[codex] Consolidate June 29 dependency refresh #8692
Aragora Code Review
Advisory-only review. No issues found.
Claude independent model review
Reviewer: claude (anthropic) — independent adversarial model review via the Aragora Claude reviewer, grounded on the exact PR head.
Verdict: PASS
Routine dependency-bump PR with no code changes. pyproject.toml constraints (click 8.4.1→8.4.2, typer 0.26.7→0.26.8, pytest 9.1.0→9.1.1, pre-commit 4.0→4.6.0) match uv.lock, and package.json bumps (@xyflow/react, mermaid 11.15→11.16, swr, @next/bundle-analyzer, @playwright/test) match package-lock.json. Transitive bumps (katex 0.16.33→0.16.47, dompurify floor ^3.3.3, cytoscape, dayjs, @mermaid-js/parser) are security-positive, no downgrades.
dogfood: yes
Grok independent model review
Reviewer: grok (xai) — independent adversarial model review via Grok Build CLI harness, grounded on the exact PR head.
Verdict: PASS
dogfood: yes
Summary
Consolidates the fresh June 29 blocked dependency PR wave for the lowest-risk set:
aragora/live: @xyflow/react 12.11.1, @next/bundle-analyzer 16.2.9, swr 2.4.2, @playwright/test 1.61.1, mermaid 11.16.0
click 8.4.2, typer 0.26.8, pytest 9.1.1, pre-commit >=4.6.0 constraint
Supersedes Dependabot PRs #8680, #8681, #8682, #8683, #8685, #8686, #8687, #8688, and #8689. Leaves #8684 (sdk/typescript dependency group) out because it is a larger SDK-only lockfile update and should stay in its own validation lane.
Validation
npm ci --ignore-scripts --no-audit --no-fund
npm run lint
npm test -- --runInBand — 257 passed, 1 skipped; 4025 tests passed, 27 skipped
npm run build:runtime
uv lock --check
ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test aragora --help
ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test --with numpy python -m pytest tests/cli/test_worktree_command.py tests/cli/test_verify.py tests/cli/test_tasks_command.py -q — 58 passed
bash scripts/automation_pr_preflight.sh origin/main HEAD
Notes
A broad ARAGORA_USE_SECRETS_MANAGER=0 uv run --extra test python -m pytest tests/cli -q run fails before exercising this dependency refresh because the session autouse fixture imports numpy, while the [test] extra does not install numpy. The focused CLI subset above was rerun with --with numpy to satisfy that existing test-environment requirement.