Regenerate the lockfile so it's consistent with the
post-rebase `pyproject.toml` — which now carries both #461's
landed tooling (`pytest>=9.0.3`, …) and this branch's
tractor deps (`setproctitle`, `pytest-timeout`, `psutil`),
- `uv lock` resolves the merged dep set against the landed
`main` baseline.
(this commit msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
Tighten the test-dep floor from `>=9.0` to `>=9.0.3` so a
fresh `uv` relock can't resolve back into the vulnerable
9.0.0–9.0.2 window; 9.0.3 is where upstream patched the
insecure-tmpdir advisory (CVE-2025-71176).
- annotate the constraint w/ the CVE id for future readers.
- update the existing bump-rationale comment to name the
precise patched version.
(this commit-msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
Regenerate the lockfile to match the bumped
`requires-python = ">=3.13, <3.15"` so the shipped venv
state lines up with `pyproject.toml`,
- drop the now-unsupported `cp312` wheels.
- add `cp314` wheels + py3.14 `resolution-markers`.
- bump the lock's own `requires-python` envelope.
The relock also pulls `pytest` 8.3.5 -> 9.1.0 which
resolves the insecure-tmpdir advisory (CVE-2025-71176,
patched in 9.0.3); this closes dependabot alert #3 and
supersedes the bot's standalone bump in #442.
(this commit msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
Bump lock file to match obvi.
(this commit msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
Thanks to the `tox`-dev community for such a lovely pkg which seems to
solves all the current cross-platform user-dir problems B)
Also this,
- now passes `platformdirs.user_runtime_dir(appname='tractor')`
and allows caller to pass an optional `subdir` under `tractor/`
if desired.
- drops the `.config._rtdir: Path` mod var.
- bumps the lock file with the new dep.
Namely to get a fix (i patched in) to `pdbp` and the latest
prompt-injection feats from `xonsh` B)
Also leave in a (masked) `.uv.sources.pdbp` section for easy
patch-test-submit in the future from my own fork and bump the lock file
to match!
Namely,
- `devx` for console debugging extras used in `tractor.devx`.
- `repl` for @goodboy's `xonsh` hackin utils.
- `testing` for harness stuffs.
- `lint` for whenever we start doing that; it requires special
separation on nixos in order to pull `ruff` from pkgs.
Oh and bump the lock file.
Since it turns out there's a few gotchas moving to python 3.13,
- we need to pin to new(er) `trio` which now flips to strict exception
groups (something to be handled in a follow up patch).
- since we're now using `uv` we should (at least for now) prefer the
system `python` (over astral's distis) since they compile for
`libedit` in terms of what the (new) `readline.backend: str` will read
as; this will break our tab-completion and vi-mode settings in
the `pdbp` REPL without a user configuring a `~/.editrc`
appropriately.
- go back to using latest `pdbp` (not a local dev version) since it
should work fine presuming the previous bullet is addressed.
Lock bumps,
- for now use latest `trio==0.29.0` (which i gotta feeling might have
broken some existing attempts at strict-eg handling i've tried..)
- update to latest `xonsh`, `pdbp` and its dep `tabcompleter`
Other cleaning,
- put back in various deps "comments" from `poetry` content.
- drop the `xonsh-vox` and `xontrib-vox` dev deps; no `vox` support with
`uv` rn anyway..
Hasn't been needed for a while since the type-annots have been exposed
from core since `trio>=0.24`. Allows us to drop a buncha sub-deps as
well like,
- `async-generator`
- `importlib-metadata`
- `mypy-extensions`
- `typing-extensions`
- `zipp`
Yah, don't really know why i listed all those but..
Namely since i use `xonsh` for a main shell, this includes adding it as
well as related tooling. Obvi bump the `uv.lock`.
Some other stuff retained from `poetry` days,
- add usage-comments around various (optional) deps.
- add toml section separator lines.
- go with 2-space indent.
- add comment on `trio>0.27` needed for py3.13+
Gud Boi
dependabot[bot]
Tyler Goodlet
Guillermo Rodriguez