Chore: Bump Python dependencies, fix tests #64
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Copilot started reviewing on behalf of
ModeSevenIndustrialSolutions
December 10, 2025 10:13
View session
There was a problem hiding this comment.
Pull request overview
This PR updates Python dependencies to address security vulnerabilities, particularly upgrading urllib3 to 2.6.1 which contains important security fixes. The update also includes test improvements to isolate test git repositories from parent repository state and fix issues when running tests under pre-commit hooks.
Key Changes
- Bumped urllib3 from 2.5.0 to 2.6.1 for security fixes
- Removed Python 3.14 version constraint (was
<3.14, now>=3.11) - Updated all Python dependencies to latest versions
- Added
--no-verifyflag to git commits in tests to bypass hooks - Improved git environment isolation in tests by unsetting GIT_INDEX_FILE, GIT_DIR, and GIT_WORK_TREE
- Fixed stderr handling in rich_display.py to ensure CliRunner captures error output
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| uv.lock | Updated all Python dependencies including security-critical urllib3 2.6.1, plus certifi, charset-normalizer, click, coverage, cryptography, hatchling, iniconfig, mypy, pbr, pynacl, pytest, pyyaml, ruff, setuptools-scm, trove-classifiers, typer, and urllib3 |
| pyproject.toml | Removed Python 3.14 upper version constraint, updated minimum dependency versions, and reordered Python classifiers |
| tests/test_ssh_artifact_prevention.py | Added environment variable isolation (GIT_INDEX_FILE, GIT_DIR, GIT_WORK_TREE) and --no-verify flag to git commits |
| tests/fixtures/make_repo.py | Added environment variable isolation in _run_git and --no-verify flag to git commits |
| src/github2gerrit/rich_display.py | Changed stderr handling to use typer.echo for better test capture |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>
ModeSevenIndustrialSolutions
force-pushed
the
python-deps
branch
from
1f7bd37 to
7d211b6
Compare
tykeal
approved these changes
Dec 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
urllib3 2.6.1 released two days ago and contains important security fixes. SBOM/Grype audits (builds) have started failing in Python projects that need dependency updates. I've bumped all the Python dependencies for this project, and updated the uv.lock file. This update also includes fixes for failing tests during these updates. Since the Python build action recently got a new tagged/release, and includes the python-sigstore-action 3.2.0, Python 3.14 builds are working again.