests jobs run inside a Py3.10 container so they fail
   regardless of any py<3.10 marker. Cap pylint unconditionally to
   ~=3.1.0 until the codebase is audited.

2. urllib3 >= 2.6.3 for py < 3.10 was a dependabot bump that broke
   the entire py3.9 pip-compile chain: botocore on py3.9 hard requires
   urllib3 < 2, so the py3.9 ZeroMQ / Cloud / Lint hooks all hit
   ResolutionImpossible. Restore the previous urllib3 >= 1.26.20,
   < 2.0.0 floor for py3.9. The py>=3.10 floor still carries the
   urllib3 2.6.3 CVE backports (CVE-2025-66418, CVE-2026-21441).

3. Docs CI Py3.10 lock chain: myst-docutils 4.x is the latest line
   supporting Python 3.10 and it pins markdown-it-py ~=3.0. Without
   a cap the py3.10 docs lock would otherwise resolve markdown-it-py
   to 4.2.0 via rich. Add markdown-it-py < 4.0.0 for py3.10 in
   requirements/constraints.txt, mirroring the existing < 3.0.0 cap
   for py3.9.

4. pip == 26.0.1 in constraints.txt corrupted the pre-commit hook
   venv on Python 3.14. The lint-salt-pre-commit and lint-tests-pre-commit
   noxfile sessions bootstrap pip with PIP_CONSTRAINT pointed at
   constraints.txt; on Py3.14 the resulting pip 26.0.1 install ships
   a vendored pygments wheel that's missing the  submodule,
   which trips the very next pip invocation. Stay on pip == 25.2 —
   the version that relenv's onedir bootstraps with, and that
   tools/pkg/build.py patches in pkg/patches/pip-urllib3/. The 25.2
   wheel works correctly on Py3.14.

5. tests/pytests/unit/utils/test_cloud.py: keyring 25 made
   an abstract class attribute and now requires super().__init__()
   in subclasses. Update the CustomKeyring stub so the lint-tests
   job stops flagging W0223 (abstract-method) and W0231
   (super-init-not-called).

salt/cache/redis_cache.py + tests/pytests/unit/cache/test_redis_cache.py:
   Pre-existing pyupgrade rewrites ("{0}".format → "{}".format) that
   the local pre-commit run surfaces; include them so pyupgrade is
   clean too.

After these changes:
  PRE_COMMIT_HOME=<isolated> pre-commit run --all-files
exits 0 on a clean checkout. No SKIP, no --no-verify.

dwoz commented Jun 8, 2026

Contributor

Pushed ef13ed8 directly to this branch — closes the SKIP gaps from 78f47a0 so pre-commit runs cleanly end-to-end (exit 0, no SKIP, no --no-verify) locally.

Five targeted fixes:

  1. pylint cap ~=3.1.0 in requirements/static/ci/lint.txt. 4.0.5 introduces default-on E0606 / E0601 checks that the 3008.x codebase has dozens of pre-existing occurrences of (setup.py, salt/minion.py, salt/states/git.py, salt/states/file.py, salt/states/ssh_pki.py, etc. — see the 80207200176 Lint Salt log). Lint runs in a Py3.10 container so a py<3.10 marker would not help; the cap is unconditional.

  2. urllib3 floor for py<3.10 reverted to >=1.26.20,<2.0.0. The >=2.6.3 floor breaks botocore on py3.9 (hard-requires urllib3<2). py>=3.10 still gets >=2.7.0 with the CVE-2025-66418 / CVE-2026-21441 backports.

  3. markdown-it-py < 4.0.0 for py3.10 added to constraints.txt. myst-docutils 4.x (latest supporting py3.10) pins markdown-it-py ~=3.0; without the cap the py3.10 docs lock would resolve to 4.2.0 transitively via rich.

  4. pip pin reverted to == 25.2 in constraints.txt. 26.0.1 corrupted the lint-{salt,tests}-pre-commit hook venv on Py3.14 (the bundled pygments wheel is missing the modeline submodule on cpython 3.14, breaking the very next pip invocation). 25.2 is also the version relenv ships and that tools/pkg/build.py patches.

  5. tests/pytests/unit/utils/test_cloud.py CustomKeyring: keyring 25 made priority an abstract class attribute and now requires super().__init__(). Update the stub so lint-tests stops flagging W0223 / W0231.

Plus two pre-existing pyupgrade rewrites in salt/cache/redis_cache.py and tests/pytests/unit/cache/test_redis_cache.py ("{0}".format → "{}".format) that the local pre-commit surfaces.

Mirrors the equivalent fix bundle landed on #69393 (df7f933) for 3006.x.
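
Two failure modes from this thread can be checked mechanically: a lockfile pin left behind a raised floor (croniter on py3.14) and a Python stream held below the patched urllib3 floor by a per-Python cap (py3.9). The sketch below is an added example, not code from the Salt repository or from any commenter; the requirement lines, lock pins and function names are constructed for illustration. The parser handles only `python_version` markers and plain comparison operators (the `packaging` library covers the full syntax).

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}
CLAUSE = re.compile(r"(>=|<=|==|!=|<|>)\s*([0-9][0-9.]*)$")
MARKER = re.compile(r"python_version\s*(>=|<=|==|!=|<|>)\s*['\"]([0-9.]+)['\"]$")

# Constructed sample shaped like the split floors described in the thread.
REQUIREMENTS = """\
cryptography>=48.0.0; python_version >= '3.10'
cryptography<48.0.0; python_version < '3.10'
urllib3>=2.6.3; python_version >= '3.10'
urllib3>=1.26.20,<2.0.0; python_version < '3.10'
croniter>=6.2.2
"""

# Constructed lock pins per target Python (hypothetical, not the real lockfiles).
LOCKS = {
    "3.9": {"cryptography": "45.0.7", "urllib3": "1.26.20", "croniter": "6.2.2"},
    "3.14": {"cryptography": "48.0.0", "urllib3": "2.6.3", "croniter": "6.0.0"},
}

# Lowest version carrying the security fixes; the thread names urllib3 2.6.3.
SECURITY_FLOORS = {"urllib3": "2.6.3"}


def parse_version(text):
    """Dotted numeric version -> tuple, trailing zeros dropped (48.0.0 == 48)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_clause(text):
    """One specifier clause such as '>=6.2.2' -> (operator, version, raw text)."""
    raw = text.strip()
    match = CLAUSE.match(raw)
    if not match:
        raise ValueError(f"unsupported specifier: {raw!r}")
    return OPS[match.group(1)], parse_version(match.group(2)), raw


def parse_requirement(line):
    """Requirement line -> (normalised name, clauses, marker or None)."""
    spec_part, _, marker_text = line.partition(";")
    match = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)$", spec_part)
    name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
    clauses = [parse_clause(c) for c in match.group(2).split(",") if c.strip()]
    marker_text = marker_text.strip()
    marker = None
    if marker_text:
        m = MARKER.match(marker_text)
        if not m:
            raise ValueError(f"unsupported marker: {marker_text!r}")
        marker = (OPS[m.group(1)], parse_version(m.group(2)))
    return name, clauses, marker


def applies(marker, python):
    """True when the requirement is active for the given Python version."""
    return marker is None or marker[0](parse_version(python), marker[1])


def audit(requirements_text, locks, security_floors):
    """Return (python, package, kind, detail) findings for every lock stream."""
    reqs = [parse_requirement(line) for line in requirements_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    findings = []
    for python in sorted(locks, key=parse_version):
        pins = locks[python]
        for name, clauses, marker in reqs:
            if not applies(marker, python):
                continue
            pin = pins.get(name)
            if pin is None:
                findings.append((python, name, "missing-pin", "no pin in lock"))
                continue
            broken = [raw for op, ver, raw in clauses
                      if not op(parse_version(pin), ver)]
            if broken:
                # The lock was not regenerated after the floor moved.
                findings.append((python, name, "stale-lock",
                                 f"{pin} violates {','.join(broken)}"))
        for name, floor in security_floors.items():
            pin = pins.get(name)
            if pin is not None and parse_version(pin) < parse_version(floor):
                # Resolvable, but this stream does not receive the fix.
                findings.append((python, name, "below-security-floor",
                                 f"{pin} < {floor}"))
    return findings


if __name__ == "__main__":
    for finding in audit(REQUIREMENTS, LOCKS, SECURITY_FLOORS):
        print(*finding, sep="  ")
```

A `stale-lock` finding is a CI blocker; a `below-security-floor` finding resolves cleanly and therefore needs to be tracked as an accepted exposure for that Python stream.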


welcome Bot commented Jun 9, 2026


Congratulations on your first PR being merged! 🎉


Labels

test:full Run the full test suite
