chore(deps): Update httpx requirement from <1.0,>=0.27 to >=0.28.1,<1.0 #8536
dependabot[bot] wants to merge 6 commits into
Updates the requirements on [httpx](https://github.com/encode/httpx) to permit the latest version.
- [Release notes](https://github.com/encode/httpx/releases)
- [Changelog](https://github.com/encode/httpx/blob/master/CHANGELOG.md)
- [Commits](encode/httpx@0.27.0...0.28.1)

---
updated-dependencies:
- dependency-name: httpx
  dependency-version: 0.28.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Aragora Code Review

Advisory-only review. Findings are surfaced for follow-up and do not fail this workflow.

Round 2: Skeptical Review — Challenging My Own HIGH Finding

The Round 2 critic (severity 10.0) pushed two things: (1) add a CI guard against removed-API patterns, and (2) upgrade the tri-location duplication to MEDIUM. Before I accept either, the skeptic's job is to ask whether my own Round 1 HIGH finding was over-stated. Let me challenge the strongest claim in my own proposal first, because that's where the largest unexamined assumption sits.

Self-Challenge #1: Is the "HIGH / runtime TypeError" finding actually justified by this diff?

My Round 1 proposal escalated the This is a real logical flaw, and it cuts against me:
So my HIGH severity was mis-calibrated. The honest finding is: the grep is worth doing as due diligence, but the severity should be conditioned on whether the lockfile currently resolves httpx to <0.28. If it already resolves to 0.28.x (very likely, since the floor allowed it), the code has already been running against the removed-args API and any break would have surfaced. I'm downgrading my own HIGH to MEDIUM, framed as a verification step, not a presumed defect. I should not have assigned HIGH severity to a hypothetical I never confirmed.

Self-Challenge #2: Does the critic's "add a CI guard" suggestion survive scrutiny?

The critic wants a CI step (grep/pre-commit) that fails the build on
So: valid direction, wrong sequencing and severity. Recommend the guard only conditionally.

Self-Challenge #3: Is the tri-location duplication really MEDIUM?

The critic argues the hand-edited bash array makes this MEDIUM, not LOW. Here I mostly agree, with a caveat the critic missed:
Self-Challenge #4: The claims I'm carrying forward — are they still evidence-backed?
Revised Findings Table (severities recalibrated by skeptical review)
Summary of What I Changed and Why
Overall Assessment

Approve — this is a low-risk floor bump that correctly updates all three synchronized locations. The single recommended pre-merge action is a quick grep for httpx

Note on Operating Constraints

Per the trust-tier markers, I treated the 1 finding(s) across the diff [CRITICAL] FindingFinding

Generated by Aragora multi-agent code review
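The due-diligence check this review settles on (look for httpx call sites that depend on arguments removed in 0.28 before trusting the floor bump), written as an AST scan instead of a grep. This is an added example, not code from the PR, the repository or either reviewer; the removed-keyword list (`proxies`, `app`) comes from the httpx 0.28.0 changelog rather than from this page, and `find_removed_httpx_usage` and `SAMPLE` are hypothetical names.

```python
import ast

# Assumption from the httpx 0.28.0 changelog, not from this page: the deprecated
# `proxies` and `app` keyword arguments were removed. A string `verify` is also
# reported because the commit list here includes "Error on verify as str. (#3418)".
REMOVED_KWARGS = {"proxies", "app"}
HTTPX_CALLABLES = {"Client", "AsyncClient", "get", "post", "put", "patch",
                   "delete", "head", "options", "request", "stream"}

# Constructed sample input, not code from the repository under review.
SAMPLE = '''\
import httpx
from httpx import AsyncClient as AC

a = httpx.Client(proxies="http://proxy.example:3128")
b = AC(app=object())
c = httpx.get("https://example.org", verify="/etc/ssl/ca.pem")
d = httpx.Client(proxy="http://proxy.example:3128", verify=False)
e = requests.get("https://example.org", proxies={})
'''


def find_removed_httpx_usage(source, filename="<constructed>"):
    """Return sorted (line, message) pairs for httpx calls worth reviewing."""
    tree = ast.parse(source, filename=filename)
    modules, direct = set(), set()
    for node in ast.walk(tree):  # names bound to httpx or imported from it
        if isinstance(node, ast.Import):
            modules |= {a.asname or a.name for a in node.names if a.name == "httpx"}
        elif isinstance(node, ast.ImportFrom) and node.module == "httpx":
            direct |= {a.asname or a.name for a in node.names if a.name in HTTPX_CALLABLES}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        is_httpx = (
            isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id in modules and f.attr in HTTPX_CALLABLES
        ) or (isinstance(f, ast.Name) and f.id in direct)
        if not is_httpx:
            continue
        for kw in node.keywords:
            if kw.arg in REMOVED_KWARGS:
                findings.append((node.lineno, f"removed keyword argument {kw.arg}="))
            elif (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                  and isinstance(kw.value.value, str)):
                findings.append((node.lineno, "verify passed as str"))
    return sorted(findings)
```

Unlike a plain grep for `proxies=`, the scan ignores the `requests.get(..., proxies={})` line in the sample because the call is not bound to the httpx module.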
Claude independent model review

Reviewer: claude (anthropic) — independent adversarial model review via the Aragora Claude reviewer, grounded on the exact PR head.

Verdict: PASS

dogfood: yes
Closing this superseded Dependabot PR in favor of #8713, which consolidates the httpx floor update with the related TypeScript SDK dependency refresh on a fresh branch from current main. The original branch is preserved; no branch deletion is being requested here.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Updates the requirements on httpx to permit the latest version.
Release notes
Sourced from httpx's releases.
Changelog
Sourced from httpx's changelog.
... (truncated)
Commits
- 26d48e0 Version 0.28.1 (#3445)
- 89599a9 Fix `verify=False`, `cert=...` case. (#3442)
- 8ecb86f Add test for request params behavior changes (#3364) (#3440)
- 0cb7e5a Bump the python-packages group with 11 updates (#3434)
- 15e21e9 Updating deprecated docstring Client() class (#3426)
- 80960fa Version 0.28.0. (#3419)
- a33c878 Fix `extensions` type annotation. (#3380)
- ce7e14d Error on verify as str. (#3418)
- 47f4a96 Handle empty zstd responses (#3412)
- 189fc4b Update CHANGELOG.md, fix typo(s) (#3406)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)