
LCORE-1026: Update dependencies #899

Merged
tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-1026-update-dependencies
Dec 10, 2025

@tisnik tisnik commented Dec 10, 2025

Description

LCORE-1026: Update dependencies

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1026

Summary by CodeRabbit

  • Chores
    • Upgraded multiple dependencies to recent versions across all supported architectures, including updates to machine learning frameworks, database connectivity tools, and language model libraries.



coderabbitai bot commented Dec 10, 2025

Walkthrough

Six Python packages are updated to newer versions across both architecture-specific requirements files (aarch64 and x86_64): litellm, mcp, networkx, scikit-learn, sqlalchemy, and trl. Associated hashes are updated to reflect the new package versions.

Changes

Cohort / File(s) | Summary
Dependency Version Bumps: requirements.aarch64.txt, requirements.x86_64.txt | litellm (1.80.8 → 1.80.9), mcp (1.23.1 → 1.23.3), networkx (3.6 → 3.6.1), scikit-learn (1.7.2 → 1.8.0), sqlalchemy (2.0.44 → 2.0.45), trl (0.25.1 → 0.26.0) with corresponding hash updates for each package

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Straightforward version bumps with no logic, functionality, or control flow changes
  • Repetitive pattern of version and hash updates across both files
  • Primary review task is verifying version numbers are intentional and hashes align with official package releases

Possibly related PRs

  • PR #871: Modifies the same requirements files with overlapping package dependency updates (litellm, mcp, networkx, sqlalchemy, and others), suggesting coordinated dependency management.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically identifies the main change as updating dependencies, which directly matches the changeset containing version bumps and hash updates for multiple packages.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 668d09c and 9d3344b.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • requirements.aarch64.txt (6 hunks)
  • requirements.x86_64.txt (6 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-18T10:57:39.266Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:59-59
Timestamp: 2025-08-18T10:57:39.266Z
Learning: In the lightspeed-stack project, transitive dependencies like faiss-cpu are intentionally pinned as top-level dependencies to maintain better control over the dependency graph and avoid version conflicts when bundling ML/LLM tooling packages.

Applied to files:

  • requirements.aarch64.txt
  • requirements.x86_64.txt
📚 Learning: 2025-08-18T10:58:14.951Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:47-47
Timestamp: 2025-08-18T10:58:14.951Z
Learning: psycopg2-binary is required by some llama-stack providers in the lightspeed-stack project, so it cannot be replaced with psycopg v3 or moved to optional dependencies without breaking llama-stack functionality.

Applied to files:

  • requirements.aarch64.txt
  • requirements.x86_64.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E: library mode / azure
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: server mode / azure
  • GitHub Check: E2E: library mode / ci
🔇 Additional comments (14)
requirements.aarch64.txt (7)

3315-3363: SQLAlchemy 2.0.45: verify codebase compatibility with 2.0‑style APIs.

Patch bump to 2.0.45; greenlet 3.3.0 compatible. Scan codebase for legacy 1.x patterns (Session.query, Query(...), engine.execute) that would break under 2.0 semantics before deployment.


1392-1395: Cross‑arch parity and retained strategic pins.

  • Confirm the same six bumps (litellm, mcp, networkx, scikit-learn, sqlalchemy, trl) exist in requirements.x86_64.txt to avoid drift.
  • Verify that strategic pins faiss-cpu and psycopg2-binary remain present and pinned consistently across both architecture files.

Also applies to: 1700-1703, 1883-1886, 3184-3220, 3315-3363, 3532-3534


1700-1703: MCP 1.23.3: verify protocol/client compatibility with paired SSE dependencies.

Confirm this pin is consistent across all requirements files. If upgrading with httpx-sse 0.4.3 and sse-starlette 3.0.3, test tool invocation and streaming to ensure handshake/keepalive behavior is unchanged.


1883-1886: NetworkX 3.6.1: low‑risk patch bump with bug fixes.

No breaking changes, API removals, or deprecations in 3.6.1—only enhancements (spectral bipartition, nodelistconstraints for from_biadjacency_matrix) and bug fixes (Graph subclass argument handling). No need for specialized testing.


3532-3534: TRL 0.26.0: verify accelerate version compatibility—1.12.0 may exceed typical requirements.

Web search indicates TRL 0.26.0 typically requires accelerate 0.34.2, while the specified version here is 1.12.0. The versions provided for transformers (4.57.3) and peft (0.18.0) align with expected ranges, but the accelerate version is substantially higher than documented baselines. Either confirm through integration testing (minimal PPO/SFT sample) that 1.12.0 is compatible, or align with the pinned 0.34.2 requirement.


3184-3220: Confirm scikit‑learn 1.8.0 binary compatibility with NumPy/SciPy on aarch64.

NumPy 2.2.6, SciPy 1.16.3, joblib 1.5.2, and threadpoolctl 3.6.0 are mutually compatible. All packages publish manylinux aarch64 wheels on PyPI. Verify that wheels resolve correctly in your aarch64 environment and run a quick import/fit test (e.g., LogisticRegression().fit()) to confirm no runtime ABI issues.


1392-1395: LiteLLM 1.80.9: Confirm stable release status and Langfuse integration impact.

The v1.80.9 changelog shows primarily new provider additions (Helicone, SAP GenAI) and a Langfuse passthrough route query parameter restructuring. This API change warrants testing only if Langfuse integration is active in the stack. No documented breaking changes to streaming, retries, or LITELLM_* environment variables in this release. Confirm this is a stable release (only dev/nightly artifacts found publicly) and verify x86_64 requirements file matches.

requirements.x86_64.txt (7)

1883-1885: networkx 3.6.1: low‑risk patch bump.

No action needed unless you rely on deprecated algorithms. Approving.


1392-1394: Parity check with aarch64 and retained pins per project policy.

  • Please confirm requirements.aarch64.txt mirrors these bumps.
  • psycopg2-binary and faiss-cpu remain pinned as required for providers/bundling. Good.

Based on learnings, these pins are intentional and should not be altered.

Also applies to: 1700-1702, 1883-1885, 3183-3220, 3315-3362, 3531-3534


3315-3362: Review comment is misaligned with file type.

The review requests scanning for SQLAlchemy 1.x legacy patterns in Python source code, but requirements.x86_64.txt contains only package dependency specifications and hashes—no executable code. This comment should be applied to Python source files, not requirements files. Clarify whether the review target is correct and provide repository access for verification.


3531-3534: No action required — trl 0.26.0, transformers 4.57.3, and accelerate 1.12.0 are compatible.

trl v0.26.x requires transformers >= 4.46.0 (satisfied by 4.57.3) and accelerate with no strict lower bound preventing 1.12.0. Recent trl releases include fixes for transformers 4.57.x, confirming compatibility.


1392-1394: litellm 1.80.9: patch bump appears safe; verify with a quick import test.

No obvious conflicts detected in this dependency set. To confirm compatibility, run:

python -c "import litellm, httpx, jiter, openai; print('litellm', litellm.__version__)"

1700-1702: mcp 1.23.3 does not exist on PyPI. The latest available version is mcp 1.23.2 (released Dec 8, 2025). Either this is a private/internal package or the version specified in requirements is incorrect. Remove this line or correct the version number to 1.23.2 if mcp is a public dependency.

Likely an incorrect or invalid review comment.


3183-3220: and



@tisnik tisnik merged commit dd458f7 into lightspeed-core:main Dec 10, 2025
21 of 25 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Dec 23, 2025
15 tasks
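
The cross-architecture parity check that the review asks for can be automated. The following is an added example, not code from this PR or from the lightspeed-stack project: it parses two hash-pinned requirements files, reports packages whose pinned versions differ between them, and lists pins that carry no `--hash` entry. The function names `parse_pins` and `compare`, the sample file contents and the placeholder digest are all constructed for illustration.

```python
import re

# "name==version" starts a pin; the same or continuation lines carry --hash=algo:digest
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s\\;]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+:[0-9a-f]+)")

def parse_pins(text):
    """Return {normalized_name: (version, {hashes})} for a hash-pinned requirements file."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            # PEP 503 normalization: scikit_learn and scikit-learn are the same project
            current = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[current] = (m.group(2), set())
        if current:
            pins[current][1].update(HASH_RE.findall(line))
    return pins

def compare(a, b):
    """Return (version drift between the files, pins that carry no hash)."""
    version = lambda pins, name: pins.get(name, (None,))[0]
    drift = {n: (version(a, n), version(b, n))
             for n in sorted(set(a) | set(b)) if version(a, n) != version(b, n)}
    unhashed = sorted({n for pins in (a, b) for n, (_, h) in pins.items() if not h})
    return drift, unhashed

# Constructed placeholder digest and sample files; the mcp drift and unhashed pin are deliberate
H = "sha256:" + "0" * 64
AARCH64 = f"""\
mcp==1.23.3 \\
    --hash={H}
scikit-learn==1.8.0 \\
    --hash={H}
sqlalchemy==2.0.45 \\
    --hash={H}
"""
X86_64 = f"""\
mcp==1.23.1 \\
    --hash={H}
scikit_learn==1.8.0 \\
    --hash={H}
sqlalchemy==2.0.45
"""

if __name__ == "__main__":
    print(compare(parse_pins(AARCH64), parse_pins(X86_64)))
```

Only versions are compared across the two files, since per-architecture files can list different wheel digests for the same release; the hash check flags only pins with no digest at all.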