fix: restore security dep versions reverted by conductor-clients-alias merge#406
Merged
…-alias The feat/conductor-clients-alias PR accidentally reverted security fixes from fix/security-dependency-bumps: python >=3.9 (should be >=3.10), requests >=2.31.0 (should be >=2.33.0), pytest ^8.4.1 (should be ^9.0.3), and removed pygments >=2.20.0. This left filelock>=3.20.3 (Python >=3.10 only) in dev deps while the Python floor was 3.9, breaking poetry lock and the Harness Worker Image build. Restores all four security settings and regenerates poetry.lock.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
v1r3n approved these changes on Apr 24, 2026
## Summary

The `feat/conductor-clients-alias` PR (#404) accidentally reverted four security fixes from `fix/security-dependency-bumps` (#382):

| Setting | Correct | Reverted to |
| --- | --- | --- |
| `python` | `>=3.10` | `>=3.9` |
| `requests` | `>=2.33.0` | `>=2.31.0` |
| `pytest` | `^9.0.3` | `^8.4.1` |
| `pygments` (dev) | `>=2.20.0` | removed |
| ruff `target-version` | `py310` | `py39` |

This left `filelock>=3.20.3` (which requires Python >=3.10) in dev deps while the Python floor was reset to 3.9, making `poetry lock` unsolvable — which broke the Harness Worker Image build on every push to `main`.

Also syncs `requirements.txt` with `pyproject.toml` main deps: `requests >= 2.31.0` → `>=2.33.0`, loose-pins `typing-extensions`, adds `h2 >= 4.1.0` and the `httpx[http2]` extra.

### When did Python 3.9 actually become unsupported?

February 27, 2026 — commit `c09ea520` ("Bump vulnerable dependencies") added `filelock>=3.20.3` and `virtualenv>=20.36.1` as dev deps. `filelock>=3.20.3` requires Python >=3.10, so 3.9 became de facto incompatible at that point.

The `python = ">=3.10"` constraint was only written explicitly in the `fix/security-dependency-bumps` PR on April 23, 2026, but the effective EOL for 3.9 in this repo dates back ~2 months earlier.

**User impact:** The Docker harness worker image build has been failing on every merge to `main` since #404 landed. This restores the security settings and regenerates `poetry.lock`, unblocking CI.

## Test plan

- `main`
- `poetry lock` runs without error locally (verified ✓)

🤖 Generated with Claude Code
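The regression described in this PR (a merge silently lowering security-motivated version floors, and a dev dependency whose Python requirement is above the project's Python floor, which makes `poetry lock` unsolvable) can be caught before merge with a small guard. The script below is an added example, not the project's own code or tooling. It assumes the floors and the `filelock` Python requirement stated in the PR description, parses only the simple `name = "spec"` form of Poetry dependency tables (a hypothetical simplification; real `pyproject.toml` files can use inline tables), and both `pyproject.toml` fragments are constructed to mirror the reverted and restored states.

```python
"""Constructed example (not the PR's or the Conductor project's own code):
a pre-merge guard for the two failure modes the PR describes.

1. A merge lowering a dependency's constraint below a recorded security
   floor, or dropping the dependency altogether.
2. A dependency whose own Python requirement exceeds the project's Python
   floor, which is what made `poetry lock` unsolvable here.
Only the simple `name = "spec"` form of Poetry dependency tables is parsed.
"""
import re

# Floors the PR restores; values taken from the PR description.
SECURITY_FLOORS = {
    "python": ">=3.10",
    "requests": ">=2.33.0",
    "pytest": "^9.0.3",
    "pygments": ">=2.20.0",
}

# Python requirement of dependencies we know about. The filelock value is the
# one stated in the PR; a real guard would fill this table from package metadata.
REQUIRES_PYTHON = {"filelock": (3, 10)}

# Constructed pyproject.toml fragment in the reverted state the PR describes.
REVERTED_PYPROJECT = """\
[tool.poetry.dependencies]
python = ">=3.9"
requests = ">=2.31.0"

[tool.poetry.group.dev.dependencies]
pytest = "^8.4.1"
filelock = ">=3.20.3"
"""

# Constructed fragment in the restored state.
RESTORED_PYPROJECT = """\
[tool.poetry.dependencies]
python = ">=3.10"
requests = ">=2.33.0"

[tool.poetry.group.dev.dependencies]
pytest = "^9.0.3"
pygments = ">=2.20.0"
filelock = ">=3.20.3"
"""


def parse_version(text):
    """'3.20.3' -> (3, 20, 3); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def lower_bound(spec):
    """Lowest version a Poetry constraint admits ('^', '~', '>=', '==', '>' or bare).
    Returns None when no clause gives a lower bound (e.g. '<2.0' or '*')."""
    for clause in spec.split(","):
        m = re.match(r"^(?:\^|~|>=|==|>)?\s*(\d[\d.]*)$", clause.strip())
        if m:
            return parse_version(m.group(1))
    return None


def dependencies(pyproject_text):
    """Collect name -> spec from every [tool.poetry...dependencies] table."""
    deps, in_dep_table = {}, False
    for line in pyproject_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_dep_table = line.startswith("[tool.poetry") and line.endswith("dependencies]")
        elif in_dep_table and "=" in line and not line.startswith("#"):
            name, _, spec = line.partition("=")
            spec = spec.strip()
            if spec.startswith("{"):  # inline-table form is not handled here
                continue
            deps[name.strip().lower()] = spec.strip('"')
    return deps


def lowered_floors(pyproject_text, floors=SECURITY_FLOORS):
    """Names whose constraint is missing or admits a version below its floor."""
    deps = dependencies(pyproject_text)
    bad = []
    for name, floor in floors.items():
        bound = lower_bound(deps[name]) if name in deps else None
        if bound is None or bound < lower_bound(floor):
            bad.append(name)
    return sorted(bad)


def python_floor_conflicts(pyproject_text, requires_python=REQUIRES_PYTHON):
    """Dependencies whose Python requirement is above the project's Python floor."""
    deps = dependencies(pyproject_text)
    project_floor = lower_bound(deps.get("python", "0")) or (0,)
    return sorted(name for name, needed in requires_python.items()
                  if name in deps and needed > project_floor)


if __name__ == "__main__":
    print("reverted, lowered floors:", lowered_floors(REVERTED_PYPROJECT))
    print("reverted, python conflicts:", python_floor_conflicts(REVERTED_PYPROJECT))
    print("restored, lowered floors:", lowered_floors(RESTORED_PYPROJECT))
    print("restored, python conflicts:", python_floor_conflicts(RESTORED_PYPROJECT))
```

Run against the reverted fragment it reports `python`, `requests`, `pytest` and the missing `pygments` as lowered floors and `filelock` as a Python-floor conflict; against the restored fragment both lists are empty. Wiring a check like this into CI as a required status turns a silent revert of a security bump into a failed check rather than a broken image build discovered after merge.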