This repository was archived by the owner on Jun 20, 2026. It is now read-only.

chore(deps): update markdownify requirement from >=1.2.0 to >=1.2.2#315

Merged
brooksmcmillin merged 3 commits into
mainfrom
dependabot/pip/markdownify-gte-1.2.2
May 3, 2026

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 15, 2026


Updates the requirements on markdownify to permit the latest version.

Release notes

Sourced from markdownify's releases.

1.2.2

fix: include py.typed file by @​G-Rath in matthewwithanm/python-markdownify#235

Full Changelog: matthewwithanm/python-markdownify@1.2.0...1.2.2

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/markdownify-gte-1.2.2 branch from f91a3f4 to cddb1fd Compare May 2, 2026 06:34
Updates the requirements on [markdownify](https://github.com/matthewwithanm/python-markdownify) to permit the latest version.
- [Release notes](https://github.com/matthewwithanm/python-markdownify/releases)
- [Commits](matthewwithanm/python-markdownify@1.2.0...1.2.2)

---
updated-dependencies:
- dependency-name: markdownify
  dependency-version: 1.2.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/markdownify-gte-1.2.2 branch from cddb1fd to 876ad81 Compare May 2, 2026 22:56
@claude

claude Bot commented May 3, 2026


Claude finished @brooksmcmillin's task in 1m 38s


Security Review

  • Gather context
  • Read previous bot comments (none with prior findings)
  • Review changed files
  • Post security assessment

All clear. This is a routine patch dependency bump with no security implications.

Summary of changes:

  • markdownify bumped from >=1.2.0 → >=1.2.2 in root pyproject.toml (dependency + constraint)
  • uv.lock updated with new package hashes for markdownify==1.2.2

Assessment:

The 1.2.2 release of markdownify contains a single change: including the py.typed marker file for PEP 561 type-checking support. This is not a security fix — it purely improves type checker interoperability and has no functional impact at runtime.

No new attack surface is introduced, no CVEs are addressed, and the dependency supply chain follows standard PyPI distribution via dependabot.

Minor observation: packages/agent-framework/pyproject.toml still declares markdownify>=1.2.0 (line 29) while the root workspace enforces >=1.2.2 via constraint-dependencies. This is functionally safe — the workspace constraint wins during resolution — but the library's own floor is slightly stale. Not a security concern.

No action required.

@claude

claude Bot commented May 3, 2026


Claude finished @brooksmcmillin's task in 50s


New Issues

Inconsistent version floor in packages/agent-framework/pyproject.toml

packages/agent-framework/pyproject.toml:29 still declares markdownify>=1.2.0 while the root pyproject.toml was bumped to >=1.2.2 in both dependencies and constraint-dependencies. The lock file correctly resolves to 1.2.2 (constrained by the root), but the agent-framework package's own floor is now stale and could allow an older version if the package were ever installed in isolation.



Otherwise this is a straightforward, low-risk dependency bump. The only change in markdownify 1.2.2 is the inclusion of the py.typed marker file for PEP 561 compliance — no API changes, no behaviour changes. Lock file hashes look correct and resolve cleanly to 1.2.2.
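A check for the stale-floor condition the review describes, added here as an example and not code from this repository: it assumes uv's [tool.uv] constraint-dependencies table and uses constructed pyproject contents standing in for the root and packages/agent-framework files.

```python
"""Flag sub-package '>=' floors that lag behind the root workspace's effective floor.

Added example; the TOML below is constructed, not the repository's real files.
Assumes uv's [tool.uv] constraint-dependencies layout.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed stand-ins for the files the review refers to.
ROOT_PYPROJECT = """
[project]
name = "workspace-root"
dependencies = ["markdownify>=1.2.2", "pydantic>=2.12.5"]
[tool.uv]
constraint-dependencies = ["markdownify>=1.2.2"]
"""

SUBPACKAGE_PYPROJECT = """
[project]
name = "agent-framework"
dependencies = ["markdownify>=1.2.0", "python-dotenv>=1.2.2"]
"""

# Matches "name>=X.Y.Z"; extras, markers, pins and upper bounds are ignored.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9.]*)")


def floors(pyproject_text: str, keys: tuple[str, ...]) -> dict[str, tuple[int, ...]]:
    """Map dependency name -> lowest allowed version found under the given table path."""
    node = tomllib.loads(pyproject_text)
    for key in keys:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    out: dict[str, tuple[int, ...]] = {}
    for req in node if isinstance(node, list) else []:
        m = _REQ.match(req)
        if m:
            out[m.group(1).lower()] = tuple(int(p) for p in m.group(2).strip(".").split("."))
    return out


def stale_floors(root_text: str, sub_text: str) -> list[tuple[str, tuple[int, ...], tuple[int, ...]]]:
    """Return (name, sub_floor, root_floor) where a sub-package floor is below the root's.

    The root's effective floor is the higher of its own dependency floor and its
    workspace constraint; a lower sub-package floor only bites if that package is
    resolved outside the workspace, which is exactly the case the review flags.
    """
    dep = floors(root_text, ("project", "dependencies"))
    con = floors(root_text, ("tool", "uv", "constraint-dependencies"))
    root = {n: max(dep.get(n, ()), con.get(n, ())) for n in dep | con}
    sub = floors(sub_text, ("project", "dependencies"))
    return sorted((n, sub[n], root[n]) for n in sub if n in root and sub[n] < root[n])


if __name__ == "__main__":
    for name, sub_v, root_v in stale_floors(ROOT_PYPROJECT, SUBPACKAGE_PYPROJECT):
        print(f"{name}: sub-package floor {'.'.join(map(str, sub_v))} "
              f"< root floor {'.'.join(map(str, root_v))}")
```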

…lict

litellm 1.83.7-1.83.13 pin python-dotenv==1.0.1 (conflicts with
agent-framework's python-dotenv>=1.2.2), and 1.83.14 pins pydantic==2.12.5
(conflicts with root's pydantic>=2.13.3). Lowering the floor lets uv resolve
to 1.83.0, which has neither pin.
@claude

claude Bot commented May 3, 2026


Claude finished @brooksmcmillin's task in 55s


All clear. This is a routine patch dependency bump with no correctness, security, or maintainability concerns.

Still Open

Previously flagged and still unaddressed:

  • packages/agent-framework/pyproject.toml:29 still has markdownify>=1.2.0 while root pyproject.toml (lines 21 & 42) is now >=1.2.2. The workspace constraint-dependencies ensure resolution always lands on 1.2.2+, so this is safe in the monorepo context. But if the agent-framework package is ever published or installed in isolation the stale floor could allow 1.2.0/1.2.1.

New Issues

None.


The 1.2.2 release only adds the py.typed marker for PEP 561 compliance — no API changes, no runtime behaviour changes. Lock file hashes are correct and resolve cleanly.

@claude

claude Bot commented May 3, 2026


Claude finished @brooksmcmillin's task in 1m 54s


Security Review

  • Read previous bot comments
  • Review changed files
  • Post security assessment

All clear. No security issues introduced by this PR.

Still Open

  • Stale markdownify floor in packages/agent-framework/pyproject.toml:29 — still declares markdownify>=1.2.0 while root enforces >=1.2.2. Previously flagged; root's workspace constraint wins during resolution so there's no functional impact, but the sub-package floor is stale.


New Commits (since last review)

Two additional commits landed on this branch (f47a223, f4ab460) that are outside the original dependabot scope:

  • pydantic floor loosened: >=2.13.3 → >=2.12.5 — Done to unblock litellm>=1.83.7, which pins pydantic==2.12.5. The lock resolves to pydantic 2.12.5. The prior floor of >=2.13.3 was a routine dep bump (PR chore(deps): update pydantic requirement from >=2.10.0 to >=2.13.3 #317), not a security fix, so no CVE is reintroduced here. Lock lands on litellm 1.83.14, described as the vulnerability-free target — this tradeoff is sound.
  • litellm floor adjusted — Intermediate commit lowering to >=1.82.0 was superseded by the pydantic fix; final floor is >=1.83.7, resolving to 1.83.14.

No new attack surface or vulnerable version ranges introduced.

Reverts the litellm floor relaxation from the previous commit and instead
loosens pydantic in root from >=2.13.3 to >=2.12.5. All litellm versions
>=1.83.7 pin pydantic==2.12.5, so this is the only constraint shape that
allows a vulnerability-free litellm to resolve. Lock lands on litellm 1.83.14.
@brooksmcmillin brooksmcmillin merged commit 750954b into main May 3, 2026
21 of 22 checks passed
@brooksmcmillin brooksmcmillin deleted the dependabot/pip/markdownify-gte-1.2.2 branch May 3, 2026 05:56