Skip to content

Migrate to uv and apply pending Dependabot bumps#55

Merged
steder merged 1 commit into
mainfrom
claude/dependabot-updates-modernize-WbEUJ
May 15, 2026
Merged

Migrate to uv and apply pending Dependabot bumps#55
steder merged 1 commit into
mainfrom
claude/dependabot-updates-modernize-WbEUJ

Conversation

@steder
Copy link
Copy Markdown
Owner

@steder steder commented May 15, 2026

Summary

Replaces Poetry with uv, drops Python 2 vestiges, and subsumes all six open Dependabot PRs by resolving the dep graph from scratch.

Dependabot PRs this closes

PR Bump Result in uv.lock
#54 urllib3 2.5.0 → 2.6.0 2.7.0
#53 pytest 8.4.1 → 9.0.1 9.0.3
#51 click 7.1.1 → 8.2.1 8.3.3
#49 attrs 19.3.0 → 25.3.0 removed (was a transitive of fabric)
#48 jinja2 2.11.1 → 3.1.6 3.1.6 (already there)
#46 colorama 0.4.3 → 0.4.6 0.4.6

Tooling changes

  • pyproject.toml rewritten in PEP 621 form; poetry.lockuv.lock
  • requires-python = ">=3.13"
  • Dockerfile rewritten around ghcr.io/astral-sh/uv:latest
  • .github/workflows/python-app.yml rewritten to use uv + Python 3.13 — and moved out of .github/ and into .github/workflows/ where Actions will actually find it (the old file was misplaced and never ran)
  • .travis.yml removed (Python 2.7/3.7/3.8 era)

Python 2 cleanup

  • Removed from __future__ import absolute_import / division / print_function from giraffe.py
  • import mockfrom unittest import mock in test_giraffe.py; dropped the mock PyPI dep
  • Dropped fabric / fabtools / hammock dev deps and fabfile.py
  • Removed etc/old_fabfile.py (Python-2 print syntax)

Incidental fix

image_to_buffer(..., compress=True) was broken on wand 0.7+ because wand now calls file.fileno() on the save target, which gzip.GzipFile wrapping BytesIO doesn't support. Fixed by saving to a buffer first, then gzipping the bytes. The compressed path is only exercised by a test today, but the fix keeps the helper honest.

Test plan

  • uv sync --all-groups --frozen succeeds on Python 3.13
  • uv run pytest — 87 passed, 0 failed
  • uv run flake8 . --select=E9,F63,F7,F82 --exclude=.venv,.git,__pycache__ clean
  • CI green on this PR
  • Docker image still builds (untested locally — no Docker available in the dev sandbox)

Generated by Claude Code

@claude
Migrate from Poetry to uv and apply pending Dependabot bumps
c26761a 
Drop Python 2 vestiges (`from __future__` imports, `mock` package) and
modernize the project's tooling around uv. Replaces poetry.lock with
uv.lock, which subsumes all outstanding Dependabot PRs (#46, #48, #49,
#51, #53, #54) by resolving to the newest compatible versions:

  - pytest 8.4.1 -> 9.0.3
  - urllib3 2.5.0 -> 2.7.0
  - click 7.1.1 -> 8.3.3 (transitive)
  - colorama 0.4.3 -> 0.4.6 (transitive)
  - jinja2 already at 3.1.6
  - attrs no longer in the tree (came from removed fabric stack)

Also:
  - require Python 3.13 explicitly
  - rewrite Dockerfile to use uv with the Astral image
  - relocate workflow into .github/workflows/ (it was misplaced and so
    was never being executed) and rewrite to use uv + Python 3.13
  - remove .travis.yml (Python 2.7/3.7/3.8 era)
  - drop fabric/fabtools/hammock dev deps and fabfile.py
  - drop etc/old_fabfile.py (Python 2 syntax)
  - fix image_to_buffer compress path to work with wand 0.7+ which now
    requires file.fileno() on save target
  - point README CI badge at the GitHub Actions workflow
@steder steder marked this pull request as ready for review May 15, 2026 16:32
@steder steder merged commit c415605 into main May 15, 2026
5 checks passed
@steder steder deleted the claude/dependabot-updates-modernize-WbEUJ branch May 15, 2026 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@steder @claude