build(deps): consolidated dependabot updates (2026-05-27)

[ibutterbot]

Consolidated Dependabot Updates

This PR consolidates the following dependabot dependency bumps into a single PR to avoid poetry.lock conflicts:

• build(deps): bump pytest-rerunfailures from 16.1 to 16.2 #20952 — bump pytest-rerunfailures from 16.1 to 16.2
• build(deps): bump ruff from 0.15.8 to 0.15.13 #20951 — bump ruff from 0.15.8 to 0.15.13
• build(deps): bump boto3 from 1.43.11 to 1.43.13 #20950 — bump boto3 from 1.43.8 to 1.43.11
• build(deps): bump lxml from 6.1.0 to 6.1.1 #20949 — bump lxml from 6.1.0 to 6.1.1
• build(deps): bump types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518 #20948 — bump types-pyyaml from 6.0.12.20260510 to 6.0.12.20260518
• build(deps): bump types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518 #20947 — bump types-aiofiles from 25.1.0.20260508 to 25.1.0.20260518
• build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 #20944 — bump github/codeql-action from 4.35.4 to 4.35.5
• build(deps): bump chialisp from 0.4.1 to 0.4.5 #20919 — bump chialisp from 0.4.1 to 0.4.5
• build(deps): bump aiohttp from 3.13.4 to 3.13.5 #20796 — bump aiohttp from 3.13.4 to 3.13.5

poetry.lock has been regenerated.

Skipped

• build(deps): bump tmp from 0.2.5 to 0.2.7 in /build_scripts/npm_windows #20953 (tmp npm bump — package-lock.json conflict, not a poetry dep)

---

Generated by dependabot-consolidator

---

Note

Low Risk
Changes are mostly documentation and CI configuration; the new dependency-review workflow affects bot PRs only and does not alter node consensus or runtime code paths.

Overview
This PR adds a large .cursor/ documentation and rules layer (deep context for consensus, mempool, full node, wallet, networking, CLVM, plus testing guides and routing rules) and changes .gitignore so those paths are tracked in git.

CI and release automation are updated across many workflows: GitHub Actions artifact upload/download major versions, macOS runners moved to macOS 15, Python 3.14 added to several matrices, BLOCKS_AND_PLOTS_VERSION bumped to 0.45.16, shallower checkouts in test-single, optional Blacksmith runners for private-repo Linux/Windows tests, and pinned versions for Node, CodeQL, AWS credentials, and dependency-review.

A new Dependency Cursor Review workflow runs on Dependabot/Renovate PRs: parses PR metadata, checks out the upstream dependency, runs heuristic/malware scans on changed files, optionally invokes Cursor CLI for malware + compatibility notes, and posts/updates a marked PR comment.

Pre-commit narrows the ChiaLisp pretty-printer hook from the repo root to the chia tree.

^{Reviewed by Cursor Bugbot for commit d467048. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d467048. Configure here.}

[cursor]

CodeQL action pinned to old version instead of new

Low Severity

The PR description states this bumps github/codeql-action from 4.35.4 to 4.35.5, but all three action references (init, autobuild, analyze) were pinned to @v4.35.4 — the old version. Previously the floating @v4 tag was used, which would have resolved to the latest v4.x. The intended target version @v4.35.5 was never applied.

Additional Locations (2)

• .github/workflows/codeql-analysis.yml#L60-L61
• .github/workflows/codeql-analysis.yml#L73-L75

 

^{Reviewed by Cursor Bugbot for commit d467048. Configure here.}

[ibutterbot]

Closing — the diff included the entire repo due to a shallow clone bug. Will redo.