build(deps): bump packaging from 26.0 to 26.2

[dependabot]

Bumps packaging from 26.0 to 26.2.

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

26.1

Features:

• PEP 783: add handling for Emscripten wheel tags by @​hoodmane in pypa/packaging#804 (old name used in implementation, will be fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag by @​ngoldbaum in pypa/packaging#1099
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package by @​sirosen in pypa/packaging#1065
• Add the packaging.direct_url module by @​sbidoul in pypa/packaging#944
• Add the packaging.errors module by @​henryiii in pypa/packaging#1071
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) by @​notatallshaw in pypa/packaging#1119
• Add create_compatible_tags_selector to select compatible tags by @​sbidoul in pypa/packaging#1110
• Add a key argument to SpecifierSet.filter() by @​frostming in pypa/packaging#1068
• Support & and | for Marker's by @​henryiii in pypa/packaging#1146
• Normalize Version.__replace__ and add Version.from_parts by @​henryiii in pypa/packaging#1078
• Add an option to validate compressed tag set sort order in parse_wheel_filename by @​r266-tech in pypa/packaging#1150

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec by @​notatallshaw in pypa/packaging#1140

... (truncated)

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1169)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

26.1 - 2026-04-14

Features:

• PEP 783: add handling for Emscripten wheel tags in (:pull:804) (old name used in implementation, fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag in (:pull:1099)
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:1065)
• Add the packaging.direct_url module in (:pull:944)
• Add the packaging.errors module in (:pull:1071)
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:1119)
• Add create_compatible_tags_selector to select compatible tags in (:pull:1110)
• Add a key argument to SpecifierSet.filter() in (:pull:1068)
• Support & and | for Marker's in (:pull:1146)
• Normalize Version.__replace__ and add Version.from_parts in (:pull:1078)
• Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:1150)

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec in (:pull:1140)
• Narrow exclusion of post-releases for >V to match spec in (:pull:1141)
• Rename format_full_version to _format_full_version to make it visibly private in (:pull:1125)
• Restrict local version to ASCII in (:pull:1102)

Pylock (PEP 751) updates:

... (truncated)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

---

Note

Low Risk
Low risk dependency bump limited to Python packaging metadata; main risk is subtle behavior changes in version/specifier parsing impacting dependency resolution at runtime/build time.

Overview
Updates the packaging dependency requirement to >=26.2 and refreshes poetry.lock to lock packaging at 26.2 (with updated artifact hashes and lock content-hash).

^{Reviewed by Cursor Bugbot for commit 23814e7. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why (aligned with your checklist and the scanner report)

• Package / publisher: packaging is the canonical PyPA library (https://github.com/pypa/packaging); the bump is 26.0 → 26.2 with public release notes and tags, not a ghost or typosquat name.
• Classic obfuscation / exfiltration: Release notes and typical wheel contents for this bump are fixes (Emscripten sysconfig, pickle compatibility, ExceptionGroup re-export) plus docs/CI housekeeping—no credible signal of encoded payloads, eval chains, or odd network endpoints in what you’ve summarized.
• Invisible Unicode: The scanner’s unicode hits point at test strings with a visible emoji in test_metadata.py (lines called out in the report). That matches normal test metadata, not empty-looking or bidi/PUA smuggling. Scanner vs interpretation: treat as benign noise unless you see non-test sources with ZW/bidi/PUA in the actual wheel contents.
• Process spawning: Heuristic hits on subprocess in src/packaging/tags.py and tests are known, long-standing patterns for platform/tag probing in packaging and its tests—not evidence of compromise by themselves.
• Dependency integrity: For Chia, the meaningful change set should be pyproject.toml / poetry.lock (hashes for packaging-26.2 wheels/sdists on PyPI). Verify on the PR that there are no unexpected new direct/transitive deps beyond what Poetry needs to satisfy the bump; if the lock only moves the packaging stanza and pins, that’s expected.
• Dependabot / workflow caveat: The report’s .github/workflows/ touches are in the upstream packaging repo diff (your scan range spans upstream commits), not inherently “Chia’s workflows got edited.” Flag only if the chia-blockchain PR diff itself changes .github/ or other unrelated paths.

Actionable check before merge: Confirm the PR diff is only dependency manifests/lockfile (and maybe installhelper.py only if accidentally touched), CI is green, and poetry.lock packaging section matches PyPI for 26.2 (sha256 in the lock matches published artifacts).

Compatibility Analysis

Searching the codebase for packaging usage and comparing it to upstream changes.

1) Where packaging is used

Direct use is limited to packaging.version:

Location	Use
chia/util/chia_version.py	Version, InvalidVersion — parse/format display versions (.major/.minor/.micro, .pre)
installhelper.py	Version — semver helper for GUI (release, pre, dev, local)
chia/server/ws_connection.py	Version — protocol version parsing/comparison
chia/full_node/full_node.py	Version — peer/software version checks
chia/farmer/farmer_api.py	Version — protocol version gates
chia/wallet/wallet_node.py	Version — protocol version check
chia/cmds/dev/installers.py	packaging.version.Version — installer/version assertions
chia/_tests/util/test_chia_version.py, chia/_tests/core/server/test_server.py, chia/_tests/core/full_node/test_full_node.py	tests mirroring above

Declared in pyproject.toml as packaging = ">=26.2" with poetry.lock pinning 26.2 (typical Dependabot outcome).

.upstream-dependency/ is upstream packaging source/tests only, not Chia runtime code.

---

2) Overlap with 26.1 / 26.2 changes

• 26.2 (pickle compatibility, ExceptionGroup re-export, pyemscripten sysconfig): no overlap — Chia does not pickle Version / other packaging types (no matches for that pattern).
• 26.1 (specifiers, markers, wheel tags, SpecifierSet.is_unsatisfiable, Marker &/|, prerelease/post-release specifier tweaks, local-version ASCII rule, etc.): no overlap — Chia does not import Specifier, SpecifierSet, Requirement, Marker, or wheel/metadata helpers from packaging.

Usage stays on Version(...) plus comparisons (<, <=, >) and simple attributes — stable, documented surface.

---

3) Risks / unknowns

• Low: Dependency is a declared runtime dependency; transitive pins elsewhere are Poetry’s concern and already resolved in lockfile for this bump.
• Theoretical: Stricter local-version handling (26.1) could affect parsing only if real Chia version strings carried unusual/non-ASCII locals — unlikely for normal releases.
• Not a concern here: Pickle migrations, specifier semantics, Emscripten wheel tags.

---

4) Recommendation

Merge. Narrow API usage (Version / InvalidVersion) does not intersect the substantive behavioral/API churn called out for 26.1–26.2; 26.2 is largely corrective. Rely on CI as usual after lockfile/update lands.

---

Malware Scan Summary

• Status: warn
• Warn only mode: true
• Changed upstream files scanned: 87
• Resolution strategy: tag_range
• Changed node/vendor paths: 0
• Changed lockfiles: 0
• Resolved upstream range: 3b77a26f5a27473ad3b08194d773f325d018a2d0..84a87ee42483d7352f9502d78a9553da8859aa7a
• Resolved refs: from=3b77a26f5a27473ad3b08194d773f325d018a2d0 to=84a87ee42483d7352f9502d78a9553da8859aa7a
• Unicode findings (post-allowlist): 2
• Confusable findings (post-allowlist): 0
• IOC findings (post-allowlist): 0
• Heuristic findings (post-allowlist): 26

Top findings

• tests/test_metadata.py:1083 unicode :: ("Foo", "🕵️"),
• tests/test_metadata.py:1085 unicode :: "Foo: 🕵️\n",
• tests/test_tags.py:8 shell_process_spawn :: import subprocess
• tests/test_tags.py:351 shell_process_spawn :: subprocess,
• tests/test_tags.py:353 shell_process_spawn :: lambda *args, **kwargs: subprocess.CompletedProcess(
• tasks/check_frozen_revs.py:49 shell_process_spawn :: stdout=asyncio.subprocess.PIPE,
• tasks/check_frozen_revs.py:50 shell_process_spawn :: stderr=asyncio.subprocess.DEVNULL,
• tests/test_musllinux.py:4 shell_process_spawn :: import subprocess
• tests/test_musllinux.py:82 shell_process_spawn :: monkeypatch.setattr(_musllinux.subprocess, "run", run_recorder) # type: ignore[attr-defined]
• tests/test_musllinux.py:91 shell_process_spawn :: stderr=subprocess.PIPE,
• src/packaging/tags.py:12 shell_process_spawn :: import subprocess
• src/packaging/tags.py:605 shell_process_spawn :: version_str = subprocess.run(
• src/packaging/tags.py:614 shell_process_spawn :: stdout=subprocess.PIPE,
• noxfile.py:15 shell_process_spawn :: import subprocess
• noxfile.py:310 shell_process_spawn :: result = subprocess.run(
• noxfile.py:461 shell_process_spawn :: result = subprocess.run(
• noxfile.py:470 shell_process_spawn :: result = subprocess.run(
• noxfile.py:480 shell_process_spawn :: result = subprocess.run(
• noxfile.py:491 shell_process_spawn :: result = subprocess.run(
• noxfile.py:514 shell_process_spawn :: subprocess.run(["git", "add", str(file)], check=False)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0bdeaf5a8365f782f7c1b5465fe69ad4dbbfe812. Configure here.}

[coveralls-official]

Coverage Report for CI Build 26295026561

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage decreased (-0.004%) to 91.497%

Details

• Coverage decreased (-0.004%) from the base build.
• Patch coverage: No coverable lines changed in this PR.
• 24 coverage regressions across 7 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

24 previously-covered lines in 7 files lost coverage.

File	Lines Losing Coverage	Coverage
chia/timelord/timelord.py	11	73.36%
chia/wallet/wallet_node.py	4	87.23%
chia/simulator/setup_services.py	3	96.3%
chia/farmer/farmer.py	2	72.52%
chia/full_node/full_node.py	2	88.28%
chia/_tests/core/util/test_lockfile.py	1	90.78%
chia/_tests/simulation/test_simulation.py	1	96.5%

---

Coverage Stats

Relevant Lines:	122097
Covered Lines:	111891
Line Coverage:	91.64%
Relevant Branches:	12036
Covered Branches:	10837
Branch Coverage:	90.04%
Branches in Coverage %:	Yes
Coverage Strength:	1.83 hits per line

---

💛 - Coveralls

[github-actions]

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

I'll review how packaging is declared and used in this repo, then cross-check the malware scan and upstream changes for supply-chain risk.
Verdict: benign

Summary: This is a routine Dependabot bump of the official PyPA packaging package (26.0 → 26.2). The chia-blockchain PR itself only tightens the direct constraint in pyproject.toml (packaging = ">=26.2"); there are no vendored paths, no new install scripts, and no lockfile anomalies reported in the PR scan (changed lockfiles: 0).

Checklist review

Category	Result
Classic obfuscation	Clear. No base64/eval payloads, no unexpected network exfiltration, no persistence writes. ast.literal_eval in upstream _parser.py is normal marker parsing.
Invisible Unicode / GlassWorm	Clear. Scanner’s 2 unicode hits are visible emoji (🕵️) in upstream tests for metadata parsing — not zero-width, bidi, or homoglyph attacks. 0 confusable findings. No suspicious Unicode in src/packaging/.
Dependency integrity	Clear. Legitimate upstream repo (pypa/packaging), tags 26.0/26.1/26.2 present, release commit 84a87ee is a normal “Bump for release”, and packaging has zero runtime dependencies.
Dependabot-specific	Clear. No node_modules//vendor/ changes. Workflow edits flagged by the scanner are in the upstream repo’s CI/docs, not in chia-blockchain’s PR diff.

Scanner interpretation (warn → benign): The warn status is from heuristic false positives, not IOCs:

• subprocess in src/packaging/tags.py — pre-existing, bounded macOS version probe via sys.executable -c "import platform..." (no shell, fixed command).
• .github/workflows/ touches — upstream maintainer CI only; not consumed by chia installs.
• Unicode in tests/test_metadata.py — intentional emoji test data; I do not treat this as GlassWorm.

Chia usage note (non-security): The repo imports packaging.version.Version for protocol/version checks only (chia/util/chia_version.py, full_node.py, etc.). No direct use of new 26.1 modules (dependency_groups, direct_url, etc.).

Action: Safe to merge from a supply-chain/malware perspective, assuming CI passes. No extra malware-specific follow-up required.

Compatibility Analysis

Analyzing how packaging is used in this repo and whether the 26.0→26.2 changes affect those call sites.

Compatibility analysis: packaging 26.0 → 26.2

1) Where it’s used

Direct dependency in pyproject.toml (packaging = ">=26.2"), resolved in poetry.lock to 26.2.

Direct imports — all limited to packaging.version:

Area	Files	Usage
Runtime (protocol gating)	chia/server/ws_connection.py, chia/full_node/full_node.py, chia/farmer/farmer_api.py, chia/wallet/wallet_node.py	Parse/compare peer protocol_version (<, <=, >, ==)
Version formatting	chia/util/chia_version.py	Version, InvalidVersion; reads .major/.minor/.micro/.pre
GUI/install tooling	installhelper.py, chia/cmds/dev/installers.py	Parse Chia/plotter versions; semver conversion via .release/.pre/.dev/.local
Tests	chia/_tests/util/test_chia_version.py, test_server.py, test_full_node.py	Version parsing/comparison coverage

No direct use of specifiers, markers, requirements, tags, metadata, dependency_groups, _structures, or pickling Version objects in application code.

Transitive use via pip, setuptools, pytest, build, pyinstaller (all declare packaging>=20–24); Chia does not call those APIs directly.

---

2) Intersection with upstream changes

Changed area (26.0→26.2)	Chia overlap
Version internals, pickle support, _structures shim	Low — uses public Version/InvalidVersion API only; no pickling
Specifier behavior fixes (<V.postN, >V)	None — no Specifier/SpecifierSet usage
New modules (dependency_groups, direct_url, errors, etc.)	None
Wheel/tag/Emscripten changes	None — not a wheel consumer at runtime
Local version ASCII restriction (26.1)	None — Chia versions are ASCII (e.g. 1.8.2+og-1.4.0)
ExceptionGroup re-export	None

Chia’s usage sits on the stable, unchanged surface: construct Version(str), compare, read standard attributes. Existing tests in test_chia_version.py cover the non-trivial version strings Chia actually parses.

---

3) Risks / unknowns

• 26.1 skipped in practice: This bump spans 26.1 as well (large internal Version refactor). Risk is mitigated by Chia’s narrow API usage and existing version tests, but protocol-version gate behavior is the one place worth CI confirmation.
• Transitive resolver behavior: Pip/setuptools may see stricter specifier semantics in 26.1+; unlikely to affect Chia’s direct pin, but could subtly change optional-extra resolution — monitor CI lock/install step only.
• Malware scan: warn from benign upstream patterns (test unicode, subprocess in tags.py for platform detection). Not a supply-chain blocker.

---

4) Recommendation: merge

Low-risk dependency bump. Chia uses only packaging.version for PEP 440 parsing and comparison; upstream changes are mostly fixes, additive APIs, and internals Chia does not touch. test_chia_version.py plus protocol/server tests are sufficient validation; no code changes required.

---

Malware Scan Summary

• Status: warn
• Warn only mode: true
• Changed upstream files scanned: 87
• Resolution strategy: tag_range
• Changed node/vendor paths: 0
• Changed lockfiles: 0
• Resolved upstream range: 3b77a26f5a27473ad3b08194d773f325d018a2d0..84a87ee42483d7352f9502d78a9553da8859aa7a
• Resolved refs: from=3b77a26f5a27473ad3b08194d773f325d018a2d0 to=84a87ee42483d7352f9502d78a9553da8859aa7a
• Unicode findings (post-allowlist): 2
• Confusable findings (post-allowlist): 0
• IOC findings (post-allowlist): 0
• Heuristic findings (post-allowlist): 26

Top findings

• tests/test_metadata.py:1083 unicode :: ("Foo", "🕵️"),
• tests/test_metadata.py:1085 unicode :: "Foo: 🕵️\n",
• tests/test_tags.py:8 shell_process_spawn :: import subprocess
• tests/test_tags.py:351 shell_process_spawn :: subprocess,
• tests/test_tags.py:353 shell_process_spawn :: lambda *args, **kwargs: subprocess.CompletedProcess(
• tasks/check_frozen_revs.py:49 shell_process_spawn :: stdout=asyncio.subprocess.PIPE,
• tasks/check_frozen_revs.py:50 shell_process_spawn :: stderr=asyncio.subprocess.DEVNULL,
• tests/test_musllinux.py:4 shell_process_spawn :: import subprocess
• tests/test_musllinux.py:82 shell_process_spawn :: monkeypatch.setattr(_musllinux.subprocess, "run", run_recorder) # type: ignore[attr-defined]
• tests/test_musllinux.py:91 shell_process_spawn :: stderr=subprocess.PIPE,
• src/packaging/tags.py:12 shell_process_spawn :: import subprocess
• src/packaging/tags.py:605 shell_process_spawn :: version_str = subprocess.run(
• src/packaging/tags.py:614 shell_process_spawn :: stdout=subprocess.PIPE,
• noxfile.py:15 shell_process_spawn :: import subprocess
• noxfile.py:311 shell_process_spawn :: result = subprocess.run(
• noxfile.py:462 shell_process_spawn :: result = subprocess.run(
• noxfile.py:471 shell_process_spawn :: result = subprocess.run(
• noxfile.py:481 shell_process_spawn :: result = subprocess.run(
• noxfile.py:492 shell_process_spawn :: result = subprocess.run(
• noxfile.py:515 shell_process_spawn :: subprocess.run(["git", "add", str(file)], check=False)