chore(deps-dev): bump the pip group across 1 directory with 3 updates#1283
chore(deps-dev): bump the pip group across 1 directory with 3 updates#1283dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps the pip group with 3 updates in the /packages/python-sdk directory: [python-dotenv](https://github.com/theskumar/python-dotenv), [black](https://github.com/psf/black) and [requests](https://github.com/psf/requests). Updates `python-dotenv` from 1.1.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2) Updates `black` from 25.9.0 to 26.3.1 - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@25.9.0...26.3.1) Updates `requests` from 2.32.5 to 2.33.0 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.5...v2.33.0) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:development dependency-group: pip - dependency-name: black dependency-version: 26.3.1 dependency-type: indirect dependency-group: pip - dependency-name: requests dependency-version: 2.33.0 dependency-type: indirect dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
added
the
dependencies
dependabot
Bot
requested review from
ValentaTomas and
mishushakov
as code owners
|
Package ArtifactsBuilt from 89529ab. Download artifacts from this workflow run. JS SDK ( npm install ./e2b-2.19.1-dependabot-pip-packages-python-sdk-pip-4d98c49ba6.0.tgzCLI ( npm install ./e2b-cli-2.9.1-dependabot-pip-packages-python-sdk-pip-4d98c49ba6.0.tgzPython SDK ( pip install ./e2b-2.20.0+dependabot.pip.packages.python.sdk.pip.4d98c49ba6-py3-none-any.whl |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| @@ -1,4 +1,4 @@ | |||
| # This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand. | |||
| # This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. | |||
There was a problem hiding this comment.
🔴 The poetry.lock header was updated to show generation by Poetry 2.2.1, but .tool-versions still pins poetry 2.1.1, causing CI to install a different Poetry version than what generated the lock file. Update .tool-versions to poetry 2.2.1 to match the lock file generator.
Extended reasoning...
What the bug is: This PR updates the poetry.lock header comment from Poetry 2.1.1 to Poetry 2.2.1, indicating the lock file was regenerated using Poetry 2.2.1. However, the .tool-versions file (line 5) still pins poetry 2.1.1. This is a genuine configuration inconsistency introduced by this PR.
The specific code path: The CI workflow python_sdk_tests.yml uses wistia/parse-tool-versions to read the poetry version from .tool-versions and exports it as TOOL_VERSION_POETRY. It then passes that value directly to snok/install-poetry (via version: "${{ env.TOOL_VERSION_POETRY }}"). As a result, CI installs Poetry 2.1.1 while the lock file was generated by Poetry 2.2.1.
Why existing code doesn't prevent it: There is no version consistency check between the lock file generator comment and .tool-versions. The CI pipeline blindly trusts .tool-versions for the Poetry version, and the lock file was updated by a tool (Dependabot or a developer running a newer Poetry) without updating .tool-versions in sync.
Addressing the refutation: One verifier correctly notes that Poetry uses the lock-version field in [metadata] (which remains 2.1 in this PR) for format compatibility, not the header comment. This is accurate — Poetry 2.1.1 will not outright reject the lock file based on the header. However, the mismatch still carries real risks: (1) Poetry 2.2.1 changed the exceptiongroup marker from python_version < "3.11" to python_version == "3.10" — if Poetry 2.1.1 recomputes markers differently during install, it may attempt to re-resolve and produce a lock diff; (2) hash verification is performed against the resolved graph, and subtle differences between minor versions can trigger re-resolution warnings or failures; (3) the inconsistency makes the environment non-reproducible between local development (using Poetry 2.2.1) and CI (using 2.1.1).
Concrete proof: Developer runs Poetry 2.2.1 locally → generates lock file with python_version == "3.10" marker for exceptiongroup → pushes PR. CI reads .tool-versions, installs Poetry 2.1.1, then runs poetry install against the 2.2.1-generated lock file. Poetry 2.1.1 may see the exceptiongroup marker (python_version == "3.10") as unexpected (since 2.1.1 would have written python_version < "3.11") and attempt to re-resolve, producing a CI diff or warning. Even absent a hard failure, the CI environment is no longer using the tool that generated the lock file.
How to fix: Update .tool-versions line 5 from poetry 2.1.1 to poetry 2.2.1 to match the Poetry version that generated the lock file.
1 participant
Bumps the pip group with 3 updates in the /packages/python-sdk directory: python-dotenv, black and requests.
Updates
python-dotenvfrom 1.1.1 to 1.2.2Release notes
Sourced from python-dotenv's releases.
... (truncated)
Changelog
Sourced from python-dotenv's changelog.
Commits
36004e0Bump version: 1.2.1 → 1.2.2eb20252docs: update changelog for v1.2.2790c5c0Merge commit from fork43340daRemove the use ofshin tests (#612)09d7ceedocs: clarify override behavior and document FIFO support (#610)c8de288ci: improve workflow efficiency with best practices (#609)7bd9e3dAdd Windows testing to CI (#604)1baaf04Drop Python 3.9 support and update to PyPy 3.11 (#608)4a22cf8ci: enable testing on Python 3.14t (free-threaded) (#588)e2e8e77Fix license specifier (#597)Updates
blackfrom 25.9.0 to 26.3.1Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
c6755bbPrepare release 26.3.1 (#5046)69973fdHarden blackd browser-facing request handling (#5039)4937fe6Fix some shenanigans with the cache file and IPython (#5038)2e641d1docs: remove outdated Black Playground references (#5044)c014b22Remove unused internal code (#5041)0dae20bAdd new changelog (#5036)c5c1cbdMinor release patches (#5035)7e5a828docs: clarify relationship between Black style and PEP 8 (#5025)69705dedocs: add clearer pyproject configuration guidance (#5026)35ea679Prepare release 26.3.0 (#5032)Updates
requestsfrom 2.32.5 to 2.33.0Release notes
Sourced from requests's releases.
Changelog
Sourced from requests's changelog.
Commits
bc04dfdv2.33.066d21cbMerge commit from fork8b9bc8fMove badges to top of README (#7293)e331a28Remove unused extraction call (#7292)753fd08docs: fix FAQ grammar in httplib2 example774a0b8docs(socks): same block as other sections9c72a41Bump github/codeql-action from 4.33.0 to 4.34.1ebf7190Bump github/codeql-action from 4.32.0 to 4.33.00e4ae38docs: exclude Response.is_permanent_redirect from API docs (#7244)d568f47docs: clarify Quickstart POST example (#6960)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.