Skip to content

fix(deps): align linuxfabrik-lib, setuptools and soupsieve across all lockfiles#1360

Merged
markuslf merged 3 commits into
mainfrom
fix/lockfiles-lib-6-and-soupsieve
Jul 10, 2026
Merged

fix(deps): align linuxfabrik-lib, setuptools and soupsieve across all lockfiles#1360
markuslf merged 3 commits into
mainfrom
fix/lockfiles-lib-6-and-soupsieve

Conversation

@markuslf

Copy link
Copy Markdown
Member

Closes the four open Dependabot advisories and a latent breakage on main.

linuxfabrik-lib 5.1.0 -> 6.0.0 (all seven lockfiles)

lib 6.0.0 renamed lib.huawei to lib.huawei_dorado. The plugins followed that rename in f3ab4b0, but every lockfile still pinned 5.1.0, which only ships lib/huawei.py. A package built from main would have failed every huawei-dorado-* check with ModuleNotFoundError at import time.

No tagged release is affected: v6.0.0 (2026-06-14) predates the rename (2026-07-03) and pins lib 5.0.0.

Verified in a CI-like checkout (the tracked lib -> ../lib symlink dangles, so import lib.* resolves to the installed package):

  • linuxfabrik-lib==5.1.0 -> ModuleNotFoundError: No module named 'lib.huawei_dorado', exit 1
  • linuxfabrik-lib==6.0.0 -> plugin starts normally

Dependabot proposed this bump for py312, py313 and py313-windows only. py311 and py314 were missed; py39 and py310 sit outside its directory: allowlist. Superseded PRs: #1342, #1343, #1347.

soupsieve 2.8.3 -> 2.8.4 (py39)

Fixes the ReDoS and memory-exhaustion advisories in the CSS selector parser (Dependabot alerts #52 and #53). soupsieve 2.8.4 still declares Requires-Python >=3.9.

Dependabot had already proposed exactly this in #1334, but the py39 guard in dependabot-auto-merge.yml auto-closed it.

setuptools 82.0.1 -> 83.0.0 (py310, py312)

Dependabot covered py311, py313 and py314 (#1338, #1344, #1348). 83.0.0 requires Python >= 3.10, so py310 and py312 can take it too; it carries the MANIFEST.in unicode-normalization fix (GHSA-h35f-9h28-mq5c). py39 stays on 82.0.1.

dependabot-auto-merge.yml

The py39 guard closed every Dependabot PR touching that lockfile, including security updates that do still support Python 3.9 - that is how the soupsieve fix was lost. Frozen lockfiles are now commented on and left open for a human.

py310 is added to the guard. It is excluded in dependabot.yml as well, but Dependabot security updates ignore the directory: allowlist, so a bump requiring Python 3.11 could previously have auto-merged into it.

Verification

  • pip install --dry-run --require-hashes against py39 (UBI9, Python 3.9.25), py312 (UBI9/python-312) and py310 (Ubuntu 22.04, Python 3.10.12 - no RHEL-family image ships 3.10). All resolve.
  • actionlint clean on the changed workflow.

markuslf added 3 commits July 10, 2026 16:04
lib 6.0.0 renamed `lib.huawei` to `lib.huawei_dorado`. The plugins
followed that rename in f3ab4b0, but all seven lockfiles still
pinned 5.1.0, which only ships `lib/huawei.py`. A package built from
main would have failed every huawei-dorado-* check with
ModuleNotFoundError at import time. No tagged release is affected;
v6.0.0 predates the rename.

Dependabot proposed the bump for py312, py313 and py313-windows only.
py311 and py314 were missed, py39 and py310 sit outside its
`directory:` allowlist. Bumping all seven at once avoids a state in
which half the target distros ship a broken library.

Also bumps soupsieve 2.8.3 -> 2.8.4 in the py39 lockfile
(GHSA ReDoS and memory exhaustion in the selector parser). soupsieve
2.8.4 still declares Requires-Python >=3.9. Verified with
`pip install --dry-run --require-hashes` under UBI9 (Python 3.9.25).
The py39 guard closed every Dependabot PR touching that lockfile,
including security updates that do still support Python 3.9. It
silently discarded the soupsieve 2.8.4 fix in #1334.

Frozen lockfiles are now commented on and left open for a human.
py310 is added to the guard: it is excluded in dependabot.yml too,
but security updates ignore that allowlist, so a bump requiring
Python 3.11 could previously have auto-merged.
Dependabot bumped setuptools in py311, py313 and py314 only, leaving
py310 and py312 on 82.0.1. 83.0.0 requires Python >= 3.10, so both
can take it, and it carries the MANIFEST.in unicode-normalization fix
(GHSA-h35f-9h28-mq5c). py39 stays on 82.0.1.

Resolution verified with `pip install --dry-run --require-hashes`
under UBI9/python-312 and Ubuntu 22.04 (Python 3.10.12; no RHEL-family
image ships 3.10).
@markuslf markuslf merged commit 57311ab into main Jul 10, 2026
6 checks passed
@markuslf markuslf deleted the fix/lockfiles-lib-6-and-soupsieve branch July 10, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant