Bump the all-pip-updates group across 3 directories with 77 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dwoz]

CI failing on three distinct issues, all caused by this bump:

1. tools/ci.py missing import + format drift. The "Fix rich MarkupError" commit calls escape(...) without from rich.markup import escape, so Prepare Workflow Run fails with NameError: name 'escape' is not defined and blocks every downstream job. Pre-commit also wants config["testrun"] over config['testrun']. Fix landing in Add missing rich.markup.escape import in tools/ci.py #69396 (3007.x); @dependabot rebase once that merges.

2. Stale lock files. Dependabot bumped input requirements (base.txt, constraints.txt, static/ci/common.txt, static/pkg/{linux,freebsd}.txt) but didn't regenerate requirements/static/{ci,pkg}/py3.*/*.lock. Pre-commit re-runs pip-compile and produces a diff; runtime hits ResolutionImpossible: certifi>=2026.5.20 vs ==2026.1.4 on Documentation/Build (man) and similar mismatches on the onedir/pkg builds. Local regen attempt also surfaces a NEW bug: requirements/static/ci/common.txt bumps virtualenv>=21.4.2 but requirements/base.txt only requires virtualenv (no floor), so pkg locks pin virtualenv==20.36.1 which conflicts with the ci >=21.4.2. The virtualenv floor needs to land in requirements/base.txt too, then @dependabot recreate.

3. constraints.txt: pip == 26.0.1 collides with hardcoded pip==25.2 in tools/pkg/build.py:170-185 (urllib3 security patching). Breaks Build Salt Onedir Windows (amd64/x86) and macOS (arm64) with ResolutionImpossible: pip 25.2 vs constraint pip==26.0.1. Also: pre-commit's pip-compile hooks pin additional_dependencies: ["pip<26.0"], so the pip bump in constraints.txt is incompatible with the entire lock-regeneration infra. Recommend reverting the pip bump in requirements/constraints.txt until the urllib3-patched-pip wheel and the pre-commit hooks are updated for pip 26.x.

[dwoz]

Pushed bf77c8b directly to this branch — adapts the 47c49fb + df7f933 fix bundle from #69393 (3006.x) onto the 3007.x dependabot tree.

Diagnosis:

1. Per-Python conditional caps for packages that dropped Py3.9/3.10/3.11 — cryptography, aiohttp, apache-libcloud, importlib-metadata, kubernetes, more-itertools, moto, pycparser, pygit2, python-telegram-bot, sphinx, sphinxcontrib-httpdomain. boto3 and botocore dropped for py<3.10 (botocore<1.43 hard-requires urllib3<2 which conflicts with the urllib3 2.6.3 floor).
2. urllib3 reverted to >=1.26.20,<2.0.0 for py<3.10 (same botocore<>urllib3 chain).
3. virtualenv floor bumped to 21.4.2 in base.txt so pkg locks resolve consistently with ci/common.txt's existing floor (this was the lock-regen blocker I diagnosed earlier).
4. pymssql capped to ==2.3.11 — 2.3.13 has no win32 wheels and 3007.x still builds a Windows x86 onedir.
5. PyYAML floor bumped to 6.0.3 (kubernetes 36 needs it).
6. filelock pinned >=3.29.1 for py>=3.10 to keep the uv resolver from picking 3.25.
7. vcert reverted to ~=0.9.0 (0.18.x hard-pins cryptography==45.0.7 + pynacl==1.5.0).
8. markdown-it-py <4.0.0 cap for py3.10 in constraints.txt (myst-docutils 4.x is the latest supporting py3.10 and pins markdown-it-py ~=3.0; rich would otherwise pull 4.x transitively).
9. pylint capped ~=3.1.0 for py<3.10 (pylint 4 requires Python>=3.10). py>=3.10 keeps ~=4.0.5 since 3007.x lint passes on it.
10. ansible release-line ladder for py3.10/3.11/3.12.
11. tools/pkg/build.py: strip PIP_CONSTRAINT from both the pip-download (_build_patched_pip_wheel) and the --force-reinstall site — fixes RPM/Windows/macOS onedir builds failing with `pip 25.2 vs constraint pip==26.0.1`.
12. tests/pytests/unit/utils/test_cloud.py: CustomKeyring needs a class-level priority and super().init() now that the keyring bump to 25.7.0 made priority abstract.
13. All lockfiles regenerated. `pre-commit run --all-files` exits 0 locally — no SKIP needed.

The branch is BEHIND base 3007.x; `@dependabot rebase` may be needed if CI surfaces a real conflict.

[dwoz]

Pushed 79e7c25 directly — fixes Lint / Lint Salt's Source Code and Lint / Lint Salt's Test Suite (was failing on bf77c8b).

Diagnosis: my prior commit capped pylint at ~=3.1.0 only for py<3.10 on the assumption that pre-bf77c8bceab CI Lint passes meant 4.0.5 was fine on py>=3.10. That was wrong — the earlier passes were running against the stale pre-bf77c8bceab lockfiles which still pinned the old pylint. Once the regenerated locks brought pylint 4.0.5 in on the py3.10 lint job, 190+ pre-existing E0606/E0601/E0602 findings surfaced in setup.py, salt/, tools/, and another 77 in tests/. The pre-commit lint-salt / lint-tests hooks only lint changed files, so my local pre-commit run didn't catch the latent surface; only the CI nox jobs lint the full tree.

This commit caps pylint to ~=3.1.0 globally (matching df7f933 on 3006.x). Lock files regenerated. Verified with pre-commit run --all-files (exit 0, no SKIP) and with a fresh pylint 3.1.1 run against the previously-failing files (setup.py, salt/minion.py, salt/states/{git,file,pkg,csf}.py, tools/pkg/build.py, tests/pytests/integration/cli/{test_matcher,test_batch}.py, tests/pytests/unit/utils/test_gitfs.py) — all rated 10.00/10.

The 190+267 E0606/E0601/E0602 findings are pre-existing surface that pylint 4 surfaces by default — should be triaged on a separate maintenance branch, not blocking this dependabot batch.

[dwoz]

Pushed 380b8ac directly — fixes the dependabot-bump-driven test failures observed under bf77c8b/79e7c255a6b.

Diagnosis:

1. virtualenv 21 + BUNDLE_SHA256 (Test Package upgrade jobs, functional tests, test_thin_dir, etc.) — `tools/pkg/build.py:salt_onedir()` was overwriting the urllib3-patched pip wheel into the embed directory but only rewriting BUNDLE_SUPPORT. virtualenv 21 added a BUNDLE_SHA256 verification step that rejected the wheel with `RuntimeError: bundled wheel pip-25.2-py3-none-any.whl has no recorded sha256 in BUNDLE_SHA256`. Now rewrites BUNDLE_SHA256 with the on-disk hashes, guarded by `if "BUNDLE_SHA256" in content:` so virtualenv 20.x is unchanged.

2. pytest 9 fixture marks → collection error (Scenarios zeromq jobs) — `tests/pytests/scenarios/compat/test_with_versions.py` had `@pytest.mark.skip_if_binaries_missing('docker')` and `@pytest.mark.skip_on_fips_enabled_platform` decorating fixtures. pytest 9 turns the PytestRemovedIn9Warning into a hard collection error. Both marks were redundant with the module-level `pytestmark` / test-side decorators; removed.

3. pyOpenSSL 26 X509 API removal — beacons (Unit zeromq 1 jobs) — `salt/beacons/cert_info.py` used `cert.get_extension_count()` / `cert.get_extension(i)`, both gone in pyOpenSSL 26. Falls back to `cert.to_cryptography().extensions` and re-emits the legacy printable format (`CA:FALSE`, `DNS:host`, `IP Address:1.2.3.4`, ...) so the beacon's output schema is preserved across pyOpenSSL versions.

4. pyOpenSSL 26 X509 API removal — tls module (Unit zeromq 3 jobs) — `salt/modules/tls.py` used `X509.add_extensions` / `X509Req.add_extensions` / `OpenSSL.crypto.X509Extension`. The tls module's CA-management code is legacy and not ported to cryptography.x509; on pyOpenSSL 26+ we skip the v3-extension setup with a warning so basic CA / CSR / signed-cert creation still works. Users that need v3 extensions on pyOpenSSL 26+ should migrate to the x509_v2 state module.

5. pip 26 InvalidEggFragment (Unit zeromq 1 jobs) — `salt/states/pip_state.py:_check_pkg_version_format()` ran VCS URLs through pip's Link parser. pip 26 rejects `git+url#egg=Name>=version` with `InvalidEggFragment` (subclass of `PipError`, not of `InstallationError`, so the existing handler missed it). VCS URLs are valid install targets even when pre-flight parsing fails — defer to runtime, mirroring the existing `install_req.req is None` branch.

6. pytest 9 caplog scoping (Unit zeromq 1 jobs) — `tests/pytests/unit/client/ssh/test_single.py:test_run_ssh_pre_flight_{no_,}connect` used `caplog.at_level(logging.TRACE)` without a `logger=` argument. pytest 9 narrowed default scoping; now passes `logger='salt.client.ssh'` so TRACE messages from the salt logger are captured.

Out of scope for this commit (left for follow-up):

• `tests/pytests/unit/test_minion.py:598` (and similar in `test_zeromq.py`) reference `salt.ext.tornado.ioloop.IOLoop()`. That test was added to 3007.x base in `f67059900d0` after this PR branched, and 3007.x no longer ships `salt.ext.tornado`. Will need an `@dependabot rebase` plus a fix to those test sites — should be a sibling PR against 3007.x.

Verified locally against pyOpenSSL 26.2.0, cryptography 48.0.0, pip 26.1.2, pytest 9.0.3, virtualenv 21.4.2:

• `tests/pytests/unit/beacons/test_cert_info.py` — 3 passed
• `tests/pytests/unit/modules/test_tls.py` — 35 passed (all 11 previously-failing tests now pass)
• `tests/pytests/unit/client/ssh/test_single.py` — 25 passed (both pre_flight tests now pass)
• `tests/unit/states/test_pip_state.py` — 1 passed

`pre-commit run --files` on the touched files is clean — isort, black, bandit, mypy, Lint Salt, Lint Tests all pass. No `--no-verify`, no `SKIP=`.

[dwoz]

Status check after 380b8ac CI run (27185134812). PR is mergeable, no reviewer feedback.

Fixed in this push (62383b8):

Build Source Packages RPM (x86_64, arm64) + DEB (x86_64, arm64): cmake source build under relenv toolchain. pyzmq 27.x (pinned by this batch's lockfiles) switched its build backend to scikit-build-core, which pulls cmake as a build-time dependency. `tools pkg build onedir-dependencies` invokes pip with `--no-binary :all:` plus a small `--only-binary` allow-list; cmake was not on that list, so pip tried to build cmake from source and hit `pid_t doesn't exist on this platform?` in Utilities/cmlibarchive/CMakeLists.txt. Added cmake, ninja, and protobuf to both copies of the allow-list and set `CMAKE_POLICY_VERSION_MINIMUM=3.5` so cmake 4.x can configure pyzmq's bundled libzmq (which still uses an older floor).

Not fixed — pre-existing 3007.x base regressions, not introduced by this PR (deferred to 3007.x-base sibling fix):

1. `pkg/rpm/salt.spec` %changelog ordering. The Build Source Packages RPM job (and any RPM build on Fedora 42 / rpm 4.20+) errors with `%changelog not in descending chronological order` before reaching the cmake step. The 3006.x → 3007.x merge (`9fb7574255b`) inserted the 3006.25 entry (May 13 2026) between 3007.14 (Apr 29 2026) and 3007.13 (Feb 11 2026), creating an ascending date in the middle of the changelog. PR Fix master cluster event forwarding when master id is auto-suffixed (#68462) #69373 (same base) passed RPM build on 2026-06-07 before the Fedora 42 build container was updated to rpm 4.20.1; the changelog has the same problem there. This blocks every 3007.x PR right now and needs a base-side reorder: move 3006.25 above 3007.14, move 3006.24 / 3006.23 / 3006.22 above 3007.13. A similar reorder is needed deeper for 3006.15 (Aug 28 2025) which is currently after 3007.5 (Jun 26 2025).

2. `salt.ext.tornado.ioloop.IOLoop()` references in tests. `tests/pytests/unit/test_minion.py:598` and `tests/pytests/unit/transport/test_zeromq.py` (added in 3007.x base `f67059900d0` after this PR branched) reference `salt.ext.tornado`, which doesn't exist on 3007.x. Will need a base-side fix to change to `tornado.ioloop.IOLoop()`, then `@dependabot rebase` here.

Not fixed — flake, not actionable:

• NSIS Stress Tests / Stress Tests: `stress_tests/test_hang.py::test_repeatedly_install_uninstall[22]` errored with "Installer failed (non-zero exit or force-killed on timeout)" — 99 of 100 iterations passed. The same test passed on iterations 23 through 99 and on every previous PR run; this is the classic installer-hang flake, not a real failure.

PR is BEHIND base 3007.x but mergeable; the dependabot-rebase to pick up base may also surface the changelog and salt.ext.tornado issues differently, so I'd recommend the 3007.x-base fixes land first.

[dwoz]

CI status review after 7ff4c44 (run 27388066534). PR is BEHIND but MERGEABLE, no reviewer feedback, no rebase action needed (dependabot/maintainer rebases already landed the test-infra fixes for salt-repo-3008-lts, Photon repo, TLS CRL compat, salt.ext.tornado, scenario tests, etc.).

Four failing checks pulled and triaged — all infra flakes, none introduced by the dependabot bumps or the prior fix pushes:

1. Test Salt / Photon OS 5 integration tcp 7 (1m10s): `Error response from daemon: error creating temporary lease: Unavailable: connection error: desc = "transport: Error while dialing: dial unix /run/containerd/containerd.sock: connect: connection refused"`. Runner's containerd was down. Infra flake.

2. Test Salt / Rocky Linux 9 functional zeromq 3: `test_yumpkg_remove_wildcard` hit pytest-timeout at 90s inside `salt.modules.yumpkg.install(pkgs=["httpd-devel", "httpd-tools"])` which shells out to `yum install`. Both first pass and `--lf` rerun hit the same timeout (93.78s on rerun). Real-world `yum install` from upstream Rocky 9 repo slow / flaky; no yumpkg-side code change on 3007.x in the last 10 commits. External repo flake.

3. Test Package / macOS 15 (Intel) upgrade 3007.14 (21m25s): `test_check_imports` failed because the minion didn't return ("Minion did not return. [No response]"), and `test_salt_versions_report_minion` failed because `salt_minion.is_running()` returned False after 60s of waiting. The same PR's macOS Intel `install`, `downgrade 3006.25`, `downgrade 3007.14`, AND `upgrade 3006.25` all PASSED — only `upgrade 3007.14` failed. macOS minion startup flake on this one runner.

4. Test Package / macOS 15 (M1) upgrade 3006.25 (9m18s): `installer: Error - the package path specified was invalid: '.../salt-3007.14+294.g3f1a83b3c5-py3-arm64.pkg'` despite `tree artifacts/pkg/` showing the file exists. macOS `installer` returns this generic error for signature/notarization/quarantine issues, not literal missing-file. The same M1 ran `install`, `downgrade 3006.25`, `downgrade 3007.14`, AND `upgrade 3007.14` successfully against the same artifact. macOS pkg-validation flake on this one runner.

No code changes needed. The 18 remaining pending jobs should finish without further failure modes of the bump-driven varieties (already fixed earlier in this PR's history: pytest 9, virtualenv 21, pyOpenSSL 26, pip 26, cmake/scikit-build-core, etc.).

[dwoz]

Quick follow-up on the same run (27388066534). Two more failures completed since the last review — also infra/flake, none introduced by the bumps or the prior fixes:

5. Test Salt / Fedora 40 scenarios zeromq (33m18s): job killed with SIGTERM (exit 143) mid-`tests/pytests/scenarios/multimaster/test_multimaster.py::test_minion_reconnection_attempts`. GH Actions workflow-step timeout while the multimaster reconnection scenario hung. Classic scenario-test hang.

6. Test Salt / Photon OS 5 Arm64 integration zeromq(fips) 7 (35m38s): two failures in `tests/pytests/integration/ssh/test_state.py` — `test_state_show_top` (`assert {'base': ['core']} == {'base': ['core', 'master_tops_test']}`) and `test_state_running` ("Did not find 'The function \"state.pkg\" is running as' in state.running output"). On the `--lf` rerun `test_state_show_top` PASSED — confirming flake. `test_state_running` still failed on rerun but that's a known salt-ssh timing race against the state.running detection window, not anything the dependabot bumps touched.

Total failing: 6 of 426 checks, all flake-class. No code changes needed.