Skip to content

[py] update python dependencies#17490

Merged
titusfortner merged 3 commits into
trunkfrom
py_updates
May 19, 2026
Merged

[py] update python dependencies#17490
titusfortner merged 3 commits into
trunkfrom
py_updates

Conversation

@titusfortner

@titusfortner titusfortner commented May 16, 2026

Copy link
Copy Markdown
Member

🔗 Related Issues

From #13964

💥 What does this PR do?

  • Bumps 3 versions that are currently hard coded. No issues detected.
  • UPDATE I'm also removing dependency-groups from pyproject.toml because it isn't actually being used with bazel. Since it is tox-only and tox is essentially a convenience right now for local development, I've moved the versions to there directly.
  • I've removed transitive dependencies from requirements.txt since they get pulled in by pip
  • Had to put back the architecture dependent transitive dependencies so that we get what we need from any OS run.
  • Updated all requirements to use ranges for easier updating within ranges using existing bazel target

Verified that lockfile is equivalent before and after change.

@titusfortner titusfortner requested a review from cgoldberg May 16, 2026 16:35
@qodo-code-review

Copy link
Copy Markdown
Contributor

Review Summary by Qodo

Update Python dependencies to latest patch versions

✨ Enhancement

Grey Divider

Walkthroughs

Description
• Bumps ruff from 0.15.12 to 0.15.13
• Updates jaraco.functools from 4.4.0 to 4.5.0
• Updates requests from 2.34.1 to 2.34.2
• Updates dependency hashes in lock file
Diagram
flowchart LR
  A["Python Dependencies"] -->|ruff 0.15.12→0.15.13| B["pyproject.toml"]
  A -->|jaraco.functools 4.4.0→4.5.0| C["requirements.txt"]
  A -->|requests 2.34.1→2.34.2| C
  C -->|Update hashes| D["requirements_lock.txt"]
Loading

Grey Divider

File Changes

1. py/pyproject.toml Dependencies +1/-1

Bump ruff linting dependency version

• Updates ruff linting tool from version 0.15.12 to 0.15.13

py/pyproject.toml


2. py/requirements.txt Dependencies +2/-2

Update jaraco.functools and requests versions

• Updates jaraco.functools from 4.4.0 to 4.5.0
• Updates requests from 2.34.1 to 2.34.2

py/requirements.txt


3. py/requirements_lock.txt Dependencies +6/-6

Update locked dependency versions and hashes

• Updates jaraco-functools version and SHA256 hashes from 4.4.0 to 4.5.0
• Updates requests version and SHA256 hashes from 2.34.1 to 2.34.2

py/requirements_lock.txt


Grey Divider

Qodo Logo

@selenium-ci selenium-ci added the C-py Python Bindings label May 16, 2026
@qodo-code-review

qodo-code-review Bot commented May 16, 2026

Copy link
Copy Markdown
Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider


Action required

1. Tox groups now missing ✓ Resolved 🐞 Bug ☼ Reliability
Description
py/tox.ini still configures dependency_groups = lint/validate, but this PR removes the
corresponding [dependency-groups] definitions from py/pyproject.toml. As a result, `tox -e
linting and tox -e validate will fail (and won’t install/run ruff / validate-pyproject`).
Code

py/pyproject.toml[L45-52]

-[dependency-groups]
-lint = [
-    "ruff==0.15.12",
-]
-validate = [
-    "validate-pyproject==0.25",
-    "packaging==26.2",
-]
Evidence
The PR removes the only declared lint/validate dependency groups from py/pyproject.toml, while
tox still tries to install those groups and run validate-pyproject/ruff. The updated
py/requirements.txt also doesn’t declare those tools, so tox can’t obtain them from the lockfile
either.

py/tox.ini[8-13]
py/tox.ini[38-43]
py/pyproject.toml[37-47]
py/requirements.txt[6-22]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`py/tox.ini` references dependency groups (`dependency_groups = lint` / `validate`) that no longer exist because `[dependency-groups]` was removed from `py/pyproject.toml`. This breaks `tox -e linting` and `tox -e validate`, and also removes the only declarations of `ruff` and `validate-pyproject` used by those envs.

## Issue Context
- `tox` uses `dependency_groups` to install tools like `ruff` and `validate-pyproject`.
- This PR deletes the group definitions from `py/pyproject.toml`, and the new `py/requirements.txt` does not include those tools either.

## Fix approach options (pick one)
1) **Re-add `[dependency-groups]`** to `py/pyproject.toml` with `lint` and `validate` entries (include `ruff` and `validate-pyproject`, and any other needed pins/ranges).

2) **Stop using dependency groups in tox**:
  - Update `py/tox.ini` `validate` and `linting` envs to install from `-r requirements_lock.txt` (or a dedicated dev-tools requirements file).
  - Add `ruff` and `validate-pyproject` (and any required companions like `packaging` if needed) to `py/requirements.txt`, then regenerate `py/requirements_lock.txt`.

## Fix Focus Areas
- py/pyproject.toml[37-56]
- py/tox.ini[8-13]
- py/tox.ini[38-43]
- py/requirements.txt[6-22]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Ruff version drift 🐞 Bug ☼ Reliability
Description
The PR bumps the pip/tox ruff pin to 0.15.13, but the Bazel-provided ruff binary used by `./go
format / //py:ruff-check` remains pinned at 0.15.12, so different workflows can produce different
lint/format output for the same codebase. This can create CI-vs-local inconsistencies and formatting
churn depending on which entrypoint contributors use.
Code

py/pyproject.toml[47]

+    "ruff==0.15.13",
Evidence
The repo has two independent ruff installation paths: tox uses the pinned ruff==0.15.13 from
py/pyproject.toml, while Bazel formatting/linting resolves the ruff executable from the multitool
runfiles whose downloads are pinned to 0.15.12 in multitool.lock.json. CI runs ./go format,
which formats Python via Bazel //py:ruff-format, so CI continues to use the multitool ruff version
unless the multitool lock is updated too.

py/pyproject.toml[45-48]
py/tox.ini[38-43]
multitool.lock.json[91-129]
py/private/ruff_check.py[18-43]
rake_tasks/python.rake[168-178]
Rakefile[128-144]
.github/workflows/ci-lint.yml[47-62]
scripts/format.sh[114-122]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`py/pyproject.toml` updates the ruff version used by tox/pip tooling, but the Bazel/multitool ruff binary remains on the previous version. This introduces a split-brain setup where `tox -e linting` and `./go format` (CI) may not agree on lint/format behavior.

## Issue Context
- `tox -e linting` installs from `[dependency-groups].lint` and runs `ruff`.
- `./go format` (used in GitHub Actions) runs Bazel targets that invoke a ruff binary coming from `@multitool//tools/ruff`, whose version is pinned in `multitool.lock.json`.

## Fix Focus Areas
- py/pyproject.toml[45-48]
- multitool.lock.json[91-129]

### Suggested fix
Either:
1) Update `multitool.lock.json` to ruff `0.15.13` (all platform URLs and sha256s), keeping Bazel/CI aligned with the new pin; **or**
2) Revert the ruff bump in `py/pyproject.toml` until multitool is updated in the same PR.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

@qodo-code-review

qodo-code-review Bot commented May 18, 2026

Copy link
Copy Markdown
Contributor

Persistent review updated to latest commit ba3c704

Comment thread py/pyproject.toml
@titusfortner titusfortner requested a review from Copilot May 18, 2026 23:34
@qodo-code-review

qodo-code-review Bot commented May 18, 2026

Copy link
Copy Markdown
Contributor

Persistent review updated to latest commit 0cf1a72

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates several Python development dependencies (cachetools, requests, types-PySocks, jaraco.functools, ruff, lxml, ast-serialize) in the lock file, and restructures py/requirements.txt and py/tox.ini to remove the dependency-groups mechanism in pyproject.toml in favor of explicit deps = ... in tox and a curated direct-dependencies list in requirements.txt.

Changes:

  • Bump cachetools→7.1.3, requests→2.34.2, types-PySocks→1.7.1.20260518, jaraco-functools→4.5.0, ruff→0.15.13 (plus lxml 6.1.1, ast-serialize 0.5.0 in lock).
  • Remove the [dependency-groups] table from pyproject.toml and replace dependency_groups = ... in tox.ini with explicit pinned deps.
  • Rewrite py/requirements.txt from a fully pinned flat list into a curated set of direct dev tooling using ~= version constraints, plus platform-specific transitive deps.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
py/pyproject.toml Removes [dependency-groups] (lint/validate) now defined inline in tox.
py/tox.ini Replaces dependency_groups = lint/validate with explicit pinned deps.
py/requirements.txt Rewrites file as curated direct deps using ~= constraints, with platform-specific extras.
py/requirements_lock.txt Refreshes lock with version bumps; drops several -r py/requirements.txt markers for deps now treated as transitive.

@qodo-code-review

qodo-code-review Bot commented May 18, 2026

Copy link
Copy Markdown
Contributor

Persistent review updated to latest commit ec78b44

@titusfortner titusfortner merged commit 4fea2dd into trunk May 19, 2026
40 checks passed
@titusfortner titusfortner deleted the py_updates branch May 19, 2026 01:41
shs96c added a commit to shs96c/selenium that referenced this pull request May 19, 2026
* origin/trunk: (97 commits)
  [py] update python dependencies (SeleniumHQ#17490)
  [build] fix renovate reported issues with configuration
  [build] remove base-ref from renovate workflows it does not work for the use case I had for them
  [build] add renovate dependency workflow (SeleniumHQ#17504)
  [build] simplify commit-changes workflow (SeleniumHQ#17503)
  [build] clarify dependency pin and update tasks (SeleniumHQ#17463)
  [build] do not rerun or attempt to upload logs unless workflow failure is from the Bazel step
  [build] fix renovate ignore rules_python to v2 until upstream fixed
  [build] renovate ignore rules_python until upstream fixed
  [build] bump rules_closure version (SeleniumHQ#17500)
  [build] bump rules_jvm_external (SeleniumHQ#17501)
  [js] remove npm dependency by using bazel for everything (SeleniumHQ#17499)
  [build] bump ruby versions to latest patch releases (SeleniumHQ#17496)
  [dotnet] [build] Support deterministic build output (SeleniumHQ#17497)
  [build] remove renovate update requests pending work done in SeleniumHQ#17427 (SeleniumHQ#17498)
  [dotnet] [build] Fix remote linkage in SourceLink (SeleniumHQ#17495)
  [rust] update reqwest to 0.13 (SeleniumHQ#17488)
  [build] bump low-risk Bazel module dependencies (SeleniumHQ#17494)
  [dotnet] run format against slnx instead of looping csproj (SeleniumHQ#17483)
  [build] ignore renovate.json references in renovate recommendations
  ...

# Conflicts:
#	MODULE.bazel
#	rust/BUILD.bazel
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

C-py Python Bindings

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants