chore(deps): move benchmark deps to PEP 723 scripts, patch vulns#63
Merged: thomasht86 merged 1 commit into main on May 6, 2026
…g], patch vulns

Goal: shrink the surface area surfaced by Dependabot from 30+ open alerts down to those that actually ship to users.

Benchmark group → PEP 723 inline scripts
- benchmark/server.py, benchmark.py, benchmark_cbor.py, generate_image.py now declare deps via `# /// script` blocks and run with `uv run --script benchmark/<file>.py`.
- Removed the `[benchmark]` optional-deps group from pyproject.toml.
- uv.lock loses ~4300 lines (aiohttp, requests, jupyter chain, matplotlib, pandas, fastapi, gunicorn, …), eliminating 16 transitive alerts.
- CI.yml/benchmark.yml updated: server boots via the inline script, env vars BENCHMARK_HOST/BENCHMARK_PORT control the bind address.

Docs group
- Drop the `[imaging]` extra on mkdocs-material — pillow + cairosvg were only there for social-card generation, but no `social:` plugin is configured in mkdocs.yml. Removes 6 pillow alerts from the lock.

Real vuln fixes
- pytest>=9.0.3 (CVE-listed alert #65); kept 8.x conditional for Py 3.9 since 9.x dropped 3.9 support.
- `uv lock --upgrade` brings cryptography>=47, filelock>=3.29 (Py>=3.10), certifi 2026.4.22.
- `cargo update` brings rustls-webpki 0.103.13, rand 0.8.6/0.9.4, time 0.3.47, bytes 1.11.1, tokio 1.52.2 — all transitive, Cargo.toml unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- Move `benchmark/*.py` to PEP 723 inline scripts so their deps (aiohttp, requests, jupyter chain, matplotlib, pandas, fastapi, …) never enter `uv.lock`. Run with `uv run --script benchmark/<file>.py`.
- Drop the `[imaging]` extra on `mkdocs-material` — pillow + cairosvg were only there for social-card generation, but no `social:` plugin is configured in `mkdocs.yml`.
- `pytest>=9.0.3` (kept 8.x conditional for Py 3.9 since 9.x dropped 3.9 support); `uv lock --upgrade` for cryptography/filelock/certifi.
- `cargo update` for rustls-webpki 0.103.13, rand 0.8.6/0.9.4, time 0.3.47, bytes 1.11.1, tokio 1.52.2 — all transitive.

Vulnerability impact
Of the 35 open alerts on main, this branch closes:
- [benchmark])
- jupyter in [benchmark])

Remaining: filelock 3.19.x for Py 3.9 only (3.20+ requires Py>=3.10) — dev-only, no runtime exposure.
Test plan
- lint job (ruff + mypy + cargo fmt + clippy)
- test matrix across Py 3.9–3.14
- e2e job (httpbun container)
- docs build (verifies the dropped [imaging] extra is OK)

🤖 Generated with Claude Code
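The point of moving the benchmark deps into `# /// script` blocks is that they stop appearing in `uv.lock`, so they no longer count as shipped dependencies. As an added example (not code from this PR or the project), here is a check that extracts the PEP 723 dependencies from a script and reports any that are still present in the lock file; the script and lock text are constructed samples, and the block-matching regex is the one published in PEP 723.

```python
import re
try:
    import tomllib  # stdlib TOML reader, Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Regex published in PEP 723 for locating "# /// script" metadata blocks.
PEP723_RE = r"(?m)^# /// (?P<type>[a-zA-Z0-9-]+)$\s(?P<content>(^#(| .*)$\s)+)^# ///$"

def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def script_dependencies(script_text: str) -> set:
    """Normalised package names declared in a script's PEP 723 block."""
    blocks = [m for m in re.finditer(PEP723_RE, script_text) if m.group("type") == "script"]
    if len(blocks) > 1:
        raise ValueError("multiple '# /// script' blocks found")
    if not blocks:
        return set()
    # Strip the '# ' (or bare '#') comment prefix from each line to recover the TOML.
    toml = "".join(
        line[2:] if line.startswith("# ") else line[1:]
        for line in blocks[0].group("content").splitlines(keepends=True)
    )
    return {  # distribution name is everything before extras / version / markers
        normalize(re.split(r"[\s\[<>=!~;@]", spec.strip(), maxsplit=1)[0])
        for spec in tomllib.loads(toml).get("dependencies", [])
    }

def lock_packages(lock_text: str) -> set:
    """Normalised names of every [[package]] entry in a uv.lock file."""
    return {normalize(p["name"]) for p in tomllib.loads(lock_text).get("package", [])}

def leaked_into_lock(script_text: str, lock_text: str) -> set:
    """Script-only deps that still appear in the project lock; should be empty."""
    return script_dependencies(script_text) & lock_packages(lock_text)

# Constructed sample inputs, not files from the project.
SAMPLE_SCRIPT = """\
# /// script
# dependencies = ["aiohttp>=3.9", "Requests"]
# ///
"""
SAMPLE_LOCK = """\
[[package]]
name = "requests"
version = "1.0.0"
"""
```

Run `leaked_into_lock(open("benchmark/server.py").read(), open("uv.lock").read())` in CI to fail the build if a benchmark-only package reappears in the lock.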