
[codex] Consolidate June 29 dependency refresh #8692

Merged
scarmani merged 1 commit into main from codex/dependency-refresh-live-python-june29 on Jun 30, 2026

@scarmani

Collaborator

Summary

Consolidates the fresh June 29 blocked dependency PR wave for the lowest-risk set:

  • aragora/live: @xyflow/react 12.11.1, @next/bundle-analyzer 16.2.9, swr 2.4.2, @playwright/test 1.61.1, mermaid 11.16.0
  • root Python constraints/lock: click 8.4.2, typer 0.26.8, pytest 9.1.1, pre-commit >=4.6.0 constraint

Supersedes Dependabot PRs #8680, #8681, #8682, #8683, #8685, #8686, #8687, #8688, and #8689. Leaves #8684 (sdk/typescript dependency group) out because it is a larger SDK-only lockfile update and should stay in its own validation lane.

Validation

  • npm ci --ignore-scripts --no-audit --no-fund
  • npm run lint
  • npm test -- --runInBand — 257 passed, 1 skipped; 4025 tests passed, 27 skipped
  • npm run build:runtime
  • uv lock --check
  • ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test aragora --help
  • ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test --with numpy python -m pytest tests/cli/test_worktree_command.py tests/cli/test_verify.py tests/cli/test_tasks_command.py -q — 58 passed
  • bash scripts/automation_pr_preflight.sh origin/main HEAD

Notes

A broad ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test python -m pytest tests/cli -q run fails before exercising this dependency refresh because the session autouse fixture imports numpy, while the [test] extra does not install numpy. The focused CLI subset above was rerun with --with numpy to satisfy that existing test-environment requirement.

@scarmani scarmani marked this pull request as ready for review June 30, 2026 02:08
@scarmani scarmani requested a review from an0mium as a code owner June 30, 2026 02:08
@github-actions

Contributor

Aragora Code Review

Advisory-only review. No issues found.

@scarmani

Collaborator Author

Claude independent model review

Reviewer: claude (anthropic) — independent adversarial model review via the Aragora Claude reviewer, grounded on the exact PR head.
Head: cbdda73 (cbdda73), committed 2026-06-29T15:03:25Z.
PR: #8692.
Model family: claude

Verdict: PASS

Routine dependency-bump PR with no code changes. pyproject.toml constraints (click 8.4.1→8.4.2, typer 0.26.7→0.26.8, pytest 9.1.0→9.1.1, pre-commit 4.0→4.6.0) match uv.lock, and package.json bumps (@xyflow/react, mermaid 11.15→11.16, swr, @next/bundle-analyzer, @playwright/test) match package-lock.json. Transitive bumps (katex 0.16.33→0.16.47, dompurify floor ^3.3.3, cytoscape, dayjs, @mermaid-js/parser) are security-positive, no downgrades.

  • [P3] aragora/live/package-lock.json:67-70 — a workspace/sub-package lock entry bumps @types/node ^25.2.3→^26.0.0 (a major bump, the only one here), but no corresponding sub-package package.json appears in the 4-file diff. Confirm that manifest change is committed; otherwise npm ci drifts/npm install reverts the lock, and the major @types/node jump can surface TS type-check breakage at build.

dogfood: yes
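
The manifest-versus-lock comparison that the [P3] finding above asks a reviewer to confirm, written as an added example that is not part of the PR, the review comment, or the Aragora code base. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function name, the `packages/ui` workspace and the sample data are hypothetical and constructed.

```javascript
// Added example (not from the PR): compare the ranges a package-lock.json
// (lockfileVersion 2 or 3) recorded for each manifest with the manifests themselves.
// Scope assumption: only "dependencies" and "devDependencies" are compared.
const DEP_FIELDS = ["dependencies", "devDependencies"];

// lock: parsed package-lock.json
// manifests: { "<dir relative to the lock, '' for root>": parsed package.json }
function findLockDrift(lock, manifests) {
  const findings = [];
  for (const [dir, entry] of Object.entries(lock.packages || {})) {
    // Entries under node_modules/ are installed copies or workspace links, not manifests.
    if (/(^|\/)node_modules\//.test(dir) || entry.link) continue;
    const manifest = manifests[dir];
    if (!manifest) {
      // The lock references a manifest that was not supplied (e.g. not in the diff).
      findings.push({ dir, kind: "manifest-missing" });
      continue;
    }
    for (const field of DEP_FIELDS) {
      const locked = entry[field] || {};
      const declared = manifest[field] || {};
      for (const name of new Set([...Object.keys(locked), ...Object.keys(declared)])) {
        if (locked[name] !== declared[name]) {
          findings.push({ dir, kind: "range-mismatch", field, name,
            locked: locked[name] ?? null, declared: declared[name] ?? null });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the lock was regenerated with a newer range for a
// hypothetical workspace "packages/ui", but its package.json was not updated.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", workspaces: ["packages/*"], devDependencies: { swr: "^2.4.2" } },
    "packages/ui": { name: "ui", devDependencies: { "@types/node": "^26.0.0" } },
    "node_modules/ui": { resolved: "packages/ui", link: true },
    "node_modules/@types/node": { version: "26.0.0" },
  },
};
const sampleManifests = {
  "": { name: "demo", devDependencies: { swr: "^2.4.2" } },
  "packages/ui": { name: "ui", devDependencies: { "@types/node": "^25.2.3" } },
};
console.log(findLockDrift(sampleLock, sampleManifests));
```

On a real checkout, build `manifests` by reading `package.json` from each key of `lock.packages` that is not under `node_modules/`.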

@scarmani

Collaborator Author

Grok independent model review

Reviewer: grok (xai) — independent adversarial model review via Grok Build CLI harness, grounded on the exact PR head.
Head: cbdda73 (cbdda73), committed 2026-06-29T15:03:25Z.
PR: #8692.
Model family: grok

Verdict: PASS

  • [P3] aragora/live/package.json @playwright/test moves to 1.61.1 while uv.lock still resolves Python playwright at 1.60.0; the npm/Python skew widens and can cause browser/driver mismatches in mixed e2e setups until both sides are aligned.
  • [P3] aragora/live/package.json (@xyflow/react ^12.11.1) — upstream no longer fires onPaneClick when a connection drag ends on the pane; WorkflowCanvas.tsx uses onPaneClick for deselection, so verify workflow-builder UX after connect-drag-to-empty-canvas.
  • [P3] PR scope — lockfile-only refresh across Python and aragora/live with no in-diff build/test signal; canvas (xyflow), SWR consumers, and CLI (click/typer) paths warrant CI confirmation before merge.

dogfood: yes
