
build(deps): bump packaging from 26.0 to 26.1 #20838

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/packaging-26.1

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Bumps packaging from 26.0 to 26.1.

Changelog

Sourced from packaging's changelog.

26.1 - 2026-04-14

Features:

  • PEP 783: add handling for Emscripten wheel tags in #804 (old name used in implementation, fixed in next release)
  • PEP 803: add handling for the abi3.abi3t free-threading tag in #1099
  • PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in #1065
  • Add the packaging.direct_url module in #944
  • Add the packaging.errors module in #1071
  • Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in #1119
  • Add create_compatible_tags_selector to select compatible tags in #1110
  • Add a key argument to SpecifierSet.filter() in #1068
  • Support & and | for Marker's in #1146
  • Normalize Version.__replace__ and add Version.from_parts in #1078
  • Add an option to validate compressed tag set sort order in parse_wheel_filename in #1150

Behavior adaptations:

  • Narrow exclusion of pre-releases for <V.postN to match spec in #1140
  • Narrow exclusion of post-releases for >V to match spec in #1141
  • Rename format_full_version to _format_full_version to make it visibly private in #1125
  • Restrict local version to ASCII in #1102

Pylock (PEP 751) updates:

  • Add pylock select function in #1092
  • Document pylock select() method and PylockSelectError in #1153
  • Add filename property to PackageSdist and PackageWheel, more validation in #1095
  • Give preference to path over url in #1128
  • Validate name/version consistency in file names in #1114

Fixes:

  • Fix > comparison for versions with dev+local segments in #1097
  • Fix incorrect self-comparison for InfinityType and NegativeInfinityType in #1093
  • Canonicalize when deduplicating specifiers in SpecifierSet in #1109
  • Fix charset error message formatting in #1121
  • Handle the key parameter in SpecifierSet.filter when specifiers are empty and prerelease is False in #1096
  • Standardize inner components of repr output in #1090
  • Specifier's === uses original string, not normalized, when available in #1124
  • Propagate int-max-str-digits ValueError in #1155

Performance:

  • Add fast path for parsing simple versions (digits and dots only) in #1082
  • Add fast path for Version to Version comparison by skipping _key property in #1083
  • Cache Version hash value in dedicated slot in #1118
  • Overhaul _cmpkey to remove use of custom objects in #1116
  • Skip __replace__ in Specifier comparison if not needed in #1081

... (truncated)

Commits
  • c1a88a3 Bump for release
  • 702c25e docs: update changelog for 26.1 (#1156)
  • 3f4f5d4 Implement is_unsatisfiable on SpecifierSet using ranges (#1119)
  • 06c6555 Propagate int-max-str-digits ValueError (#1155)
  • 905c90c feat: option to validate compressed tag set sort order in `parse_wheel_filena...
  • af0026c docs(pylock): document select() method and PylockSelectError (#1153)
  • 668da86 Rename format_full_version to _format_full_version to make it visibly private...
  • f294d52 tests: do not reload the tags module (#1152)
  • 2c6c7df feat: add handling for Emscripten wheels tags per PEP 783 (#804)
  • 6762eea docs(markers): document & and | operators for combining Marker objects (#1151)
  • Additional commits viewable in compare view


Note

Low Risk
Dependency-only update that bumps packaging and regenerates the Poetry lockfile; main risk is subtle behavior changes in the upstream library affecting version/specifier parsing.

Overview
Updates the Python dependency constraint for packaging from >=24.0 to >=26.1 in pyproject.toml.

Regenerates poetry.lock with packaging locked to 26.1, updated artifact hashes/content hash, and an updated Poetry generator version comment.

Reviewed by Cursor Bugbot for commit a577ecc.

@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) Apr 28, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 28, 2026 20:25

socket-security Bot commented Apr 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | pypi/packaging@26.0 ⏵ 26.1 | 99 (+1) | 100 | 100 | 100 | 100



@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 9c59e4c88d67d65c8201932645e07df89e91e9fa.

Comment thread pyproject.toml
@@ -67,7 +67,7 @@ dnslib = ">=0.9.25" # dns lib
dnspython = ">=2.6.1" # Query DNS seeds
filelock = ">=3.16.1" # For reading and writing config multiprocess and multithread safely (non-reentrant locks)
keyring = ">=25.5.0" # Store keys in MacOS Keychain, Windows Credential Locker
packaging = ">=24.0"
packaging = ">=26.1"
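Review bot: the last two lines of this hunk raise the declared lower bound (packaging = ">=24.0" replaced by packaging = ">=26.1"), which goes beyond the lockfile refresh a Dependabot version bump is meant to be; the compatibility review in this thread finds the code base only uses packaging.version.Version and InvalidVersion, both available in far older releases, so the higher floor gains nothing and excludes environments that still resolve an older packaging. Suggest keeping `packaging = ">=24.0"` in pyproject.toml and letting poetry.lock alone carry the 26.1 pin; if the minimum is meant to move, the PR description should name the 26.1 API that requires it.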

Minimum version constraint unnecessarily tightened from 24.0 to 26.1

Medium Severity

The packaging minimum version in pyproject.toml was raised from >=24.0 to >=26.1, but the codebase only uses packaging.version.Version — a feature available since much older versions. This Dependabot PR is meant to bump the lock file only, not tighten the minimum constraint. Raising it unnecessarily restricts compatibility for downstream consumers and environments that may not yet have packaging 26.1 available.


Reviewed by Cursor Bugbot for commit 9c59e4c88d67d65c8201932645e07df89e91e9fa.
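The two checks the review above implies for a Dependabot PR (the diff touches only the dependency manifests, and no declared minimum in pyproject.toml is raised), as an added example that is not part of this PR, the Chia project or Dependabot. The helper names are hypothetical and the unified diff it scans is constructed to mirror the pyproject.toml hunk above.

```python
# Added example, not Chia or Dependabot code: hypothetical helpers; SAMPLE_DIFF is constructed.
import re
from typing import Dict, List, Optional, Tuple

MANIFEST_FILES = {"pyproject.toml", "poetry.lock"}  # all a Poetry dependency bump should touch
DEP_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"([^"]*)"')  # e.g. packaging = ">=24.0"
LOWER_BOUND = re.compile(r">=\s*([0-9][0-9A-Za-z.]*)")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric release tuple so plain versions order correctly (24.0 < 26.1)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def lower_bound(spec: str) -> Optional[str]:
    """The >= version of a specifier string, or None when it declares no minimum."""
    match = LOWER_BOUND.search(spec)
    return match.group(1) if match else None


def parse_unified_diff(diff: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each path in a unified diff to its (removed, added) lines."""
    files: Dict[str, Tuple[List[str], List[str]]] = {}
    current: Optional[str] = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            files[current] = ([], [])
        elif current is None or line.startswith(("--- ", "@@", "diff ")):
            continue  # file headers and hunk markers carry no content
        elif line.startswith("-"):
            files[current][0].append(line[1:])
        elif line.startswith("+"):
            files[current][1].append(line[1:])
    return files


def unexpected_files(diff: str) -> List[str]:
    """Paths the PR touches that are not dependency manifests (expected: none)."""
    return sorted(p for p in parse_unified_diff(diff) if p not in MANIFEST_FILES)


def declared_bounds(lines: List[str]) -> Dict[str, str]:
    """package -> lower bound, for every dependency line that declares one."""
    bounds: Dict[str, str] = {}
    for line in lines:
        match = DEP_LINE.match(line)
        minimum = lower_bound(match.group(2)) if match else None
        if match and minimum:
            bounds[match.group(1)] = minimum
    return bounds


def tightened_bounds(diff: str) -> List[Tuple[str, str, str]]:
    """(package, old_min, new_min) for each pyproject.toml minimum that was raised."""
    removed, added = parse_unified_diff(diff).get("pyproject.toml", ([], []))
    old, new = declared_bounds(removed), declared_bounds(added)
    return [(pkg, old[pkg], new[pkg]) for pkg in sorted(old)
            if pkg in new and version_key(new[pkg]) > version_key(old[pkg])]


# Constructed sample: this PR's pyproject.toml hunk plus a minimal lockfile stub.
# unexpected_files(SAMPLE_DIFF) -> []   tightened_bounds(SAMPLE_DIFF) -> [('packaging', '24.0', '26.1')]
SAMPLE_DIFF = """\
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -67,7 +67,7 @@
 keyring = ">=25.5.0"
-packaging = ">=24.0"
+packaging = ">=26.1"
--- a/poetry.lock
+++ b/poetry.lock
-version = "26.0"
+version = "26.1"
"""
```

A non-empty result from either function is the signal to stop treating the PR as a routine lockfile refresh and read the diff by hand.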

github-actions Bot commented

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why this looks safe

  • Provenance: The bump is to pypa/packaging 26.1, a normal PyPA release with public tag, changelog, and compare range 26.0...26.1 — not a typosquat or mystery version.
  • Classic obfuscation / exfiltration: Nothing in your materials points to encoded payloads, odd hosts, persistence, or credential theft; the release notes match ordinary library work (PEPs, specifiers, markers, pylock, etc.).
  • Scanner vs. PR scope: The report’s 81 files, .github/workflows/ touches, noxfile.py, docs/, etc. reflect a scan of the upstream git range for packaging, not proof that the Chia Dependabot PR rewrites your CI. For this repo, expect pyproject.toml / poetry.lock (and hashes there should match PyPI — verify in the real PR diff).
  • Heuristic “subprocess” / exec: Matches are expected upstream: tests use subprocess; noxfile/tasks use it; packaging.tags has historically used subprocess for platform/toolchain probes. That is not supply-chain smoke by itself.
  • Unicode findings: Emoji in tests/test_metadata.py is consistent with encoding/metadata tests, not invisible-Unicode Trojan Source in production code.

Residual risk (not malware)

  • Compatibility: 26.1 tightens some version/specifier behavior (e.g. local segment ASCII, prerelease/postrelease edge cases). That can affect edge-case tooling/tests, not security compromise — rely on CI.

If scanner and story disagreed: Here they don’t — workflow/subprocess hits are explained by full upstream delta and normal dev/test code, not by a minimal Dependabot manifest change being malicious.

Compatibility Analysis

Searching the codebase for direct packaging usage and reviewing dependency constraints.

1) Where packaging shows up

Area | Role
pyproject.toml | Direct dependency: packaging = ">=26.1" (line 70).
poetry.lock | Resolved wheel/sdist for packaging (e.g. 26.1).
Application code | Only packaging.version: Version (and InvalidVersion in chia/util/chia_version.py).

Files (excluding vendored .upstream-dependency):

  • chia/util/chia_version.py: from packaging.version import InvalidVersion, Version
  • chia/full_node/full_node.py (line 39): from packaging.version import Version
  • (file reference not rendered): from packaging.version import Version
  • chia/farmer/farmer_api.py (line 12): from packaging.version import Version
  • (file reference not rendered): from packaging.version import Version
  • chia/cmds/dev/installers.py (lines 8-68): import packaging.version, with packaging.version.Version(...) used for CLI/installer checks

Uses: parse handshake / CLI version strings into Version, compare with literals (e.g. Version("0.0.35"), Version("2.6.0")), build short display strings via major / minor / micro / pre in chia_version.

Tests under chia/_tests/ mirror the same imports.


2) Overlap with 26.1 changes

No meaningful overlap.

26.1’s listed changes target markers (& / |), specifiers (PEP‑style ranges, SpecifierSet.*, prerelease/postrelease edge cases), wheel/tags/pylock, new modules (dependency_groups, direct_url, errors), parse_wheel_filename options, renaming format_full_version to _format_full_version, etc.

Chia does not import specifiers, requirements, markers, tags/utils, or private helpers. Its usage is limited to Version / InvalidVersion parsing and ordering for simple protocol-style strings.

The comparison / normalization fixes (e.g. dev+local, infinity edge cases, ASCII local segments) could only matter if you depended on quirky version strings or pickled Version objects; Chia’s paths are straightforward comparisons on normal semver-like literals.


3) Risks / unknowns

  • Low: Tooling/other deps also use packaging; that’s normal and exercised by CI.
  • Niche: Extremely unusual version strings (huge ints, exotic locals) might parse or compare differently due to PEP alignment and bugfixes—unlikely for handshake/protocol checks.
  • No Chia code references the renamed private format_full_version.

4) Recommendation

Merge.

The repo already declares packaging >= 26.1; bumping the lockfile to 26.0 → 26.1 matches that and touches APIs Chia does not use beyond packaging.version, which stays stable for this usage.

Optional caveat for the PR thread: behavior of specifier-oriented PEP edge cases changed in upstream, but that does not apply to current Chia call sites unless you later add specifier-based parsing.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 81
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 3b77a26f5a27473ad3b08194d773f325d018a2d0..c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
  • Resolved refs: from=3b77a26f5a27473ad3b08194d773f325d018a2d0 to=c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
  • Unicode findings (post-allowlist): 2
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 26

Top findings

  • tests/test_metadata.py:1083 unicode :: ("Foo", "🕵️"),
  • tests/test_metadata.py:1085 unicode :: "Foo: 🕵️\n",
  • tests/test_tags.py:8 shell_process_spawn :: import subprocess
  • tests/test_tags.py:351 shell_process_spawn :: subprocess,
  • tests/test_tags.py:353 shell_process_spawn :: lambda *args, **kwargs: subprocess.CompletedProcess(
  • tests/test_musllinux.py:4 shell_process_spawn :: import subprocess
  • tests/test_musllinux.py:82 shell_process_spawn :: monkeypatch.setattr(_musllinux.subprocess, "run", run_recorder) # type: ignore[attr-defined]
  • tests/test_musllinux.py:91 shell_process_spawn :: stderr=subprocess.PIPE,
  • tasks/check_frozen_revs.py:49 shell_process_spawn :: stdout=asyncio.subprocess.PIPE,
  • tasks/check_frozen_revs.py:50 shell_process_spawn :: stderr=asyncio.subprocess.DEVNULL,
  • noxfile.py:15 shell_process_spawn :: import subprocess
  • noxfile.py:310 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:461 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:470 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:480 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:491 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:514 shell_process_spawn :: subprocess.run(["git", "add", str(file)], check=False)
  • noxfile.py:515 shell_process_spawn :: subprocess.run(["git", "commit", "-m", f"Bump for {kind}"], check=False)
  • docs/conf.py:12 shell_process_spawn :: exec(f.read(), ABOUT)
  • src/packaging/tags.py:12 shell_process_spawn :: import subprocess


coveralls-official Bot commented Apr 28, 2026

Coverage Report for CI Build 25218660389

Coverage decreased (-0.02%) to 91.265%

Details

  • Coverage decreased (-0.02%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 40 coverage regressions across 10 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

40 previously-covered lines in 10 files lost coverage.

File | Lines Losing Coverage | Coverage
chia/_tests/core/util/test_lockfile.py | 22 | 77.42%
chia/full_node/full_node.py | 5 | 87.64%
chia/server/node_discovery.py | 3 | 80.21%
chia/data_layer/data_layer.py | 2 | 85.68%
chia/full_node/full_node_api.py | 2 | 86.55%
chia/server/server.py | 2 | 85.92%
chia/_tests/core/util/test_file_keyring_synchronization.py | 1 | 96.88%
chia/_tests/simulation/test_simulation.py | 1 | 96.49%
chia/timelord/timelord.py | 1 | 73.08%
chia/wallet/wallet_node.py | 1 | 87.23%

Coverage Stats

Coverage Status
Relevant Lines: 118860
Covered Lines: 108646
Line Coverage: 91.41%
Relevant Branches: 11810
Covered Branches: 10610
Branch Coverage: 89.84%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@github-actions github-actions Bot added the merge_conflict Branch has conflicts that prevent merge to main label May 1, 2026
Bumps [packaging](https://github.com/pypa/packaging) from 26.0 to 26.1.
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@26.0...26.1)

---
updated-dependencies:
- dependency-name: packaging
  dependency-version: '26.1'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/packaging-26.1 branch from 9c59e4c to a577ecc Compare May 1, 2026 14:43
@github-actions github-actions Bot removed the merge_conflict Branch has conflicts that prevent merge to main label May 1, 2026

github-actions Bot commented May 1, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how Chia declares packaging and whether the workspace reflects a minimal Dependabot diff.

Verdict: benign

Why this looks safe

  • Package identity: packaging is maintained by PyPA; 26.0 → 26.1 is a normal release on the same package name (no typosquat). Your constraint is already aligned with that bump (packaging = ">=26.1" in pyproject.toml).

  • Classic obfuscation / exfiltration — The scanner report does not show encoded payloads, unexpected URLs, startup persistence, or credential theft patterns. Heuristic hits are dominated by subprocess in src/packaging/tags.py and tests — that matches long-standing upstream behavior (e.g. probing the environment for tags), not a novel injection pattern introduced by this bump alone.

  • Invisible Unicode / Trojan Source — The unicode findings are tests/test_metadata.py strings containing an emoji in metadata tests — visible, intentional test data, not invisible-operator tricks in shipped identifiers.

  • Scanner vs interpretation: workflow_path_touch on .github/workflows/** reflects files that changed between upstream packaging tags in the scan range, not evidence that a Chia Dependabot PR is rewriting chia-blockchain’s workflows. For a typical Poetry bump, expect pyproject.toml / poetry.lock only; if the real PR diff touches .github/ under Chia, that would warrant a separate manual check (the supplied scan alone doesn’t prove that).

  • Integrity — Lock entries pointing at packaging-26.1 wheels/sdists with normal PyPI-style hashes are consistent with a standard dependency bump; no ghost package name swap.

Actionable note: Rely on green CI and confirm the PR diff is limited to dependency manifests (plus lock refresh). Treat spec/local-version parsing changes in the release notes as possible behavior shifts if Chia or tools depended on edge-case PEP 440 behavior — unrelated to malware.

Compatibility Analysis

Searching the codebase for packaging usage and comparing it to upstream changes.

1) Where packaging is used

Direct imports are only under chia/ (plus matching tests):

Area | API
chia/util/chia_version.py | InvalidVersion, Version — parse/display helpers (.major, .minor, .micro, .pre)
chia/server/ws_connection.py, chia/wallet/wallet_node.py, chia/full_node/full_node.py, chia/farmer/farmer_api.py | Version — protocol / peer version comparisons (<, <=, >, ==)
chia/cmds/dev/installers.py | packaging.version.Version — installer/dev checks
chia/_tests/... | Same Version usage in tests

pyproject.toml already pins packaging = ">=26.1".

No use of SpecifierSet, Requirement, Marker, parse_wheel_filename, dependency_groups, direct_url, format_full_version / _format_full_version, or pylock in project code (only in .upstream-dependency, which is an unpacked upstream tree for review, not the app).

2) Overlap with 26.1 changes

Low overlap. 26.1 is heavy on specifiers, markers, wheel tags, pylock, new modules, and pickle layout. Chia only uses packaging.version.Version (and InvalidVersion in one fallback path).

Relevant 26.1 items at the margin:

  • Version ordering / parsing — comparison fixes and “simple version” fast paths can change edge cases (e.g. dev + local); Chia mostly uses simple strings like "0.0.36", "2.6.0".
  • Local segment restricted to ASCII — versions with + locals must stay ASCII; existing tests use ASCII locals (e.g. 1.8.2+og-1.4.0).
  • Private rename format_full_version to _format_full_version — unused here.

So there is no direct dependency on the new/changed APIs called out in the release notes.

3) Risks / unknowns

  • Exotic version strings (non-ASCII local, odd prerelease/dev combos) could parse or compare differently; unlikely for handshake protocol versions and normal chia version / plotter output.
  • Transitive behavior — installers (pip, build, etc.) use packaging more deeply; any ecosystem breakage would show up in CI/install, not from Chia’s few Version calls.
  • Malware-scan noise on tags.py + subprocess refers to upstream packaging sources under .upstream-dependency, not something Chia vendors; the runtime package is still the normal PyPI wheel.

4) Recommendation

Merge. This is a small step from 26.0 → 26.1, Chia’s surface is only Version/InvalidVersion, and the breaking-ish items in the notes do not match that usage. Optionally treat as merge-with-caveats only if you maintain custom builds whose version strings use non-ASCII local segments.

Rely on existing CI after the lockfile bump; no code changes are implied by this review.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 81
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 3b77a26f5a27473ad3b08194d773f325d018a2d0..c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
  • Resolved refs: from=3b77a26f5a27473ad3b08194d773f325d018a2d0 to=c1a88a3e035e8bfe47dbc957f4a2493e8a7b4f3c
  • Unicode findings (post-allowlist): 2
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 26

Top findings

  • tests/test_metadata.py:1083 unicode :: ("Foo", "🕵️"),
  • tests/test_metadata.py:1085 unicode :: "Foo: 🕵️\n",
  • tests/test_tags.py:8 shell_process_spawn :: import subprocess
  • tests/test_tags.py:351 shell_process_spawn :: subprocess,
  • tests/test_tags.py:353 shell_process_spawn :: lambda *args, **kwargs: subprocess.CompletedProcess(
  • tests/test_musllinux.py:4 shell_process_spawn :: import subprocess
  • tests/test_musllinux.py:82 shell_process_spawn :: monkeypatch.setattr(_musllinux.subprocess, "run", run_recorder) # type: ignore[attr-defined]
  • tests/test_musllinux.py:91 shell_process_spawn :: stderr=subprocess.PIPE,
  • src/packaging/tags.py:12 shell_process_spawn :: import subprocess
  • src/packaging/tags.py:605 shell_process_spawn :: version_str = subprocess.run(
  • src/packaging/tags.py:614 shell_process_spawn :: stdout=subprocess.PIPE,
  • tasks/check_frozen_revs.py:49 shell_process_spawn :: stdout=asyncio.subprocess.PIPE,
  • tasks/check_frozen_revs.py:50 shell_process_spawn :: stderr=asyncio.subprocess.DEVNULL,
  • noxfile.py:15 shell_process_spawn :: import subprocess
  • noxfile.py:310 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:461 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:470 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:480 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:491 shell_process_spawn :: result = subprocess.run(
  • noxfile.py:514 shell_process_spawn :: subprocess.run(["git", "add", str(file)], check=False)


dependabot Bot commented on behalf of github May 5, 2026

Superseded by #20853.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/pip/packaging-26.1 branch May 5, 2026 20:26