build(deps): consolidated dependabot updates (2026-05-27)

[ibutterbot]

Consolidated Dependabot Updates

This PR consolidates the following dependabot dependency bumps into a single PR to avoid poetry.lock conflicts:

• build(deps): bump pytest-rerunfailures from 16.1 to 16.2 #20952 — build(deps): bump pytest-rerunfailures from 16.1 to 16.2
• build(deps): bump ruff from 0.15.8 to 0.15.13 #20951 — build(deps): bump ruff from 0.15.8 to 0.15.13
• build(deps): bump boto3 from 1.43.11 to 1.43.14 #20950 — build(deps): bump boto3 from 1.43.8 to 1.43.11
• build(deps): bump lxml from 6.1.0 to 6.1.1 #20949 — build(deps): bump lxml from 6.1.0 to 6.1.1
• build(deps): bump types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518 #20948 — build(deps): bump types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518
• build(deps): bump types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518 #20947 — build(deps): bump types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518
• build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 #20944 — build(deps): bump github/codeql-action from 4.35.4 to 4.35.5
• build(deps): bump chialisp from 0.4.1 to 0.4.5 #20919 — build(deps): bump chialisp from 0.4.1 to 0.4.5
• build(deps): bump aiohttp from 3.13.4 to 3.13.5 #20796 — build(deps): bump aiohttp from 3.13.4 to 3.13.5

Skipped (cherry-pick conflicts)

• build(deps): bump tmp from 0.2.5 to 0.2.7 in /build_scripts/npm_windows #20953

---

Generated by dependabot-consolidator

---

Note

High Risk
Unresolved conflicts leave invalid YAML and Python, and the wallet sync conflict touches peer validation logic if merged incorrectly.

Overview
This PR is meant to roll up several Dependabot bumps into one change set (pyproject.toml / poetry.lock plus CI pins such as CodeQL v4.35.5). The lockfile diff clearly moves aiohttp from 3.13.4 to 3.13.5 and updates the Poetry content hash.

The branch is not mergeable as shown: Git conflict markers (<<<<<<<, =======, >>>>>>>) are still present across installer workflows (e.g. actions/setup-node v6.4.0 vs v6.3.0, configure-aws-credentials v6.1.1 vs v6.1.0), codeql-analysis.yml (init/autobuild/analyze v4.35.4 vs v4.35.5), pyproject.toml (competing floors for aiohttp, boto3, chialisp, ruff, pytest-rerunfailures, lxml, type stubs), and chia/wallet/wallet_node.py plus chia/_tests/wallet/test_wallet_node.py (HEAD’s request_and_validate_header_block path vs the older inline request_header_blocks validation).

Until those conflicts are resolved to the intended bumped versions (and the wallet refactor is chosen consistently with its tests), workflows will not parse and Python will not import.

^{Reviewed by Cursor Bugbot for commit bfa7e21. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit bfa7e21. Configure here.}

[cursor]

Unresolved merge conflict markers in production code

High Severity

Unresolved git merge conflict markers (<<<<<<<, =======, >>>>>>>) are present throughout the entire PR — in wallet_node.py (production code), pyproject.toml (build config), test_wallet_node.py, and all GitHub Actions workflow YAML files. This will cause Python syntax errors at import time for wallet_node.py, make pyproject.toml unparseable (breaking all dependency resolution and builds), and fail every CI workflow due to invalid YAML. The dependabot consolidation script clearly did not resolve the cherry-pick conflicts before committing.

Additional Locations (2)

• pyproject.toml#L47-L84
• chia/_tests/wallet/test_wallet_node.py#L3-L31

 

^{Reviewed by Cursor Bugbot for commit bfa7e21. Configure here.}

[ibutterbot]

Closing — replaced with a cleaner version that properly resolves conflicts and regenerates poetry.lock.