fix(deps): align linuxfabrik-lib, setuptools and soupsieve across all lockfiles#1360
Merged
Conversation
lib 6.0.0 renamed `lib.huawei` to `lib.huawei_dorado`. The plugins followed that rename in f3ab4b0, but all seven lockfiles still pinned 5.1.0, which only ships `lib/huawei.py`. A package built from main would have failed every huawei-dorado-* check with ModuleNotFoundError at import time. No tagged release is affected; v6.0.0 predates the rename. Dependabot proposed the bump for py312, py313 and py313-windows only. py311 and py314 were missed, py39 and py310 sit outside its `directory:` allowlist. Bumping all seven at once avoids a state in which half the target distros ship a broken library. Also bumps soupsieve 2.8.3 -> 2.8.4 in the py39 lockfile (GHSA ReDoS and memory exhaustion in the selector parser). soupsieve 2.8.4 still declares Requires-Python >=3.9. Verified with `pip install --dry-run --require-hashes` under UBI9 (Python 3.9.25).
The py39 guard closed every Dependabot PR touching that lockfile, including security updates that do still support Python 3.9. It silently discarded the soupsieve 2.8.4 fix in #1334. Frozen lockfiles are now commented on and left open for a human. py310 is added to the guard: it is excluded in dependabot.yml too, but security updates ignore that allowlist, so a bump requiring Python 3.11 could previously have auto-merged.
Dependabot bumped setuptools in py311, py313 and py314 only, leaving py310 and py312 on 82.0.1. 83.0.0 requires Python >= 3.10, so both can take it, and it carries the MANIFEST.in unicode-normalization fix (GHSA-h35f-9h28-mq5c). py39 stays on 82.0.1. Resolution verified with `pip install --dry-run --require-hashes` under UBI9/python-312 and Ubuntu 22.04 (Python 3.10.12; no RHEL-family image ships 3.10).
This was referenced Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the four open Dependabot advisories and a latent breakage on
main.linuxfabrik-lib 5.1.0 -> 6.0.0 (all seven lockfiles)
lib 6.0.0 renamed
lib.huaweitolib.huawei_dorado. The plugins followed that rename in f3ab4b0, but every lockfile still pinned 5.1.0, which only shipslib/huawei.py. A package built frommainwould have failed everyhuawei-dorado-*check withModuleNotFoundErrorat import time.No tagged release is affected:
v6.0.0(2026-06-14) predates the rename (2026-07-03) and pins lib 5.0.0.Verified in a CI-like checkout (the tracked
lib -> ../libsymlink dangles, soimport lib.*resolves to the installed package):linuxfabrik-lib==5.1.0->ModuleNotFoundError: No module named 'lib.huawei_dorado', exit 1linuxfabrik-lib==6.0.0-> plugin starts normallyDependabot proposed this bump for
py312,py313andpy313-windowsonly.py311andpy314were missed;py39andpy310sit outside itsdirectory:allowlist. Superseded PRs: #1342, #1343, #1347.soupsieve 2.8.3 -> 2.8.4 (py39)
Fixes the ReDoS and memory-exhaustion advisories in the CSS selector parser (Dependabot alerts #52 and #53). soupsieve 2.8.4 still declares
Requires-Python >=3.9.Dependabot had already proposed exactly this in #1334, but the
py39guard independabot-auto-merge.ymlauto-closed it.setuptools 82.0.1 -> 83.0.0 (py310, py312)
Dependabot covered
py311,py313andpy314(#1338, #1344, #1348). 83.0.0 requires Python >= 3.10, sopy310andpy312can take it too; it carries theMANIFEST.inunicode-normalization fix (GHSA-h35f-9h28-mq5c).py39stays on 82.0.1.dependabot-auto-merge.yml
The
py39guard closed every Dependabot PR touching that lockfile, including security updates that do still support Python 3.9 - that is how the soupsieve fix was lost. Frozen lockfiles are now commented on and left open for a human.py310is added to the guard. It is excluded independabot.ymlas well, but Dependabot security updates ignore thedirectory:allowlist, so a bump requiring Python 3.11 could previously have auto-merged into it.Verification
pip install --dry-run --require-hashesagainstpy39(UBI9, Python 3.9.25),py312(UBI9/python-312) andpy310(Ubuntu 22.04, Python 3.10.12 - no RHEL-family image ships 3.10). All resolve.actionlintclean on the changed workflow.