build(deps): bump types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518#20948
dependabot[bot] wants to merge 1 commit into
Conversation
🤖 Cursor Dependency Analysis
Supply-Chain Malware Review
Investigating the dependency update and malware scan findings for this types-pyyaml bump.
Summary: This is a routine typeshed stub refresh with no signs of compromise. The malware scanner's two heuristic warnings are false positives for this package class.
Evidence by category
Scanner findings (disagree on severity)
Action: Safe to merge from a supply-chain perspective. Optional sanity check: run mypy in CI/dev — stub-only changes could theoretically affect type-check results, but that is a typing concern, not a security one.
Compatibility Analysis
Gathering dependency usage, upstream type-stub changes, and compatibility signals for this bump.
Compatibility & adoption analysis —
| Layer | Location |
|---|---|
| Dependency declaration | pyproject.toml — optional dev extra (types-pyyaml >= 6.0.12.20260518); locked in poetry.lock |
| Runtime PyYAML | Separate pin: pyyaml >= 6.0.2 (actual library, not this stub package) |
| Type-checking | Pulled in only with [dev] extras for mypy |
Code that imports yaml (stub-relevant, all use high-level APIs):
- chia/util/config.py — yaml.safe_load, yaml.safe_dump
- chia/util/file_keyring.py — yaml.safe_load, yaml.safe_dump
- chia/util/virtual_project_analysis.py — yaml.safe_load
- chia/data_layer/util/plugin.py, chia/data_layer/s3_plugin_service.py — yaml.safe_load, yaml.safe_dump
- chia/cmds/{init_funcs,configure,dump_keyring,dev/gh}.py — yaml.safe_load, yaml.safe_dump, yaml.dump
- Tests: chia/_tests/core/util/test_config.py, chia/_tests/tools/test_virtual_project.py
No direct use of yaml.constructor, custom loaders, add_constructor, etc.
2) Intersection with upstream changes
Upstream typeshed diff between these releases (.upstream-dependency, stubs/PyYAML/):
| Commit | Date | Change |
|---|---|---|
| 9f3a260bb — constructor type hints | May 9 | Adds bool annotations to construct_object / construct_pairs — already in 20260510 |
| 5372bd5c9 — black 26.5.0 | May 17 | Formatting only: blank lines between overloads in yaml/__init__.pyi and yaml/_yaml.pyi |
Overlap with Chia usage: None meaningful. Chia calls only safe_load / safe_dump / dump; the delta between versions is whitespace in stub files, not signature changes to those APIs.
3) Risks / unknowns
| Risk | Severity |
|---|---|
| Runtime behavior | None — types-pyyaml is stubs-only; not shipped in production installs |
| Build / CI (mypy) | Very low — no semantic stub changes in this bump; unlikely to introduce new mypy errors |
| Malware scan heuristics | False positives — ghost_version_or_missing_tag (date-suffixed PyPI releases) and maintainer_drift (npm heuristic on a Python stub package) |
| Unknown | Whether CI mypy job has already run green on this PR (standard gate, not a blocker for merge given the diff) |
4) Recommendation: merge
Routine typeshed stub refresh with formatting-only changes between the two versions. No intersection with Chia’s YAML usage patterns, no runtime impact, and no meaningful typing-risk surface. Safe to merge; optional confirmation is a green mypy CI check if not already present.
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 0
- Resolution strategy: unresolved
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved refs: from=n/a to=n/a
- Unicode findings (post-allowlist): 0
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 2
Top findings
- types-pyyaml:0 ghost_version_or_missing_tag :: 6.0.12.20260518
- types-pyyaml:0 maintainer_drift :: 6.0.12.20260510->6.0.12.20260518
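The "no intersection" conclusion above rests on knowing which yaml APIs the code base actually calls. The following added example (not Chia's code and not part of this PR) mechanises that check with the standard-library `ast` module: it records every `yaml.<name>` call, subclasses of PyYAML Loader/Constructor classes, and `yaml.load` calls with no explicit Loader, then reports whether a module stays within the high-level API set. The two sample modules, their file names and contents are constructed for the demo and stand in for the repository's real files; the `HIGH_LEVEL` and `EXTENSION_POINTS` sets are the reviewer's own grouping, not a PyYAML or typeshed classification.

```python
"""Enumerate the PyYAML APIs a Python code base actually calls (added example)."""
import ast
from collections import defaultdict

# High-level entry points; the review found Chia calls only safe_load/safe_dump/dump.
HIGH_LEVEL = {"safe_load", "safe_dump", "safe_load_all", "safe_dump_all", "dump", "dump_all"}
# Extension points whose stubs live in constructor.pyi / representer.pyi, so a
# change to those stub files only matters to modules that reach them.
EXTENSION_POINTS = {"add_constructor", "add_multi_constructor", "add_representer",
                    "add_multi_representer", "construct_object", "construct_pairs"}


def _dotted(node):
    # Turn an Attribute/Name chain such as yaml.constructor.X into 'yaml.constructor.X'.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class YamlAuditor(ast.NodeVisitor):
    """Collect yaml.* calls, Loader/Constructor subclasses and yaml.load() without Loader."""

    def __init__(self):
        self.module_names = set()        # names bound to the yaml module (import yaml [as y])
        self.aliases = {}                # local name -> 'yaml.<name>' (from yaml import x [as y])
        self.calls = defaultdict(list)   # 'yaml.<api>' -> line numbers
        self.custom_loaders = []         # (class name, base, line)
        self.loads_without_loader = []   # lines calling yaml.load with no Loader given

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "yaml":
                self.module_names.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "yaml":
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = "yaml." + alias.name
        self.generic_visit(node)

    def _resolve(self, node):
        # Map a call target or base class back to its 'yaml.<...>' name, or None.
        dotted = _dotted(node)
        if dotted is None:
            return None
        root, _, rest = dotted.partition(".")
        if root in self.module_names and rest:
            return "yaml." + rest
        if root in self.aliases:
            return self.aliases[root] + ("." + rest if rest else "")
        return None

    def visit_Call(self, node):
        api = self._resolve(node.func)
        if api:
            self.calls[api].append(node.lineno)
            # yaml.load needs an explicit Loader (positional or keyword); PyYAML 6
            # rejects the call otherwise, older releases fell back to the full loader.
            if api == "yaml.load" and len(node.args) < 2 and not any(
                kw.arg == "Loader" for kw in node.keywords
            ):
                self.loads_without_loader.append(node.lineno)
        self.generic_visit(node)

    def visit_ClassDef(self, node):
        for base in node.bases:
            api = self._resolve(base)
            if api and api.endswith(("Loader", "Constructor")):
                self.custom_loaders.append((node.name, api, node.lineno))
        self.generic_visit(node)


def audit_source(path: str, code: str) -> dict:
    """Audit one module's source text and summarise its yaml usage."""
    auditor = YamlAuditor()
    auditor.visit(ast.parse(code, filename=path))
    short_names = {api.split(".")[-1] for api in auditor.calls}
    return {
        "path": path,
        "apis": sorted(auditor.calls),
        "high_level_only": short_names <= HIGH_LEVEL and not auditor.custom_loaders,
        "extension_points": sorted(a for a in auditor.calls if a.split(".")[-1] in EXTENSION_POINTS),
        "custom_loaders": auditor.custom_loaders,
        "loads_without_loader": auditor.loads_without_loader,
    }


def audit_all(sources: dict) -> dict:
    """Audit a {path: source} mapping; in a real run, build it by walking the repo."""
    return {path: audit_source(path, code) for path, code in sources.items()}


# Constructed stand-ins: config.py mirrors the safe_load/safe_dump pattern the
# review found; plugin_ext.py is a hypothetical module that reaches the constructor layer.
SAMPLES = {
    "config.py": """\
import yaml
def load_config(text):
    return yaml.safe_load(text)
def save_config(cfg):
    return yaml.safe_dump(cfg)
""",
    "plugin_ext.py": """\
import yaml
from yaml import load
class MyLoader(yaml.SafeLoader):
    pass
def ctor(loader, node):
    return node.value
yaml.add_constructor('!x', ctor, Loader=MyLoader)
def parse(text):
    return load(text)
""",
}

if __name__ == "__main__":
    for report in audit_all(SAMPLES).values():
        print(report)
```

Run against a real tree by reading each `*.py` file into the `sources` mapping; a module whose report says `high_level_only` is unaffected by stub changes confined to constructor.pyi, while any entry under `extension_points` or `custom_loaders` is exactly the place to re-run mypy after such a bump.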
Coverage Report for CI Build 26484009213
Coverage decreased (-0.03%) to 91.471%
Details
Uncovered Changes: No uncovered changes found.
Coverage Regressions: 43 previously-covered lines in 5 files lost coverage.
Coverage Stats
💛 - Coveralls
Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.0 → 0.15.13
- boto3 1.42.45 → 1.43.11
- lxml 6.0.2 → 6.1.1
- types-pyyaml 6.0.12.20250915 → 6.0.12.20260518
- types-aiofiles 25.1.0.20251011 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.3 → 3.13.5
Consolidates: Chia-Network#20952, Chia-Network#20951, Chia-Network#20950, Chia-Network#20949, Chia-Network#20948, Chia-Network#20947, Chia-Network#20919, Chia-Network#20796
Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.8 → 0.15.13
- boto3 1.43.8 → 1.43.11
- lxml 6.1.0 → 6.1.1
- types-pyyaml 6.0.12.20260510 → 6.0.12.20260518
- types-aiofiles 25.1.0.20260508 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.4 → 3.13.5
Consolidates: Chia-Network#20952, Chia-Network#20951, Chia-Network#20950, Chia-Network#20949, Chia-Network#20948, Chia-Network#20947, Chia-Network#20919, Chia-Network#20796
Bumps [types-pyyaml](https://github.com/python/typeshed) from 6.0.12.20260510 to 6.0.12.20260518.
- [Commits](https://github.com/python/typeshed/commits)
---
updated-dependencies:
- dependency-name: types-pyyaml
  dependency-version: 6.0.12.20260518
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
d4e5874 to 704a28d
🤖 Cursor Dependency Analysis
Supply-Chain Malware Review
Reviewing the dependency update: checking lockfile changes, upstream typeshed diff, and malware scanner findings.
Summary: Routine typeshed stub refresh with no malware indicators. Safe to merge from a supply-chain perspective.
Evidence by checklist
Upstream content (typeshed
Between these versions, the only PyYAML stub change is commit
Scanner findings — false positives
The scanner reported warn with 2 heuristics, but they do not indicate compromise here:
Impact in this repo
Action: Approve. The scanner warnings can be ignored for this PR; consider allowlisting typeshed date-stamped stub packages in the scanner to reduce noise on future bumps.
Compatibility Analysis
Analyzing Compatibility & adoption analysis:
| Layer | Location |
|---|---|
| Dependency declaration | pyproject.toml — optional dev dep (>=6.0.12.20260518), in [project.optional-dependencies] dev |
| Lockfile | poetry.lock — resolved to 6.0.12.20260518, extra == "dev" only |
| Type-checking | Pre-commit + CI mypy (manage-mypy.py, .pre-commit-config.yaml, .github/workflows/upload-pypi-source.yml) |
| Runtime yaml usage (typed via stubs, runs on pyyaml, not types-pyyaml) | 11 files: chia/util/config.py, file_keyring.py, virtual_project_analysis.py, data_layer/util/plugin.py, data_layer/s3_plugin_service.py, cmds/configure.py, init_funcs.py, dump_keyring.py, cmds/dev/gh.py, plus tests |
APIs actually called: yaml.safe_load, yaml.safe_dump, yaml.dump only. No use of BaseConstructor, custom loaders, or add_constructor / add_representer.
2) Intersection with upstream changes
Between the two releases, typeshed’s PyYAML stubs changed in two commits:
| Commit | Change | Intersects chia usage? |
|---|---|---|
| #15746 | construct_object / construct_pairs get deep: bool = False annotations in constructor.pyi | No — constructor APIs unused |
| #15801 | Black 26.5.0 reformat (blank lines) in __init__.pyi, _yaml.pyi | No semantic change to safe_load / safe_dump / dump signatures |
Chia’s usage sites do not overlap with the only substantive stub change.
3) Risks / unknowns
| Risk | Severity |
|---|---|
| Runtime / production | None — types-pyyaml is dev-only; runtime uses pyyaml >= 6.0.2 |
| Mypy regressions | Very low — no signature changes on APIs chia calls |
| Malware scan warnings (ghost_version_or_missing_tag, maintainer_drift) | Expected noise for typeshed dated PyPI releases; not a supply-chain signal |
| Unverified in this review | CI mypy green on the PR branch (standard sanity check) |
4) Recommendation: merge
Routine typeshed snapshot bump with no meaningful API impact on chia’s YAML usage. Zero runtime exposure; type-check risk is negligible. Merge after CI (especially mypy) passes — no caveats beyond normal CI gate.
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 0
- Resolution strategy: unresolved
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved refs: from=n/a to=n/a
- Unicode findings (post-allowlist): 0
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 2
Top findings
- types-pyyaml:0 ghost_version_or_missing_tag :: 6.0.12.20260518
- types-pyyaml:0 maintainer_drift :: 6.0.12.20260510->6.0.12.20260518
build(deps): consolidated dependabot updates
Updates poetry.lock only (pyproject.toml constraints unchanged):
- pytest-rerunfailures 16.1 → 16.2
- ruff 0.15.8 → 0.15.13
- boto3 1.43.8 → 1.43.11
- lxml 6.1.0 → 6.1.1
- types-pyyaml 6.0.12.20260510 → 6.0.12.20260518
- types-aiofiles 25.1.0.20260508 → 25.1.0.20260518
- chialisp 0.4.1 → 0.4.5
- aiohttp 3.13.4 → 3.13.5
Consolidates: #20952, #20951, #20950, #20949, #20948, #20947, #20919, #20796
Looks like types-pyyaml is up-to-date now, so this is no longer needed.
Bumps types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518.
Commits
Note
Low Risk
Lockfile-only dev typing stub bump with no production code or behavior changes.
Overview
Bumps the optional dev typing stub package types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518 in pyproject.toml and refreshes poetry.lock (including the lock content-hash). No application or runtime dependency changes—only mypy/type-checking stubs for PyYAML.
Reviewed by Cursor Bugbot for commit 704a28d.