chore(deps): upgrade dependencies#590
Conversation
8d518b0 to
6e06eca
Compare
7c7ba9e to
fee375b
Compare
scottschreckengaust
left a comment
There was a problem hiding this comment.
Review: PR #590 chore(deps): upgrade dependencies
Verdict: REQUEST_CHANGES — this bot dep-bump is not mergeable as-is because it breaks the build. build (agentcore) is RED and the cause is a dependency in this very diff (the ty type-checker bump), not a pre-existing/flaky failure. For a dependency PR, CI-green is the load-bearing signal, so a bump that turns the build red must be fixed before merge — even for routine bot hygiene.
Everything else in the bump is safe (details below); the block is narrow and mechanical.
Vision alignment
Bounded blast radius, mostly. Lockfile-only change (agent/uv.lock + yarn.lock; no package.json / pyproject.toml edits), so every bump stays within existing semver ranges. No attack-surface widening, no new top-level deps. The one leak past the intended boundary is ty: it is pinned bare ("ty", no version bound) in agent/pyproject.toml, so "regenerate within pins" still walked the type-checker forward to a stricter engine (0.0.56 → 0.0.59) that rejects previously-accepted source.
Blocking
B1 — ty 0.0.56 → 0.0.59 breaks //agent:typecheck (build (agentcore) job is RED). agent/uv.lock (ty package block; +version = "0.0.59").
//agent:typecheckrunsuv run ty check(agent/mise.toml:44). ty 0.0.59 now emits 9 new diagnostics inagent/tests/test_models.py— the source is unchanged in this PR, so this is purely the engine getting stricter/regressing on the same code:- 6×
invalid-assignment"Property … is read-only" attest_models.py:30, 63, 140, 170, 416, 447. Each is an intentional negative test asserting Pydantic immutability (e.g.c.author = "bob"insidewith pytest.raises(ValidationError):) on models declaredmodel_config = ConfigDict(frozen=True, …)(agent/src/models.py:20, 47, 62, 117, 294, 305). - 2×
invalid-argument-typeattest_models.py:237, 244:content_trust={"issue": "untrusted-external", …}is inferred asdict[str, str]and rejected against the declareddict[str, ContentTrustLevel]whereContentTrustLevel = Literal["trusted","untrusted-external","memory"](agent/src/models.py:71, 130).
- 6×
- Note this is a two-step jump vs
main, which currently pinsty 0.0.50. - Fix — pick one, none should be silent:
- Cleanest for a pure dep-bump: pin
ty==0.0.56(last known-green) inagent/pyproject.tomland revert only thetyblock ofagent/uv.lock; let the other 8 Python bumps + all yarn bumps land green. - If keeping ty current is desired: that requires touching
agent/tests/test_models.pysource (per-line# ty: ignore[invalid-assignment]on the 6 deliberate frozen-write negative tests, and an explicitdict[str, ContentTrustLevel]annotation /castfor the 2content_trustliterals). Source changes fall outside bot dep-hygiene and need a governance issue per ADR-003 — so this should be split out, not ridden in on the auto-approve bump.
- Do not globally relax
[tool.ty.rules]to mask this — it would hide real future frozen-write / literal bugs.
- Cleanest for a pure dep-bump: pin
Non-blocking observations
- Cedar parity: intact. Neither
cedarpy(Python) nor@cedar-policy/cedar-wasm(TS) is touched —cedarpy==4.8.4andcedar-wasm@4.8.2are unchanged on both sides. The paired-engine rule (AGENTS.md "Common mistakes") is not triggered; nocontracts/cedar-parity/refresh needed. - No downgrades. All 9 uv.lock and ~60 yarn.lock transitions move forward.
- No synth-affecting core CDK bump.
aws-cdk-libandconstructsare not changed (the@@ aws-cdk-lib@^2.260.0line is only a hunk-context header).@aws-cdk/cloud-assembly-schema54.8.0→54.11.0 and theaws-cdkCLI 2.1129.0→2.1131.0 are the CLI/cxapi side, within the pinned major — CDK snapshot tests should not shift. - AWS SDK v3 clients (
@aws-sdk/client-bedrock-agentcore/-runtime/-dynamodb/-ecs/-lambda/-s3/-secrets-manager) 3.1081.0→3.1087.0: standard weekly patch/minor cadence, no majors. - Python bumps anyio 4.14.1→4.14.2, asgiref 3.11.1→3.12.1, botocore 1.43.42→1.43.48, coverage 7.15.0→7.15.1, grpcio 1.81.1→1.82.1, ruff 0.15.20→0.15.21, s3transfer 0.19.0→0.19.1, websockets 16.0→16.1 — all patch/minor, none with a known advisory.
Documentation
N/A — pure lockfile bump; no docs/guides/ or docs/design/ source touched, so no Starlight mirror sync required.
Tests & CI
Secrets, deps, and workflow scan(OSV Scanner onyarn.lock+agent/uv.lock): pass — no advisories or vulnerable pulls introduced. CodeQL / Analyze (actions, js-ts, python): pass. Dead-code (advisory): pass. Validate PR title: pass.build (agentcore): FAIL —//agent:typecheckFound 9 diagnostics→ exit 1 (B1). This is the sole failure and it is deterministic, not a flake.- No new tests expected for a dep bump; the concern is that existing tests/typecheck must stay green, and they do not.
Review agents run
pr-review-toolkit:code-reviewer— ran; independently reproduced thetybuild-breaker mechanism and confirmed no downgrades / no synth-affecting core bump / Cedar untouched.silent-failure-hunter,type-design-analyzer— omitted (out of scope: lockfile-only diff, no error-handling or type-definition source changes).
Human heuristics
Base is fresh (PR head merge-base == origin/main @ 22705e83, single commit). Author is the backgroundagents bot; missing approved-issue is normal for pure dep hygiene and is not the basis for this block. The auto-approve label is present but must not auto-merge a red build — the failing agentcore job is a legitimate, self-caused gate failure. The narrowest green path is option (1): pin ty back and re-run.
🤖 Generated with Claude Code
| { url = "https://files.pythonhosted.org/packages/c3/36/f51d4666d2de6cf33c1f3a1fcc4bb6b70b197dd6ceaa491eef71d78fe8e8/ty-0.0.56-py3-none-win32.whl", hash = "sha256:b30687bb5cd9729d34c889a289edf32770388d9bb05243e534e723fb45e0381b", size = 11093759, upload-time = "2026-07-01T16:44:49.171Z" }, | ||
| { url = "https://files.pythonhosted.org/packages/5e/b4/8fb5d4acfa4afb152245b20fa263069a7547bd1f8e4bfca4eda280c897d7/ty-0.0.56-py3-none-win_amd64.whl", hash = "sha256:ad4c8c47b6f4e3f9ed3fc0b1a5d650088d229e17dd8f63c1826d6bbe94cc3235", size = 12100327, upload-time = "2026-07-01T16:44:51.26Z" }, | ||
| { url = "https://files.pythonhosted.org/packages/b8/fc/6a183e71edde90d0c35c2303f23f7a45b6891d1a2c45daf7b8f869831e19/ty-0.0.56-py3-none-win_arm64.whl", hash = "sha256:57538f273d444a5f1293fa7860e967178afe3917611fc5eff16b64e1204fe0d6", size = 11538780, upload-time = "2026-07-01T16:44:53.8Z" }, | ||
| version = "0.0.59" |
There was a problem hiding this comment.
Blocking: this ty bump (0.0.56 → 0.0.59) is what turns build (agentcore) red. ty is pinned bare ("ty") in agent/pyproject.toml, so the lockfile is its only bound and regenerating walked it to a stricter engine. uv run ty check (agent/mise.toml:44) now emits 9 new diagnostics in agent/tests/test_models.py (6 frozen-attribute negative tests + 2 content_trust Literal narrowings) even though that source is unchanged in this PR.
Cleanest fix to keep this a green, pure dep-bump: pin ty==0.0.56 in agent/pyproject.toml and revert just this ty block of the lockfile; let the other bumps land. Keeping ty current instead requires editing test_models.py (deliberate # ty: ignore + explicit dict[str, ContentTrustLevel] annotations), which is source work that should go through a governance issue rather than the auto-approve bot bump.
Upgrades project dependencies. See details in [workflow run]. [Workflow Run]: https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/actions/runs/29461601257 ------ *Automatically created by the "upgrade-main" workflow* Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
fee375b to
dfdf967
Compare
Upgrades project dependencies. See details in workflow run.
Automatically created by the "upgrade-main" workflow