chore(deps)(deps): bump the application-python group across 2 directories with 9 updates #282
Closed
dependabot[bot] wants to merge 2 commits into main from
…ries with 9 updates

Updates the requirements on [python-hcl2](https://github.com/amplify-education/python-hcl2), [checkov](https://github.com/bridgecrewio/checkov), [opencv-python](https://github.com/opencv/opencv-python), [psutil](https://github.com/giampaolo/psutil), [python-dotenv](https://github.com/theskumar/python-dotenv), [pyyaml](https://github.com/yaml/pyyaml), [pytest](https://github.com/pytest-dev/pytest), [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) and [pytest-cov](https://github.com/pytest-dev/pytest-cov) to permit the latest version.

Updates `python-hcl2` to 7.3.1
- [Release notes](https://github.com/amplify-education/python-hcl2/releases)
- [Changelog](https://github.com/amplify-education/python-hcl2/blob/main/CHANGELOG.md)
- [Commits](amplify-education/python-hcl2@v4.3.0...v7.3.1)

Updates `checkov` to 3.2.510
- [Release notes](https://github.com/bridgecrewio/checkov/releases)
- [Changelog](https://github.com/bridgecrewio/checkov/blob/main/CHANGELOG.md)
- [Commits](bridgecrewio/checkov@3.2.0...3.2.510)

Updates `opencv-python` from 4.10.0.84 to 4.13.0.92
- [Release notes](https://github.com/opencv/opencv-python/releases)
- [Commits](https://github.com/opencv/opencv-python/commits)

Updates `psutil` from 6.0.0 to 7.2.2
- [Changelog](https://github.com/giampaolo/psutil/blob/master/docs/changelog.rst)
- [Commits](giampaolo/psutil@release-6.0.0...release-7.2.2)

Updates `python-dotenv` from 1.0.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.0.1...v1.2.2)

Updates `pyyaml` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES)
- [Commits](yaml/pyyaml@6.0.2...6.0.3)

Updates `pytest` from 8.3.3 to 9.0.2
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.3...9.0.2)

Updates `pytest-asyncio` from 0.24.0 to 1.3.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v0.24.0...v1.3.0)

Updates `pytest-cov` from 5.0.0 to 7.0.0
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v5.0.0...v7.0.0)

---
updated-dependencies:
- dependency-name: python-hcl2
  dependency-version: 7.3.1
  dependency-type: direct:production
  dependency-group: application-python
- dependency-name: checkov
  dependency-version: 3.2.510
  dependency-type: direct:production
  dependency-group: application-python
- dependency-name: opencv-python
  dependency-version: 4.13.0.92
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: application-python
- dependency-name: psutil
  dependency-version: 7.2.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: application-python
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: application-python
- dependency-name: pyyaml
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: application-python
- dependency-name: pytest
  dependency-version: 9.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: application-python
- dependency-name: pytest-asyncio
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: application-python
- dependency-name: pytest-cov
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: application-python
...

Signed-off-by: dependabot[bot] <support@github.com>
Labels

The following labels could not be found: Please fix the above issues or remove invalid values from
WilliamBerryiii approved these changes Mar 20, 2026

katriendg approved these changes Mar 20, 2026
This was referenced Mar 23, 2026
katriendg added a commit that referenced this pull request Mar 25, 2026
…, and cspell v9 (#297)

This PR batches all open dependabot PRs (#271–#294) into a conflict-aware, risk-prioritized merge sequence. The changes span four ecosystems and three NPM scopes (root, *docs/_server*, *docs/assets/js*), upgrading multiple major versions while maintaining full lint and test compatibility.

> Merges all 16 open dependabot PRs into a single integration branch, covering dependency updates across NPM, Python, Rust, and GitHub Actions. Manual fix commits addressed breaking changes from eslint v10, vitest v4, and post-merge regressions from dependency resolution conflicts. Dependabot PRs will be closed when this one merges in.

### ESLint v10 Migration

Upgraded **eslint** from v9 to v10.0.3 across all three NPM scopes. ESLint v10 decoupled `@eslint/js` from its bundle, requiring it as an explicit devDependency in the root *package.json*. The existing flat config (`eslint.config.js`) required no structural changes. ESLint v10 dropped ~10 transitive dependencies including `chalk`, `lodash.merge`, `globals`, and `@eslint/eslintrc`, resulting in a leaner dependency tree. Minimum Node.js raised to `^20.19.0 || ^22.13.0 || >=24`.

### Vitest v4 and Vite 8

Upgraded **vitest** to 4.1.0 and **@vitest/coverage-v8** to 4.1.0 in both *docs/_server* and *docs/assets/js*. Vite 8 replaced Rollup with **Rolldown** (Rust-based bundler) and promoted **LightningCSS** as a direct dependency. Adapted *docs/assets/js/vitest.config.js* for three vitest v4 breaking changes: reporter `'basic'` renamed to `'default'`, `poolOptions.threads` flattened to top-level `maxThreads`/`minThreads`, and `experimentalVmThreads` removed. Migrated *docs/_server/vitest.config.js* and *docs/_server/vitest.integration.config.js* from deprecated `poolOptions.forks` to top-level `maxWorkers`.

### cspell v9

Upgraded **cspell** from v8.19.4 to v9.7.0 in root scope. All sub-packages moved in lockstep. Adds TOML config support via `smol-toml` and introduces `@cspell/cspell-worker` for improved performance. Minimum Node raised to 20.

### Python Dependency Updates

Updated root *requirements.txt*: **python-hcl2** 4.3.0→7.3.1, **checkov** 3.2.0→3.2.510. Updated *src/500-application/506-ros2-connector/services/requirements.txt* with 7 package bumps including **opencv-python** 4.10→4.13, **psutil** 6→7.2, **pytest** 8→9, and **pytest-cov** 5→7.

### Rust Security Patches

Applied **rustls-webpki** 0.103.7→0.103.10 (TLS certificate verification fix) in *502-rust-http-connector* and **tar** 0.4.44→0.4.45 (security fix) in *507-ai-inference*.

### Post-merge Fixes

Resolved several regressions surfaced during post-merge validation:

- Removed erroneous `"overrides": { "js-yaml": "^4.1.0" }` from *docs/_server/package.json* that forced `js-yaml@4` on `gray-matter` (which requires `^3.13.1`), breaking YAML frontmatter parsing and disabling path-to-kata expansion entirely.
- Added **uuid** as a direct dependency in *docs/_server/package.json* — previously resolved as a transitive dependency but lost after lock file regeneration.
- Added a third regex pattern to `parseStepsFromMarkdown` in *docs/_server/services/learning-path-manifest.js* to match the bold-title format (`- [ ] [**Kata: ...**](../katas/...)`) used in learning path markdown files.
- Fixed flaky CPU performance test in *docs/_server/tests/performance/file-watch.test.js* by widening the comparison tolerance from 1.2x to 2x to account for container environment measurement variability.
- Corrected 9 boundary assertions in *docs/_server/tests/integration/learning-path-selections.test.js* from `toBeGreaterThan` to `toBeGreaterThanOrEqual` for `selectionCount` and `selectedItems.length` checks.
- Updated *docs/_server/tests/integration/progress-endpoint.test.js* to match the current API response format (`{ progressData: [...] }`) instead of the legacy `{ katas: [], paths: [] }` structure.

### Other Updates

- Bumped **markdownlint-cli** 0.47.0→0.48.0 (root)
- Bumped **happy-dom** to 20.8.4 (docs/_server and docs/assets/js)
- Upgraded **ajv-formats** v2→v3.0.1 in *docs/_server* (now enforces timezone in `date-time` format)
- Upgraded **express-rate-limit** v6→v8.3.1 in *docs/_server*
- Updated **azure/login** action hash in *cluster-test-terraform.yml*

## Related Issue

Related to #271, #272, #273, #274, #275, #276, #277, #278, #279, #280, #282, #284, #285, #286, #293, #294

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [ ] Documentation update
- [x] CI/CD pipeline change
- [ ] Other (please describe):

## Implementation Details

Merged all 16 dependabot PRs in a risk-prioritized sequence using an integration branch based on `origin/main`. Security patches (Rust) and isolated changes merged first, followed by scope-grouped NPM updates with sequential merging within shared lock file scopes to avoid corruption. Lock file conflicts resolved using delete-and-reinstall strategy.

Three manual fix commits addressed eslint v10 and vitest v4 breaking changes:

- **`994f3a39`** — Added `@eslint/js` as explicit devDependency for eslint v10 (root scope)
- **`cec1db67`** — Adapted vitest v4 config breaking changes in *docs/assets/js/vitest.config.js*
- **`845089f9`** — Migrated deprecated `poolOptions.forks` to top-level `maxWorkers` in *docs/_server/vitest.config.js* and *docs/_server/vitest.integration.config.js*

Additional post-merge fixes resolved regressions from dependency resolution conflicts:

- Removed `js-yaml` v4 override from *docs/_server/package.json* that broke `gray-matter` frontmatter parsing
- Added missing `uuid` direct dependency in *docs/_server/package.json*
- Extended `parseStepsFromMarkdown` in *docs/_server/services/learning-path-manifest.js* with a bold-title regex pattern for learning path kata references
- Fixed flaky CPU comparison in *docs/_server/tests/performance/file-watch.test.js*
- Corrected boundary assertions in *docs/_server/tests/integration/learning-path-selections.test.js*
- Updated response format expectations in *docs/_server/tests/integration/progress-endpoint.test.js*

## Testing Performed

- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [x] Unit tests
- [x] Integration tests
- [ ] Bug fix includes regression test (see [Test Policy](docs/contributing/testing-validation.md))
- [x] Manual validation
- [ ] Other:

## Validation Steps

1. Verify `npm install && npm run lint` passes at root
2. Verify `cd docs/_server && npm install && npm run lint && npm test` passes (42 test files, 554 tests passed)
3. Verify `cd docs/assets/js && npm install && npm run lint && npm test` passes
4. Verify `npm run mdlint` passes at root
5. Verify `npm run cspell` passes at root
6. Verify `pip install -r requirements.txt` succeeds

## Checklist

- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [x] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be committed
- [ ] I have run MegaLinter on my code (`mega-linter-runner`)

## Additional Notes

- Node.js minimum version raised to 20+ across eslint v10 and cspell v9. The dev container runs Node v24.14.0, satisfying all requirements.
- The **ajv-formats** v3 upgrade enforces timezone in `date-time` format validation. Existing docs/_server tests pass with this change.
- The `js-yaml` v4 override was introduced during the eslint v10 merge but broke `gray-matter@4.0.3` (requires `js-yaml@^3.13.1`), silently disabling all YAML frontmatter parsing in the learning path manifest service.
- The `uuid` package was previously available as a transitive dependency but was dropped after lock file regeneration, requiring explicit declaration.
- ~95% of the diff is lock file churn, typical for a dependabot consolidation PR. Actual manifest and source changes are minimal.

## Screenshots (if applicable)

N/A — dependency updates only, no UI changes.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marcel Bindseil <marcbind@microsoft.com>
Closed by consolidated PR
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml
Updates the requirements on python-hcl2, checkov, opencv-python, psutil, python-dotenv, pyyaml, pytest, pytest-asyncio and pytest-cov to permit the latest version.
Updates `python-hcl2` to 7.3.1

Release notes
Sourced from python-hcl2's releases.

Changelog
Sourced from python-hcl2's changelog.
... (truncated)

Commits
- d36c5be v7.3.1 changelog (#245)
- 2cc7594 add github PR check for dependencies sync (#244)
- 128aaee v7.3.0 release (#241)
- 75c3d8d use `regex` package instead of built-in `re` (#240)
- e159a5a add more robust string, interpolation and escaped interpolation parsing and r...
- 4631fcc v7.2.1 changelog (#233)
- 0710134 support `string_with_interpolation` as an object key (#232)
- 7493dfd changelog for #224 (#228)
- 89ad71c Improve string escaping for HCL interpolation (#224)
- d3fe70c release 7.2.0 (#227)

Updates `checkov` to 3.2.510

Release notes
Sourced from checkov's releases.

Changelog
Sourced from checkov's changelog.
... (truncated)

Commits
- 03128c2 fix(terraform): support modern TLS security policies in CKV_AWS_206 (#7466)
- f890acf fix(terraform): support modern TLS security policies in CKV_AWS_206 (#7466)
- e455df0 fix(terraform): update CKV_AWS_339 supported EKS Kubernetes versions (#7465)
- ac9f9ae fix(terraform): update CKV_GCP_79 latest Postgres version from 17 to 18 (#7464)
- b1c860f chore(secrets): upgrade detect-secrets (#7469)
- 64a2243 chore(secrets): upgrade detect-secrets (#7469)
- 8bd89be chore: update release notes
- 35e5081 fix(secrets): eliminate race condition in secrets scanner when running concur...
- e99bc86 fix(secrets): eliminate race condition in secrets scanner when running concur...
- 29bae30 chore: update release notes

Updates `opencv-python` from 4.10.0.84 to 4.13.0.92

Release notes
Sourced from opencv-python's releases.

Commits

Updates `psutil` from 6.0.0 to 7.2.2

Changelog
Sourced from psutil's changelog.
... (truncated)

Commits
- 9eea97d Pre-release
- 938ac64 Rm sphinxcontrib.googleanalytics; override layout.html
- 9dcbb7e Add sphinxcontrib-googleanalytics to requirements.txt
- 76eaf9a Try to add google analytics to doc
- de1cafa Update doc mentioning Process.wait() internal details
- bb30943 Refact can_use_pidfd_open() and can_use_kqueue()
- a571717 #2708, macos / cmdline / environ; raise AD instead of OSError(0) (#2709)
- 8b98c3e Pre-release
- 700b7e6 [macOS] fix potential leaks in error paths (#2707)
- 7cc7923 Windows / cmdline(): be more defensive in free()ing in case of error

Updates `python-dotenv` from 1.0.1 to 1.2.2

Release notes
Sourced from python-dotenv's releases.
... (truncated)

Changelog
Sourced from python-dotenv's changelog.
... (truncated)

Commits
- 36004e0 Bump version: 1.2.1 → 1.2.2
- eb20252 docs: update changelog for v1.2.2
- 790c5c0 Merge commit from fork
- 43340da Remove the use of `sh` in tests (#612)
- 09d7cee docs: clarify override behavior and document FIFO support (#610)
- c8de288 ci: improve workflow efficiency with best practices (#609)
- 7bd9e3d Add Windows testing to CI (#604)
- 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
- 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
- e2e8e77 Fix license specifier (#597)

Updates `pyyaml` from 6.0.2 to 6.0.3

Release notes
Sourced from pyyaml's releases.

Changelog
Sourced from pyyaml's changelog.

Commits
- 49790e7 Release 6.0.3 (#889)

Updates `pytest` from 8.3.3 to 9.0.2

Release notes
Sourced from pytest's releases.
... (truncated)

Commits
- 3d10b51 Prepare release version 9.0.2
- 188750b Merge pull request #14030 from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...
- b7d7bef Merge pull request #14014 from bluetech/compat-note
- bd08e85 Merge pull request #14013 from pytest-dev/patchback/backports/9.0.x/922b60377...
- bc78386 Add CLI options reference documentation (#13930)
- 5a4e398 Fix docs typo (#14005) (#14008)
- d7ae6df Merge pull request #14006 from pytest-dev/maintenance/update-plugin-list-tmpl...
- 556f6a2 pre-commit: fix rst-lint after new release (#13999) (#14001)
- c60fbe6 Fix quadratic-time behavior when handling `unittest` subtests in Python 3.10 ...
- 73d9b01 Merge pull request #13995 from nicoddemus/patchback/backports/9.0.x/1b5200c0f...

Updates `pytest-asyncio` from 0.24.0 to 1.3.0

Release notes
Sourced from pytest-asyncio's releases.
... (truncated)

Commits
- 2e9695f docs: Compile changelog for v1.3.0
- dd0e9ba docs: Reference correct issue in news fragment.
- 4c31abe Build(deps): Bump nh3 from 0.3.1 to 0.3.2
- 13e9477 Link to migration guides from changelog
- 4d2cf3c tests: handle Python 3.14 DefaultEventLoopPolicy deprecation warnings
- ee3549b test: Remove obsolete test for the event_loop fixture.
- 7a67c82 tests: Fix failing test by preventing warning conversion to error.
- a17b689 test: add pytest config to isolated test directories
- 18afc9d fix(tests): replace runpytest_subprocess with runpytest
- cdc6bd1 Add support for pytest 9 and drop Python 3.9 support

Updates `pytest-cov` from 5.0.0 to 7.0.0

Changelog
Sourced from pytest-cov's changelog.
... (truncated)

Commits
- 224d896 Bump version: 6.3.0 → 7.0.0
- 73424e3 Cleanup the docs a bit.
- 36f1cc2 Bump pins in template.
- f299c59 Bump the github-actions group with 2 updates
- 25f0b2e Update docs/config.rst
- bb23eac Improve configuration docs
- a19531e Switch from build/pre-commit to uv/prek - this should make this faster.
- 82f9993 Update changelog.
- 211b5cd Fix links.
- 97aadd7 Update some ci config, reformat and apply some lint fixes.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions