LCORE-1140: Updated deps

[tisnik]

Description

LCORE-1140: Updated deps

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

• Assisted-by: N/A
• Generated by: N/A

Related Tickets & Documents

• Related Issue #LCORE-1140

Summary by CodeRabbit

• Chores
  • Updated dependency versions: google-auth to 2.46.0 and tokenizers to 0.22.2.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Dependencies updated in architecture-specific requirements files: google-auth from 2.45.0 to 2.46.0 and tokenizers from 0.22.1 to 0.22.2 with corresponding hash updates for verification.

Changes

Cohort / File(s)	Summary
Dependency version updates requirements.aarch64.txt, requirements.x86_64.txt	google-auth bumped from 2.45.0 to 2.46.0; tokenizers bumped from 0.22.1 to 0.22.2; associated hash entries updated for package verification

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• lightspeed-stack#917: Preceded this PR by updating google-auth to 2.45.0; this PR continues the dependency update chain to 2.46.0 in the same requirements files.

Pre-merge checks

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'LCORE-1140: Updated deps' is vague and generic, using non-descriptive terms that don't clearly convey which dependencies were updated or why.	Revise the title to be more specific about the changes, such as 'Update google-auth to 2.46.0 and tokenizers to 0.22.2' to provide meaningful context about the actual dependency versions being bumped.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee88333 and 149a848.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• requirements.aarch64.txt
• requirements.x86_64.txt

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: build-pr
• GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
• GitHub Check: E2E: library mode / azure
• GitHub Check: E2E: library mode / vertexai
• GitHub Check: E2E: library mode / ci
• GitHub Check: E2E: server mode / ci
• GitHub Check: E2E: server mode / vertexai
• GitHub Check: E2E: server mode / azure

🔇 Additional comments (4)

requirements.aarch64.txt (2)

954-956: google-auth bump appears consistent; just confirm downstream auth flows

The version bump to google-auth==2.46.0 with updated hashes looks fine and matches the uv-generated format. Please ensure:

• other arch-specific requirement files remain in sync, and
• any kubernetes / Google API auth integrations still pass integration tests after this upgrade.

---

3462-3487: tokenizers 0.22.2 upgrade looks good; validate HF/LLM paths on aarch64

The tokenizers==0.22.2 bump plus refreshed hashes is structurally correct for a uv lockfile. Given this is a compiled/Rust-backed package and heavily used by transformers/LLM tooling, please:

• run the relevant LLM/tokenization test suites on aarch64, and
• confirm the same version is used consistently in other platform-specific requirement files.

requirements.x86_64.txt (2)

954-956: Confirm google-auth==2.46.0 exists on your package index and matches these hashes

The bump itself is fine, but as of now the public PyPI index still advertises 2.45.0 as the latest google-auth release, so 2.46.0 may not be available from there. (pypi.org)

Please double‑check that:

• google-auth==2.46.0 is published on the index(es) your builds use (or is intentionally coming from an internal mirror), and
• The two SHA256 hashes here correspond exactly to the wheels you expect to install.

This avoids hash‑mismatch or resolution failures in CI and runtime images, especially for kubernetes‑related auth flows that rely on this pin.

---

3463-3487: Patch bump to tokenizers==0.22.2 looks reasonable; validate against your transformer stack

Moving from 0.22.1 to 0.22.2 is a small, recent patch and wheels/conda artifacts for 0.22.2 are available in the ecosystem. (anaconda.org) With transformers==4.57.3 and huggingface-hub==0.36.0 pinned nearby, this should be compatible, but subtle regressions tend to surface only under real workloads.

Please:

• Run your model/LLM integration tests (especially tokenization‑heavy paths via litellm and transformers) on both x86_64 and aarch64 images.
• Confirm these hashes match the exact wheels you intend to consume for Linux x86_64.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}