SK-2872: Clean up and upgrade SDK production dependencies #266

Merged. saileshwar-skyflow merged 8 commits on Jun 12, 2026.
- Remove 5 unused/misclassified deps: python_dateutil, setuptools, urllib3, DateTime, coverage
- Fix broken PyJWT constraint (>=2.12 never existed; downgrade to >=2.8)
- Pin previously unpinned deps: cryptography >=44.0.2, httpx >=0.28.1
- Bump minimums to current stable: pydantic >=2.13.4, typing-extensions >=4.13.2, requests ~=2.32.4, python-dotenv >=1.1.0,<2
- Pin dev deps: codespell >=2.4.1, ruff >=0.9.0
- Fix main.yml: add secrets: inherit so VALID_SKYFLOW_CREDS_TEST is available when shared-tests.yml runs on post-merge pushes
- Mirror all install_requires changes in requirements.txt

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coverage was correctly removed from setup.py install_requires (not a production dep) but also incorrectly removed from requirements.txt. CI runs 'python -m coverage run' so it must be present as a dev/CI dep.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
~= with a patch version locks to the 2.32.x minor series, which would conflict for consumers already on requests 2.33+. Using >= keeps the security floor without blocking future minor releases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ci-scripts/check_dep_age.py: checks requirements.txt and setup.py against PyPI release dates; blocks deps newer than 14 days
- ci-scripts/audit_deps.py: compares dep floor versions against PyPI latest; outputs markdown report for GitHub Issue
- .github/workflows/dep-audit.yml: monthly cron on 1st of each month, opens a GitHub Issue listing outdated deps
- .github/workflows/shared-tests.yml: added 14-day stability check on every PR and push to main
- .pre-commit-config.yaml: local git hook on requirements.txt or setup.py changes
- setup.py: pre-commit bumped to >= 4.6.0 in dev extras
- requirements.txt: synced PyJWT floor to >= 2.12 matching setup.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pre-commit >= 4.6.0 requires Python >= 3.10; CI runs on 3.9. 4.3.0 is the highest version that supports Python 3.9.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…LR2004

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use minimum versions the SDK actually needs rather than current latest, so existing consumer environments on older stable versions are not forced to upgrade. pydantic floor set to 2.0.0 (v2 API required). Remove 14-day freeze tooling from PR (kept locally for separate PR).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Devesh-Skyflow (Collaborator) approved these changes on Jun 11, 2026:

LGTM
### Why

- `install_requires` entries were never imported in `skyflow/` source — every `pip install skyflow` was pulling them in unnecessarily
- `cryptography`, `httpx`, `coverage`, `codespell`, `ruff` had no version constraints, meaning any version including breaking or vulnerable ones could silently install
- `requests ~= 2.32.3` used the compatible-release operator, which locks to `2.32.x` — same pattern that caused dependency conflicts for existing customers. Loosened to floor-only `>= 2.28.0`

### Goal

- `pip install skyflow` resolves with a clean minimal set of runtime deps that don't conflict with consumers' existing environments
- `requirements.txt` mirrors `setup.py install_requires` exactly

### Changes

#### Removed from `install_requires` (4 deps)

| Dependency | Reason |
|---|---|
| `python_dateutil` | never imported in `skyflow/` |
| `setuptools` | used by `setup.py` itself, not at runtime |
| `urllib3` | already required by `requests` |
| `DateTime` | never imported in `skyflow/` |

#### Updated constraints

| Dependency | Before | After | Notes |
|---|---|---|---|
| `pydantic` | `>= 2` | `>= 2.0.0` | `>= 1.9.2`, but floor set to `>= 2.0.0` — SDK uses pydantic v2 API throughout, v1.x would cause import errors |
| `pydantic-core` | | `>= 2.18.2` | |
| `typing-extensions` | `>= 4.7.1` | `>= 4.0.0` | |
| `httpx` | (none) | `>= 0.21.2` | |
| `PyJWT` | `>= 2.12, < 3` | `>= 2.12, < 3` | |
| `requests` | `~= 2.32.3` | `>= 2.28.0` | |
| `cryptography` | (none) | `>= 44.0.2` | |
| `python-dotenv` | `>= 1.0, < 2` | `>= 1.1.0, < 2` | |

#### Dev extras updated

| Dependency | Constraint |
|---|---|
| `codespell` | `>= 2.4.1` |
| `ruff` | `>= 0.9.0` |
| `pre-commit` | `>= 4.3.0` |

### Testing

- `>=` (floor-only) constraints, as required for a published SDK — consumers can resolve alongside their own dependency graphs without conflicts
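As an added example (not the SDK's own code, and separate from the tooling the commits mention): a small check that a `requirements.txt` mirrors `setup.py install_requires`, a lint for `~=`/`==` pins, and a minimal PEP 440 evaluator showing why `requests ~= 2.32.3` excludes 2.33.0 while `>= 2.28.0` admits it. The requirement strings are constructed from the constraints listed above; the `REQUIREMENTS_TXT` sample deliberately keeps the stale `~=` pin.

```python
# Added example, not the SDK's code; the requirement strings below are constructed.
import re
from typing import Dict, List, Tuple

Spec = Tuple[str, str]  # (operator, version)
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")
_SPEC = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")
_OPS = {"==": "eq", "!=": "ne", ">=": "ge", ">": "gt", "<=": "le", "<": "lt"}

def parse_requirement(line: str) -> Tuple[str, List[Spec]]:
    """'requests ~= 2.32.3, < 3' -> ('requests', [('~=', '2.32.3'), ('<', '3')]).
    The name is PEP 503 normalized so PyJWT/pyjwt and python_dotenv/python-dotenv compare equal."""
    m = _REQ.match(line)
    parts = [_SPEC.match(p.strip()) for p in m.group(2).split(",") if p.strip()] if m else None
    if not m or not all(parts):
        raise ValueError(f"unparseable requirement: {line!r}")
    return re.sub(r"[-_.]+", "-", m.group(1)).lower(), [(s.group(1), s.group(2)) for s in parts]

def satisfies(version: str, specs: List[Spec]) -> bool:
    """PEP 440 operators on plain dotted releases (no pre/post/dev tags)."""
    cand = tuple(int(x) for x in version.split("."))
    for op, target in specs:
        t = tuple(int(x) for x in target.split("."))
        c, tt = cand + (0,) * (len(t) - len(cand)), t + (0,) * (len(cand) - len(t))  # zero-pad
        if op == "~=":  # ~=X.Y.Z is >=X.Y.Z and ==X.Y.*: only the last segment may float
            ok = c >= tt and cand[: len(t) - 1] == t[:-1]
        else:
            ok = getattr(c, f"__{_OPS[op]}__")(tt)
        if not ok:
            return False
    return True

def non_floor_specifiers(requirements: List[str]) -> List[Tuple[str, str]]:
    """Flag ~= and == pins: they lock consumers to one release series."""
    parsed = [parse_requirement(r) for r in requirements]
    return [(name, op) for name, specs in parsed for op, _ in specs if op in ("~=", "==")]

def mirror_mismatches(install_requires: List[str], requirements_txt: str) -> List[str]:
    """Names whose constraints differ between setup.py and requirements.txt."""
    setup: Dict[str, List[Spec]] = dict(parse_requirement(r) for r in install_requires)
    lines = [l for l in requirements_txt.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    reqs: Dict[str, List[Spec]] = dict(parse_requirement(l) for l in lines)
    return sorted(n for n in setup.keys() | reqs.keys() if setup.get(n) != reqs.get(n))

# Constructed sample: the PR's floor-only install_requires beside a requirements.txt still carrying the old ~= pin.
INSTALL_REQUIRES = ["pydantic >= 2.0.0", "PyJWT >= 2.12, < 3", "requests >= 2.28.0",
                    "cryptography >= 44.0.2", "httpx >= 0.21.2", "python-dotenv >= 1.1.0, < 2"]
REQUIREMENTS_TXT = ("pydantic>=2.0.0\npyjwt>=2.12,<3\nrequests~=2.32.3  # stale pin\n"
                    "cryptography>=44.0.2\nhttpx>=0.21.2\npython_dotenv>=1.1.0,<2\n")
```

Running `mirror_mismatches(INSTALL_REQUIRES, REQUIREMENTS_TXT)` reports `["requests"]`, the one line that was not mirrored; the same check is cheap enough to run as a pre-commit hook on either file.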