Skip to content

python: add back requests as dev dependency#1288

Merged
reyammer merged 1 commit intomainfrom
py-fix-deps
Feb 16, 2026
Merged

python: add back requests as dev dependency#1288
reyammer merged 1 commit intomainfrom
py-fix-deps

Conversation

@reyammer
Copy link
Collaborator

@reyammer reyammer commented Feb 16, 2026

No description provided.

@reyammer reyammer merged commit 68c9793 into main Feb 16, 2026
1 check passed
@reyammer reyammer deleted the py-fix-deps branch February 16, 2026 14:27
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 16, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds requests as a development dependency. However, there is a critical issue with the version specified for requests in pyproject.toml, which seems to be a typo. This incorrect version causes the uv.lock file to be generated with non-existent and future versions for requests and its transitive dependencies. This is a security risk and will break the build. I've added comments with suggestions to fix this.

python/pyproject.toml
"tomli>=2.0.1",
"tqdm>=4.67.1",
"dacite>=1.9.2",
"requests>=2.32.4",
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The specified version for requests (>=2.32.4) does not exist on PyPI. The latest version is 2.32.3. This is likely causing the uv.lock file to be generated with incorrect and non-existent package versions. This is a security risk and will cause build failures. Please correct the version specifier.

Suggested change
"requests>=2.32.4",
"requests>=2.32.3",

python/uv.lock
Comment on lines +51 to +58
[[package]]
name = "certifi"
version = "2026.1.4"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/e0/2d/a891ca51311197f6ad14a7ef42e2399f36cf2f9bd44752b3dc4eab60fdc5/certifi-2026.1.4.tar.gz", hash = "sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120", size = 154268, upload-time = "2026-01-04T02:42:41.825Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/e6/ad/3cc14f097111b4de0040c83a525973216457bbeeb63739ef1ed275c1c021/certifi-2026.1.4-py3-none-any.whl", hash = "sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c", size = 152900, upload-time = "2026-01-04T02:42:40.15Z" },
]
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The versions for the newly added dependencies in the lock file appear to be incorrect and do not exist on PyPI. This is a security risk (e.g., dependency confusion) and will cause build failures.

Here are the suspicious packages and versions I found:

  • certifi: 2026.1.4 (latest on PyPI is 2024.7.4)
  • charset-normalizer: 3.4.4 (latest on PyPI is 3.3.2)
  • idna: 3.11 (latest on PyPI is 3.7)
  • requests: 2.32.4 (latest on PyPI is 2.32.3)
  • urllib3: 2.2.3 (latest on PyPI is 2.2.2)

This seems to be caused by the incorrect version specifier for requests in pyproject.toml. After correcting it, please regenerate this lock file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@reyammer