chore(deps): bump tornado from 6.5.5 to 6.5.6 in /envs/coding_env#792
dependabot[bot] wants to merge 1 commit into
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to 6.5.6.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.5...v6.5.6)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Review: tornado 6.5.5 → 6.5.6
The tornado bump itself is clean — correct sdist/wheel hashes for 6.5.6, scoped to envs/coding_env/uv.lock, no pyproject.toml entry to update (tornado is a transitive dependency, not a direct one).
However, the diff bundles a second unrelated change that blocks approval:
Bundled, unrelated change: openenv-core → openenv rename
The lock file removes the openenv-core 0.2.3 package entry entirely and replaces it with openenv 0.3.1. The openenv-coding-env block's requires-dist is also rewritten from openenv-core[core]>=0.2.2 to openenv[core]>=0.2.2.
The problem: `envs/coding_env/pyproject.toml` still declares:
```toml
"openenv-core[core]>=0.2.2",
```
The pyproject.toml (source of truth) and uv.lock are now inconsistent on the name and version of this dependency. A uv sync from a clean state would likely fail or resolve differently than what the lock file encodes.
What needs to happen before this can merge:
- If `openenv-core` has been renamed to `openenv` on PyPI, `pyproject.toml` must be updated to `openenv[core]>=0.3.1` (or whatever the correct minimum) and the lock file regenerated as a separate PR.
- If this rename is not yet intentional, the lock file entry for `openenv-core` → `openenv` should be reverted to keep this PR purely a tornado patch bump.
A pure tornado bump would be approved immediately — please split or fix the inconsistency.
Automated review by Claude Code | Learn more
Rolled into #789 so maintainers can merge the env Dependabot updates together.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review Report
Automated Checks
- Lint: PASS - hook scope is `src/`; lockfile not subject to ruff/usort
- Debug code: CLEAN - no debug artifacts in changed file
Tier 1: Fixes Required
None. The tornado bump itself is mechanically correct: version string, sdist hash, and all nine platform wheel hashes are consistently updated from 6.5.5 to 6.5.6 within envs/coding_env/uv.lock. The change is correctly scoped to a single file under envs/coding_env/. No conflicting pins were found.
Tier 2: Alignment Discussion
ALIGNMENT FLAG: Lockfile silently renames the core dependency from openenv-core to openenv
- Principle at stake: "Be hands-on" / production-readiness — the canonical package name is a load-bearing identity for every env that depends on `openenv-core[core]`
- The concern: The diff removes the `openenv-core 0.2.3` package entry and inserts `openenv 0.3.1` in its place. The `pyproject.toml` still declares `openenv-core[core]>=0.2.2` as the dependency, but the resolver has satisfied it via the new `openenv` package name. This means the PyPI package has been renamed (or re-released under a new name) without a corresponding `pyproject.toml` update in this repo. If `openenv-core` is deprecated on PyPI, this silent lock-only substitution could break fresh installs in other envs that have not been re-locked. This change is not about tornado and should not be bundled into a patch security PR without explicit review.
- Suggested reviewer: @Darktex
Summary
- 0 mechanical issues to fix
- 1 alignment point for human review: the `openenv-core` -> `openenv` package rename baked into this lockfile should be separated from the tornado bump and reviewed independently, with a matching `pyproject.toml` update to `openenv[core]>=0.3.1` if the rename is intentional.
Commits
- aba2569 Merge pull request #3626 from bdarnell/fixes-656
- a24b260 httpclient_test: Accept an additional error message variant
- a74240a Release notes and version bump for 6.5.6.
- e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
- 96dc88c speedups: validate mask length
- ff808b3 http1connection: Enforce max_body_size in _GzipMessageDelegate
- ede4e37 auth: Correctly parse check_authentication response
- 1c178be Remove obsolete curl force_timeout workaround
- c99d55b Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION
- 2761431 Merge pull request #3587 from bdarnell/fix-link

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.