chore(deps-dev): bump pdoc from 15.0.4 to 16.0.0 #1594
Open: dependabot wants to merge 1 commit into main from dependabot/uv/pdoc-16.0.0
+15 −5
🟡 The pdoc version constraint was updated to `>=15.0.4,<17` but the lower bound was not updated to `>=16.0.0`, meaning environments that install without the lock file (e.g., `pip install langfuse[docs]`) could resolve to pdoc 15.x instead of the intended 16.x. Consider changing the constraint to `pdoc>=16.0.0,<17` to match the PR's intent.

**Extended reasoning**

**What the bug is:** The PR bumps pdoc from 15.0.4 to 16.0.0, and correctly updates the lock file to pin pdoc 16.0.0. However, the version constraint in `pyproject.toml` was changed from `>=15.0.4,<16` to `>=15.0.4,<17` — only widening the upper bound — rather than `>=16.0.0,<17`. This means the lower bound still allows any pdoc 15.x release to satisfy the constraint.

**The specific code path:** In `pyproject.toml` line 38, the `docs` extra dependency is declared as `pdoc>=15.0.4,<17`. A resolver that sees this constraint (without the lock file) is free to choose pdoc 15.0.4 as a valid solution.

**Why existing code doesn't prevent it:** The `uv.lock` file pins pdoc to exactly 16.0.0, so any `uv sync` or `uv run` invocation respects the lock and gets 16.0.0. However, anyone running `pip install "langfuse[docs]"` (a common workflow for users installing the docs extra manually, or in CI pipelines not using uv) bypasses the lock file entirely and relies solely on the pyproject.toml constraint. With `>=15.0.4,<17`, pip could resolve to 15.x.

**Impact:** pdoc 16.0.0 is a major version release with meaningful changes: it adds `markdown2` as a new dependency, drops Python 3.9 support, and changes templating behavior. Running with pdoc 15.x versus 16.x would produce different documentation output and could silently fail to include `markdown2`. That said, this is a docs-only dev dependency, so production users are entirely unaffected.

**How to fix it:** Change line 38 in `pyproject.toml` from `pdoc>=15.0.4,<17` to `pdoc>=16.0.0,<17`.

**Step-by-step proof:**
- `pip install "langfuse[docs]"` (not using uv, no lock file honored).
- `pdoc>=15.0.4,<17`.
- `markdown2` dependency and has different rendering behavior compared to 16.x.

**Addressing the refutation:** The refutation correctly notes this is standard Dependabot behavior — Dependabot typically only widens the upper bound. However, "standard Dependabot behavior" and "correct constraint" are different things. The constraint `>=15.0.4,<17` is technically imprecise for a PR whose stated goal is to adopt pdoc 16.0.0. This is a nit rather than a blocking issue because the lock file protects most real workflows, but tightening the lower bound is a small, low-risk improvement worth noting.
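The resolver behaviour the comment describes, and a CI check for it, as an added example that is not part of the PR or the langfuse project: a minimal specifier matcher shows which pdoc releases `>=15.0.4,<17` still admits compared with the proposed `>=16.0.0,<17`, and a lock-drift check flags extras whose lower bound lags the major version pinned in `uv.lock`. The release list and lock snippet are constructed sample data, and the `uv.lock` parsing is a regex over `[[package]]` entries rather than a full TOML parser.

```python
import operator
import re

# Constructed sample data mirroring the PR (not the project's real files).
DOCS_EXTRA = ["pdoc>=15.0.4,<17"]          # constraint the PR leaves in pyproject.toml
FIXED_EXTRA = ["pdoc>=16.0.0,<17"]         # constraint the comment proposes
UV_LOCK = '''
[[package]]
name = "pdoc"
version = "16.0.0"
source = { registry = "https://pypi.org/simple" }
'''
PDOC_RELEASES = ["15.0.0", "15.0.1", "15.0.4", "16.0.0"]   # constructed index listing

# Longer operators first so ">=" is matched before ">" (dict order is insertion order).
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def vtuple(v):
    """'16.0.0' -> (16, 0, 0); plain numeric versions only."""
    return tuple(int(p) for p in v.split("."))

def satisfies(spec, version):
    """True if version meets every comma-separated clause of a spec like '>=15.0.4,<17'."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op = next(o for o in OPS if clause.startswith(o))
        if not OPS[op](vtuple(version), vtuple(clause[len(op):].strip())):
            return False
    return True

def admitted(spec, available):
    """Releases a resolver may choose from the constraint alone (no lock file), ascending."""
    return sorted((v for v in available if satisfies(spec, v)), key=vtuple)

def locked_versions(lock_text):
    """name -> version from uv.lock [[package]] entries (regex, not a full TOML parser)."""
    pat = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')
    return {name.lower(): ver for name, ver in pat.findall(lock_text)}

def lagging_lower_bounds(extra_reqs, lock_text):
    """(name, spec, locked) for requirements whose >= bound is a major below the lock."""
    locked = locked_versions(lock_text)
    findings = []
    for req in extra_reqs:
        name, spec = re.match(r"([A-Za-z0-9_.-]+)(.*)", req).groups()
        pinned = locked.get(name.lower())
        lower = [c.strip()[2:] for c in spec.split(",") if c.strip().startswith(">=")]
        if pinned and lower and vtuple(lower[0])[0] < vtuple(pinned)[0]:
            findings.append((name, spec, pinned))
    return findings
```

On an interpreter where pdoc 16.0.0 is unavailable (the comment notes 16 drops Python 3.9), `admitted` over the 15.x-only listing shows the original constraint resolving to 15.0.4, while the fixed constraint admits nothing and fails loudly instead of silently building docs with the wrong pdoc.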