
build(deps): bump types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518 #20947

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/types-aiofiles-25.1.0.20260518

Conversation


@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518.

Note

Low Risk
Dev-only typing stub bump with no production dependency or logic changes.

Overview
Updates the optional dev dependency types-aiofiles (Typeshed stubs for aiofiles) from 25.1.0.20260508 to 25.1.0.20260518 in pyproject.toml, with the matching lockfile entry and content-hash refresh in poetry.lock.

No runtime or application code changes—only typing support used when installing the dev extra (e.g. with mypy).

Reviewed by Cursor Bugbot for commit ac3f48c. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot Bot added the Changed, dependencies and python labels May 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 27, 2026 00:51
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update: checking lockfile changes, upstream typeshed context, and malware scan findings.
Verdict: benign

This is a routine typeshed stub refresh, not a supply-chain compromise.

Why the scanner warnings are false positives

  • ghost_version_or_missing_tag: Typeshed publishes types-* packages with date-stamped versions (25.1.0.20260518) via automated PyPI uploads. They are not tagged individually in git, so a “missing tag” check is expected to fail here.
  • maintainer_drift (npm-maintainers): This is a PyPI package, not npm. Both 25.1.0.20260508 and 25.1.0.20260518 are published by typeshed_bot on PyPI — no publisher change.

Integrity checks (pass)

| Category | Result |
|---|---|
| Unicode / GlassWorm / IOC Scanner | 0 findings |
| Obfuscation / exec / network / install hooks | N/A — stub-only .pyi package; no runtime code or lifecycle scripts |
| Typosquatting | Legitimate typeshed package for aiofiles |
| Lockfile hashes | poetry.lock SHA256 values match PyPI exactly for wheel and sdist |
| Transitive deps | None (requires_dist: null) |
| Scope of PR | Dev-only optional dep (pyproject.toml + poetry.lock version bump only) |
| Workflow / vendor churn | No .github/workflows/, node_modules/, or unexpected file changes |

Package context

  • types-aiofiles provides type stubs for mypy/pyright against runtime aiofiles (used in Chia for async file I/O).
  • The version bump reflects a routine typeshed snapshot (2026-05-18), not a suspicious semver jump or new dependency graph.

Action: Safe to merge from a supply-chain perspective. The scanner’s warn status reflects heuristic limitations on typeshed’s publishing model, not evidence of malware.

Compatibility Analysis

I'll trace where types-aiofiles is declared and used, then compare the upstream stub changes between the two versions.

Compatibility & adoption analysis — types-aiofiles 25.1.0.20260508 → 25.1.0.20260518

1) Where it appears / is used

Dependency declaration (direct):

  • pyproject.toml — optional dev extra: types-aiofiles = { version = ">=25.1.0.20260518", ... }
  • poetry.lock — resolved in the dev group only
  • CI/pre-commit — consumed indirectly via mypy (manage-mypy.py build-mypy-ini, .pre-commit-config.yaml, .github/workflows/upload-pypi-source.yml)

Not imported anywhere. This is a typing-stub package; it does not ship at runtime.

Runtime aiofiles usage (what the stubs annotate):

| Location | API |
|---|---|
| chia/consensus/block_height_map.py | aiofiles.open(..., "rb"/"r+b"/"wb") |
| chia/server/address_manager.py | aiofiles.open(..., "rb") |
| chia/util/files.py | aiofiles.tempfile.NamedTemporaryFile(...) |
| tools/validate_rpcs.py | aiofiles.open(..., "rb") |
| benchmarks/address_manager_store.py | aiofiles.open(..., "rb") |

Runtime dep: aiofiles = ">=24.1.0" (unchanged by this PR).


2) Intersection with upstream changes

Release notes: none provided.

Upstream diff (.upstream-dependency, May 8–18): one commit touching stubs/aiofiles/ — typeshed’s Black upgrade (#15801). Changes are whitespace-only (blank-line formatting) in:

  • aiofiles/os.pyi: scandir, listdir, statvfs, etc.
  • aiofiles/tempfile/__init__.pyi — around SpooledTemporaryFile / TemporaryDirectory overloads

No signature or API changes in the stubs this repo actually uses (aiofiles.open, tempfile.NamedTemporaryFile). The repo does not call aiofiles.os.*.


3) Risks / unknowns

| Risk | Level |
|---|---|
| Runtime / production | None — stub package is dev-only |
| mypy regressions | Very low — no substantive stub changes on used APIs |
| Missing release notes | Low concern — diff is formatting-only |
| Malware scan warnings | False positives (date-stamped PyPI versions, npm-oriented maintainer check) |

Residual unknown: CI mypy pass not verified in this review; theoretically possible but unlikely given the diff.


4) Recommendation: merge

Routine typeshed snapshot bump with formatting-only stub changes. No overlap with changed APIs beyond blank lines in an unused submodule (aiofiles.os). Safe to merge; optional sanity check is that CI mypy job stays green.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-aiofiles:0 ghost_version_or_missing_tag :: 25.1.0.20260518
  • types-aiofiles:0 maintainer_drift :: 25.1.0.20260508->25.1.0.20260518

@coveralls-official

Coverage Report for CI Build 26483981430

Coverage decreased (-0.03%) to 91.467%

Details

  • Coverage decreased (-0.03%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 47 coverage regressions across 6 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

47 previously-covered lines in 6 files lost coverage.

| File | Lines Losing Coverage | Coverage |
|---|---|---|
| chia/_tests/core/util/test_lockfile.py | 24 | 77.42% |
| chia/timelord/timelord.py | 11 | 73.36% |
| chia/full_node/full_node.py | 8 | 88.1% |
| chia/timelord/timelord_launcher.py | 2 | 70.21% |
| chia/_tests/simulation/test_simulation.py | 1 | 96.5% |
| chia/wallet/wallet_node.py | 1 | 87.16% |

Coverage Stats

Coverage Status
Relevant Lines: 121996
Covered Lines: 111763
Line Coverage: 91.61%
Relevant Branches: 12032
Covered Branches: 10829
Branch Coverage: 90.0%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@emlowe emlowe removed the Changed label May 27, 2026
ibutterbot added a commit to ibutterbot/chia-blockchain that referenced this pull request May 27, 2026
Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.0 → 0.15.13
- boto3 1.42.45 → 1.43.11
- lxml 6.0.2 → 6.1.1
- types-pyyaml 6.0.12.20250915 → 6.0.12.20260518
- types-aiofiles 25.1.0.20251011 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.3 → 3.13.5

Consolidates: Chia-Network#20952, Chia-Network#20951, Chia-Network#20950, Chia-Network#20949, Chia-Network#20948, Chia-Network#20947, Chia-Network#20919, Chia-Network#20796
ibutterbot added a commit to ibutterbot/chia-blockchain that referenced this pull request May 27, 2026
Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.8 → 0.15.13
- boto3 1.43.8 → 1.43.11
- lxml 6.1.0 → 6.1.1
- types-pyyaml 6.0.12.20260510 → 6.0.12.20260518
- types-aiofiles 25.1.0.20260508 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.4 → 3.13.5

Consolidates: Chia-Network#20952, Chia-Network#20951, Chia-Network#20950, Chia-Network#20949, Chia-Network#20948, Chia-Network#20947, Chia-Network#20919, Chia-Network#20796
@github-actions github-actions Bot added the merge_conflict label (branch has conflicts that prevent merge to main) May 27, 2026
Bumps [types-aiofiles](https://github.com/python/typeshed) from 25.1.0.20260508 to 25.1.0.20260518.
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-aiofiles
  dependency-version: 25.1.0.20260518
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/types-aiofiles-25.1.0.20260518 branch from 502649f to ac3f48c May 27, 2026 17:53
@github-actions github-actions Bot removed the merge_conflict label May 27, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update: checking lockfile changes, package usage, and upstream typeshed context.
Verdict: benign

This is a routine typeshed stub refresh with no supply-chain red flags.

Top evidence

  1. Package is low-risk by design: types-aiofiles is an optional dev dependency (mypy stubs only). It ships .pyi type annotations, not runtime code. Production uses aiofiles separately; stubs are not imported at runtime.

  2. PR scope is minimal — Only pyproject.toml (constraint >=25.1.0.20260518) and poetry.lock (version + SHA256 hashes). No new transitive deps, no workflow changes, no install/lifecycle scripts.

  3. Scanner hard evidence is clean: unicode: 0, confusable: 0, ioc: 0, changed_files: 0. No obfuscation, hidden Unicode, or suspicious network/process patterns were detected.

  4. Heuristic warnings are false positives (disagree with scanner interpretation)

    • ghost_version_or_missing_tag — Expected for typeshed packages. Versions like 25.1.0.20260518 are date-stamped PyPI snapshots, not per-release git tags.
    • maintainer_drift (npm-maintainers) — Wrong ecosystem heuristic; this is a PyPI package from python/typeshed, not npm.
  5. Upstream diff is formatting-only — Between these dates, the aiofiles stub change in typeshed (5372bd5c9, “Upgrade black to 26.5.0”) is whitespace/formatting in os.pyi and tempfile/__init__.pyi — no behavioral or malicious content.

  6. Checklist categories — Classic obfuscation: none. Invisible Unicode/GlassWorm: none (scanner-confirmed). Dependency integrity: single direct bump, lockfile hashes present, no graph expansion. Dependabot context: lock/manifest only.

Action: Safe to merge from a supply-chain perspective. The scanner warn status reflects heuristic noise on typeshed’s versioning model, not actual compromise indicators.

Compatibility Analysis

Analyzing dependency usage and upstream stub changes for this types-aiofiles bump.

Compatibility and adoption analysis — types-aiofiles 25.1.0.20260508 → 25.1.0.20260518

1) Where it’s used

| Role | Location |
|---|---|
| Declared | pyproject.toml — optional dev extra (types-aiofiles); runtime dep is aiofiles >=24.1.0 |
| Lockfile | poetry.lock — dev group only |
| Runtime aiofiles | chia/consensus/block_height_map.py, chia/server/address_manager.py, chia/util/files.py (tempfile.NamedTemporaryFile), tools/validate_rpcs.py, benchmarks/address_manager_store.py |

types-aiofiles is a mypy-only stub package (dev extra). It does not ship in production installs unless dev deps are installed.

2) Intersection with upstream changes

Between these two stub releases, typeshed’s only stubs/aiofiles change is Black 26.5.0 reformatting (typeshed#15801): extra blank lines in os.pyi and tempfile/__init__.pyi. No signature, overload, or return-type changes.

Repo usage is narrow and unchanged by that diff:

  • aiofiles.open(..., "rb"|"r+b"|"wb") + read() / writes
  • tempfile.NamedTemporaryFile(..., delete=False) (already has local # type: ignore in chia/util/files.py)

No usage of aiofiles.os, threadpool.wrap, or other APIs touched in that commit.

3) Risks / unknowns

| Risk | Severity |
|---|---|
| Runtime / packaging | None — stubs are not imported at runtime |
| mypy regressions | Very low — formatting-only stub delta; worst case is unchanged ignores or trivial CI mypy noise |
| Malware heuristics (ghost_version, maintainer_drift) | Expected noise for dated types-* PyPI builds from typeshed; not indicative of a bad package |
| Release notes gap | Low impact here — upstream delta is inspectable and trivial |

Unknown: CI mypy on the full tree wasn’t run in this review; that’s the only practical verification step.

4) Recommendation

Merge.

Dev-only stub refresh with no functional typing changes relative to your aiofiles call sites. Optional sanity check: dev install + mypy on modules that import aiofiles if CI isn’t already green on the PR.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-aiofiles:0 ghost_version_or_missing_tag :: 25.1.0.20260518
  • types-aiofiles:0 maintainer_drift :: 25.1.0.20260508->25.1.0.20260518

cmmarslender pushed a commit that referenced this pull request May 27, 2026
build(deps): consolidated dependabot updates

Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.8 → 0.15.13
- boto3 1.43.8 → 1.43.11
- lxml 6.1.0 → 6.1.1
- types-pyyaml 6.0.12.20260510 → 6.0.12.20260518
- types-aiofiles 25.1.0.20260508 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.4 → 3.13.5

Consolidates: #20952, #20951, #20950, #20949, #20948, #20947, #20919, #20796

dependabot Bot commented on behalf of github May 27, 2026

Looks like types-aiofiles is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 27, 2026
@dependabot dependabot Bot deleted the dependabot/pip/types-aiofiles-25.1.0.20260518 branch May 27, 2026 19:56