Python: Update chromadb requirement from <1.4,>=0.5 to >=0.5,<1.6 in /python #13951
dependabot[bot] wants to merge 1 commit into main from
Updates the requirements on [chromadb](https://github.com/chroma-core/chroma) to permit the latest version.
- [Release notes](https://github.com/chroma-core/chroma/releases)
- [Changelog](https://github.com/chroma-core/chroma/blob/main/RELEASE_PROCESS.md)
- [Commits](chroma-core/chroma@0.5.0...1.5.8)

---
updated-dependencies:
- dependency-name: chromadb
  dependency-version: 1.5.8
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Automated Code Review
Reviewers: 4 | Confidence: 93%
✓ Correctness
This is a simple upper-bound version bump for the chromadb dependency from < 1.4 to < 1.6. The change allows users to install newer chromadb versions. The existing code imports standard chromadb public APIs (Client, Collection, GetResult, QueryResult, ClientAPI, Settings, EmbeddingFunction, Space, and collection configuration classes) which are stable across minor versions. No correctness issues found.
✓ Security Reliability
This is a minimal, low-risk change that widens the upper version bound for the chromadb optional dependency from < 1.4 to < 1.6. There are no security or reliability concerns — it simply allows users to install newer chromadb versions (1.4.x and 1.5.x) which may contain their own bug fixes and security patches. No injection risks, secrets, resource leaks, or unsafe patterns are introduced.
✓ Test Coverage
This is a minor dependency upper-bound bump for chromadb from < 1.4 to < 1.6 in pyproject.toml. The existing unit tests in tests/unit/connectors/memory/test_chroma.py use MagicMock for the chromadb client, so they verify connector logic but don't exercise real chromadb API compatibility. No new behavior is introduced by relaxing a version constraint, so no new tests are strictly required. The existing test suite remains valid.
✗ Design Approach
I found one design-level issue: this PR widens the supported chromadb range to include 1.4/1.5 without any corresponding compatibility work or PR-time validation for the actual Chroma integration. That is risky here because the connector imports and calls Chroma-specific APIs directly, while the only pull-request coverage for Chroma is mocked unit tests; the real memory integration suite runs later in non-PR merge-gate/scheduled workflows.
Flagged Issues
- python/pyproject.toml:80 widens supported Chroma versions to <1.6, but the Chroma connector is tightly coupled to specific Chroma APIs (python/semantic_kernel/connectors/chroma.py:9-13, 123-180) and the PR path does not exercise a real Chroma client. Unit tests mock ClientAPI (python/tests/unit/connectors/memory/test_chroma.py:12-116), while the real memory integration suite only runs in non-PR jobs (.github/workflows/python-integration-tests.yml:299-355, 357-462). The better approach is to keep the existing cap until compatibility with 1.4/1.5 is explicitly verified, or add/update coverage that validates the connector against the newly admitted versions before widening the dependency range.
Automated review by dependabot[bot]'s agents
| ] | ||
| chroma = [ | ||
| "chromadb >= 0.5,< 1.4" | ||
| "chromadb >= 0.5,< 1.6" |
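Review bot: The new specifier "chromadb >= 0.5,< 1.6" in the chroma extra raises the ceiling by two minor series (1.4.x and 1.5.x) in one step while leaving the floor at 0.5, so the declared range now runs from 0.5 through the latest 1.5.x and an unconstrained install of the extra will pick up whatever 1.5.x release is newest at that moment. Nothing in this hunk pins or exercises either end of that range. Consider pairing the bump with a PR-time job that installs the extra at the floor and at the new ceiling and runs the connector against a real client, or raising the cap one series at a time so a regression can be attributed to a single release line.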
This advertises support for Chroma 1.4/1.5, but the connector depends on Chroma-specific APIs (python/semantic_kernel/connectors/chroma.py:9-13, 123-180) and PR-time coverage does not exercise a real Chroma client: the unit tests mock ClientAPI (python/tests/unit/connectors/memory/test_chroma.py:12-116), while the real memory integration tests only run in non-PR jobs (.github/workflows/python-integration-tests.yml:299-355, 357-462). Please either keep the old cap until compatibility is verified, or add coverage that validates the connector against the newly admitted versions before widening the range.
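The review's point that mocked unit tests cannot validate compatibility with a newly admitted version can be shown in a few lines. This is an added illustration, not code from the pull request or from chromadb: `ClientV1`, `ClientV2` and `connector_setup` are constructed stand-ins, and nothing here asserts that any chromadb release actually renamed a method.

```python
"""Added illustration: why a bare MagicMock cannot detect client API drift."""
from unittest.mock import MagicMock, create_autospec


class ClientV1:
    """Constructed stand-in for a vector-store client (not chromadb's API)."""

    def get_or_create_collection(self, name):
        return {"name": name}


class ClientV2:
    """Constructed 'newer release' in which the method was renamed."""

    def ensure_collection(self, name):
        return {"name": name}


def connector_setup(client, name="memories"):
    """Hypothetical connector code written against ClientV1."""
    return client.get_or_create_collection(name)


def passes_with(client):
    """Return True if connector_setup runs without an API mismatch error."""
    try:
        connector_setup(client)
        return True
    except (AttributeError, TypeError):
        return False


def run_matrix():
    """Exercise the connector against each kind of test double."""
    return {
        # A bare MagicMock fabricates any attribute, so drift is invisible.
        "bare_mock": passes_with(MagicMock()),
        # Autospec of the API the connector was written for: passes.
        "autospec_v1": passes_with(create_autospec(ClientV1, instance=True)),
        # Autospec of the drifted API: the missing method is caught.
        "autospec_v2": passes_with(create_autospec(ClientV2, instance=True)),
        # Real objects are what an integration test would exercise.
        "real_v1": passes_with(ClientV1()),
        "real_v2": passes_with(ClientV2()),
    }


if __name__ == "__main__":
    for kind, ok in run_matrix().items():
        print(f"{kind:12} {'pass' if ok else 'FAIL'}")
```

A spec'd mock only helps if it is built from the installed library's own classes, and only an install of each admitted version followed by a real-client run confirms behaviour as well as signatures.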
Updates the requirements on chromadb to permit the latest version.
Release notes
Sourced from chromadb's releases.
Commits
- 124a6cb [RELEASE] Python 1.5.8 JS 3.4.4 Rust 0.14.0 (#6921)
- 0367cb4 [ENH] Add IndexAndAdaptiveWal to clients (#6918)
- f749f58 [ENH] Add IndexAndBoundedWal read level (#6914)
- db9a8bd [ENH] Use the official Rust client in the CLI (#6906)
- f9a7f68 ENH: add optional upload fault injector (#6849)
- c94eb76 [ENH]: Change retry rate limits in s3 client (#6917)
- a760f7e ENH: add fault injection control plane (#6795)
- a5a919a [ENH]: Make compaction client grpc timeout configurable (#6902)
- 47b2948 [ENH] Update stars/followers count (#6908)
- 71afcf0 [ENH] add MCMR property tests and fix dirty log detection (#6835)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)