Update dependencies in requirements.txt #31

Open
ondrejvala2 wants to merge 3 commits into master from BAF-1260/update-dependencies

Conversation

ondrejvala2 commented Feb 3, 2026

  • package connexion kept <3 to prevent it from breaking (potential update in the future)

Summary by CodeRabbit

  • Chores
    • Locked project dependencies to exact version pins for reproducible installs.
    • Updated generator ignore list to preserve a specific generated file across regenerations.
  • Refactor
    • Switched JSON serialization to the framework's newer provider while preserving API behavior.
  • Tests
    • Restructured integration tests to submit helper-based request tasks for clearer concurrent request handling.

- connexion kept <3 to prevent it from breaking (potential update in future)
ondrejvala2 requested a review from koudis February 3, 2026 15:39
coderabbitai bot commented Feb 3, 2026

Walkthrough

Pin all dependencies to exact versions in requirements.txt; replace the Flask JSONEncoder approach with a _serialize function and CustomJSONProvider, wire it in app.py, and add fleetv2_http_api/encoder.py to .openapi-generator-ignore; refactor several integration tests to submit helper callables to executors for HTTP calls. No public API signature changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependencies: requirements.txt | Replaced flexible version ranges/inequalities with exact == pins for all listed packages; no packages added or removed. |
| JSON serialization provider: server/fleetv2_http_api/encoder.py, server/app.py, server/.openapi-generator-ignore | Replaced class-based JSONEncoder with a functional _serialize(obj, include_nulls) and CustomJSONProvider.dumps(...); app.py now assigns app.app.json = CustomJSONProvider(app.app) (Flask 2.3+ provider). Added fleetv2_http_api/encoder.py to OpenAPI ignore list. |
| Integration tests (executor helper refactor): tests_integration/messages/test_since_parameter.py, tests_integration/wait_mechanism/test_commands.py, tests_integration/wait_mechanism/test_statuses.py | Refactored tests to encapsulate HTTP GET/POST client calls in local helper functions that create their own test_client context; executor submissions now submit these helpers instead of inline client calls. Test behavior/assertions unchanged. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • MarioIvancik
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 2.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Update dependencies in requirements.txt' directly addresses the main change (dependency updates in requirements.txt), though it does not mention the broader refactoring of JSON handling and test cases that comprise significant portions of the changeset. |

coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@requirements.txt`:
- Around line 9-18: The requirements file uses open-ended >= ranges for core
packages (SQLAlchemy, pydantic, cryptography) which can permit incompatible
major upgrades; update the dependency lines for SQLAlchemy, pydantic, and
cryptography in requirements.txt to add conservative upper bounds (e.g., change
SQLAlchemy >= 2.0.46 to SQLAlchemy >= 2.0.46,<3.0, pydantic >= 2.12.5 to
pydantic >= 2.12.5,<3.0, and cryptography >= 46.0.4 to cryptography >=
46.0.4,<47.0) so future breaking major releases are excluded while preserving
the current minimums.
- Around line 10-11: The requirements file currently pins both "psycopg >=
3.3.2" and "psycopg-binary >= 3.3.2"; remove the "psycopg-binary" entry from the
production requirements and leave only "psycopg >= 3.3.2" in that file, and if
you need the binary wheel for development/testing, add "psycopg-binary >= 3.3.2"
to your dev/test requirements file (e.g., requirements-dev.txt or test
dependencies) and update any CI/lockfile references accordingly.
- Around line 1-6: The requirements list causes a dependency conflict between
Connexion (constraint "<3") and Flask ">= 3.1.2"; either pin Flask to a 2.x
series (e.g., change the Flask spec to <3) to match Connexion 2.x, or upgrade
Connexion to a 3.x compatible spec (e.g., use connexion >=3.x) so Werkzeug
requirements align; also ensure only one PostgreSQL driver is listed by removing
either "psycopg" or "psycopg-binary" so the requirements contain a single
psycopg package.

Copilot AI review requested due to automatic review settings February 4, 2026 07:36
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.


coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@requirements.txt`:
- Around line 1-17: Remove the testing/dev-only packages from the main
requirements file: delete Flask_Testing and coverage from requirements.txt and
create a separate requirements-dev.txt (or requirements-test.txt) that lists
Flask_Testing and coverage (and any other test-only tools) with the same pinned
versions; update any CI, local setup scripts, or docs to install
requirements-dev.txt when running tests so production installs only the runtime
packages like Flask, SQLAlchemy, cryptography, pydantic, and pyjwt.
🧹 Nitpick comments (2)
requirements.txt (2)

11-11: Consider moving testing dependencies to a separate requirements file.

Flask_Testing and coverage are testing tools that typically don't belong in production dependencies. Moving them to a separate requirements-dev.txt or requirements-test.txt reduces the production attack surface and deployment size.

📦 Suggested refactor

Create a requirements-dev.txt file:

-r requirements.txt
Flask_Testing == 0.8.1
coverage == 7.13.3

Then remove these lines from requirements.txt:

-Flask_Testing == 0.8.1
-coverage == 7.13.3

Update your CI/CD and local development setup to install from requirements-dev.txt for testing, and only requirements.txt for production deployments.

Also applies to: 15-15


1-17: Consider using a lock file approach for dependency management.

Exact pinning (==) provides reproducibility but requires manual updates for every security patch or bug fix. Consider using tools like pip-tools (pip-compile) or Poetry to generate lock files from more flexible constraints, allowing easier security updates while maintaining reproducibility.

🔒 Example with pip-tools

requirements.in (flexible constraints):

connexion[swagger-ui] >=2.15.0,<3.0
Flask >=2.3.0,<3.0
SQLAlchemy >=2.0.0,<3.0
# ... other packages with similar ranges

Generate lock file:

pip-compile requirements.in

This produces requirements.txt with exact pins, but you can easily regenerate to get updates while respecting your version bounds.
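
The review points above (missing upper bounds, two psycopg distributions, test tools in the runtime file) can be checked mechanically. The following is an added example, not part of the thread or the project's code; the `TEST_ONLY` and `REDUNDANT` lists and the sample file are assumptions built from package names mentioned in the comments.

```python
import re

TEST_ONLY = {"flask-testing", "coverage"}      # test tools named in the review
REDUNDANT = [("psycopg", "psycopg-binary")]    # keep one driver distribution
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
OP = re.compile(r"^\s*(===|==|~=|!=|<=|>=|<|>)\s*(\S+)\s*$")
# Constructed sample using package names from the thread, not the project's file.
SAMPLE = """connexion[swagger-ui] <3
Flask == 3.1.2
SQLAlchemy >= 2.0.46
psycopg == 3.3.2
psycopg-binary == 3.3.2
Flask_Testing == 0.8.1
"""

def classify(spec):
    """Return None for an exact pin, else a description of the weakness."""
    clauses = [OP.match(c) for c in spec.split(",") if c.strip()]
    if not clauses or None in clauses:
        return "unpinned or unparsable specifier"
    ops = [m.groups() for m in clauses]
    if any(op in ("==", "===") and "*" not in ver for op, ver in ops):
        return None
    if not any(op in ("<", "<=", "~=", "==") for op, _ in ops):
        return "no upper bound on version"
    return "version range, not an exact pin"

def audit(text):
    """Audit a requirements.txt body; return sorted (package, finding) pairs."""
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = REQ.match(line)
        if not m or "://" in line:          # blanks, pip options, URLs, paths
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 form
        seen.add(name)
        if problem := classify(m.group(2)):
            findings.append((name, problem))
        if name in TEST_ONLY:
            findings.append((name, "test-only package in runtime requirements"))
    for keep, extra in REDUNDANT:
        if keep in seen and extra in seen:
            findings.append((extra, f"redundant with {keep}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

It does not resolve transitive constraints, so a conflict such as the Connexion/Flask one raised in the first review still needs a resolver run (`pip check` or `pip-compile`).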

ondrejvala2 force-pushed the BAF-1260/update-dependencies branch from 7ce3c56 to b975fe0 February 4, 2026 11:35
sonarqubecloud bot commented Feb 4, 2026

koudis left a comment

From my humble side it seems ok.
