
build(deps): bump types-aiofiles from 25.1.0.20251011 to 25.1.0.20260508 #20913

Merged
cmmarslender merged 1 commit into main from dependabot/pip/types-aiofiles-25.1.0.20260508 on May 22, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github on May 20, 2026

Bumps types-aiofiles from 25.1.0.20251011 to 25.1.0.20260508.

Note

Low Risk
Low risk dependency metadata update limited to optional dev typing stubs; no runtime code or production dependencies are changed.

Overview
Updates the optional dev dependency types-aiofiles to 25.1.0.20260508 in pyproject.toml.

Refreshes poetry.lock accordingly (new artifact hashes/content hash) and reflects the stub package’s updated python-versions requirement (>=3.10).

Reviewed by Cursor Bugbot for commit e57212d. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot Bot added the Changed, dependencies and python labels on May 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 20, 2026 03:28
@socket-security socket-security Bot commented May 20, 2026

Review the following changes in direct dependencies.

Diff     Package                                                Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated  pypi/types-aiofiles@25.1.0.20251011 ⏵ 25.1.0.20260508   100                     100             100       100           100

@github-actions github-actions Bot (Contributor) commented May 20, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update: checking lockfile changes, upstream typeshed diff, and malware-scan findings.
Verdict: benign

This is a routine typeshed stub refresh with no supply-chain red flags. The malware scanner’s two warnings are false positives for this package class, not evidence of compromise.

Top evidence

  1. Legitimate publisher and version: types-aiofiles on PyPI is owned by typeshed_bot for both 25.1.0.20251011 and 25.1.0.20260508. The new release exists on PyPI (uploaded 2026-05-08), is not yanked, and poetry.lock SHA256 hashes match PyPI exactly.

  2. Stubs-only, no runtime behavior — The package contains only .pyi typing stubs (dev optional extra for mypy). Upstream diff between the two published typeshed commits is benign: metadata field renames and one new annotation (wrap: _SingleDispatchCallable[Any] in threadpool/__init__.pyi). No eval/exec, network calls, install scripts, or new transitive dependencies (requires_dist: null).

  3. Scanner findings are expected false positives: ghost_version_or_missing_tag occurs because typeshed publishes dated PyPI versions from commits, not per-version git tags; the scanner could not resolve refs (resolution_strategy: unresolved, changed_files_count: 0). maintainer_drift uses an npm-maintainers heuristic that does not apply here; PyPI ownership is unchanged. Zero unicode, confusable, or IOC findings.

  4. Minimal PR scope — Changes are limited to pyproject.toml (>=25.1.0.20260508) and the corresponding poetry.lock entry. No suspicious workflow or vendor changes tied to this bump.

Actionable note: Safe to merge from a supply-chain perspective. The scanner warn status reflects heuristic limits on typeshed packages, not malicious content. Optionally run mypy in CI to catch any typing regressions from the updated stubs.

Compatibility Analysis

Analyzing how types-aiofiles is used and what changed upstream between these versions.

Compatibility & adoption analysis — types-aiofiles 25.1.0.20251011 → 25.1.0.20260508

1) Where it appears / what it types

Role                    Location
Declared                pyproject.toml — optional dev extra only (with mypy); not a runtime/production dependency
Runtime package typed   aiofiles >=24.1.0 (unchanged by this PR)

Repo usage of aiofiles (what the stubs cover):

File                                  API
chia/consensus/block_height_map.py    aiofiles.open(..., "rb" | "r+b" | "wb"): read/write/seek
chia/server/address_manager.py        aiofiles.open(..., "rb")
chia/util/files.py                    aiofiles.tempfile.NamedTemporaryFile(..., delete=False)
tools/validate_rpcs.py                aiofiles.open(..., "rb") (dev tool)
benchmarks/address_manager_store.py   aiofiles.open(..., "rb") (benchmark)

No imports of aiofiles.threadpool, aiofiles.wrap, stdin/stdout/stderr, or other submodules.

2) Upstream stub changes vs usage

Between the two published typeshed snapshots (.upstream-dependency diff 33414287a..3f74e6eba):

  1. METADATA.toml — field renames (upstream_repository -> upstream-repository, ci_platforms -> ci-platforms). No typing impact.
  2. aiofiles/threadpool/__init__.pyi — adds wrap: _SingleDispatchCallable[Any]; moves TypeAlias import from typing_extensions to typing.

No changes to aiofiles.open() overloads or aiofiles/tempfile/ stubs. Repo usage (open binary modes, NamedTemporaryFile) does not intersect with the changed surface.

3) Risks / unknowns

Area                    Risk
Runtime                 None: types-aiofiles is .pyi stubs only; production installs do not include it.
Build / CI (mypy)       Very low — no signature changes to APIs this repo calls. files.py already uses # type: ignore on tempfile usage; unlikely to regress.
Release notes           Unavailable (routine typeshed date-stamped refresh).
Malware scan warnings   ghost_version_or_missing_tag / maintainer_drift are known false positives for typeshed PyPI packages (dated versions, not npm).

Residual unknown: mypy CI has not been re-run in this review context; impact should be nil given the diff.

4) Recommendation

Merge.

Routine typeshed stub refresh with no overlap between upstream changes and repo aiofiles usage. Zero runtime risk; typing risk is negligible. Optional sanity check: confirm the mypy CI job passes on the PR branch.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-aiofiles:0 ghost_version_or_missing_tag :: 25.1.0.20260508
  • types-aiofiles:0 maintainer_drift :: 25.1.0.20251011->25.1.0.20260508

@github-actions github-actions Bot added the merge_conflict label (branch has conflicts that prevent merge to main) on May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/types-aiofiles-25.1.0.20260508 branch from cf5fd28 to 80e722c on May 20, 2026 16:52
@github-actions github-actions Bot removed the merge_conflict label on May 20, 2026
@coveralls-official coveralls-official Bot commented May 20, 2026

Coverage Report for CI Build 26259326140

Coverage decreased (-0.01%) to 91.474%

Details

  • Coverage decreased (-0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 26 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

26 previously-covered lines in 8 files lost coverage.

File                                          Lines Losing Coverage   Coverage
chia/timelord/timelord.py                     11                      73.36%
chia/data_layer/data_layer.py                 3                       85.68%
chia/server/node_discovery.py                 3                       80.34%
chia/server/server.py                         3                       85.99%
chia/full_node/full_node_api.py               2                       88.46%
chia/full_node/full_node.py                   2                       88.28%
chia/_tests/simulation/test_simulation.py     1                       96.5%
chia/wallet/wallet_node.py                    1                       87.09%

Coverage Stats

Coverage Status
Relevant Lines: 122097
Covered Lines: 111863
Line Coverage: 91.62%
Relevant Branches: 12036
Covered Branches: 10834
Branch Coverage: 90.01%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@emlowe emlowe (Contributor) commented May 20, 2026

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/pip/types-aiofiles-25.1.0.20260508 branch from 80e722c to cc13f36 on May 20, 2026 23:34
@github-actions github-actions Bot (Contributor) commented May 20, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Investigating the dependency update, lockfile changes, and upstream package metadata for supply-chain risk.
Verdict: benign

This is a routine typeshed stub refresh with no supply-chain red flags. The malware scanner’s two warn heuristics look like false positives for this package class, not evidence of compromise.

Top evidence

  1. Package identity is correct. types-aiofiles is an official typeshed stub package (PyPI owner: typeshed_bot, classifier “Typing :: Stubs Only”, Apache-2.0). It has no runtime dependencies (requires_dist: null) and is only pulled in via the dev extra for mypy.

  2. Lockfile integrity matches PyPI. poetry.lock SHA256 hashes for the wheel/tarball match PyPI exactly (c35d2be2…, d26b07bb…), and the release is not yanked.

  3. Upstream content is benign stub-only changes. Between the old and new snapshot dates, typeshed changes under stubs/aiofiles/ are limited to typing/metadata updates: METADATA key renames, import cleanup (typing vs typing_extensions), addition of wrap: _SingleDispatchCallable[Any], and formatting. No executable code, obfuscation, network calls, shell/process logic, or lifecycle scripts.

  4. Scanner findings are explainable false positives.

    • ghost_version_or_missing_tag: typeshed versions are date-stamped snapshots (25.1.0.20260508 = May 8, 2026), not per-package git tags. The version exists on PyPI and matches the lockfile.
    • maintainer_drift (npm-maintainers pattern): not applicable to Python/typeshed publishing; publisher remains typeshed_bot.
    • Unicode/confusable/IOC counts are all 0; no upstream file diff was resolved by the scanner (changed upstream files scanned: 0), but manual review of typeshed history supports the same conclusion.
  5. PR scope is appropriate. The commit only bumps types-aiofiles in pyproject.toml/poetry.lock; no workflow, vendor, or unrelated dependency graph changes.

Action: Safe to merge from a supply-chain perspective. The scanner warnings can be noted as expected noise for typeshed date-versioned stub packages.

Compatibility Analysis

Analyzing types-aiofiles usage in the repo and upstream stub changes between versions.

1) Where it’s used

Role       Location
Declared   pyproject.toml — optional dev extra only (types-aiofiles); not a runtime dependency
Runtime    aiofiles (separate package, >=24.1.0, lock has 25.1.0): chia/util/files.py (aiofiles.tempfile.NamedTemporaryFile), chia/consensus/block_height_map.py, chia/server/address_manager.py, tools/validate_rpcs.py, benchmarks/address_manager_store.py

APIs touched in app code: aiofiles.open(...) (binary/text modes) and tempfile.NamedTemporaryFile(...). No aiofiles.threadpool.wrap, aiofiles.os, or stdin/stdout stubs.

Mypy: mypy.ini.template includes chia, tools, benchmarks; the aiofiles call sites above are not in mypy-exclusions.txt.


2) Intersection with upstream stub changes

Between 25.1.0.20251011 and 25.1.0.20260508, typeshed stubs/aiofiles changes are effectively:

No changes to open() or NamedTemporaryFile() overloads that chia uses. chia/util/files.py already suppresses tempfile typing issues with # type: ignore[...].


3) Risks / unknowns

Area                        Risk
Runtime / prod installs     None — stubs ship only with [dev]; production wheels don't depend on types-aiofiles.
Runtime aiofiles behavior   Unchanged by this PR (lockfile still pins runtime aiofiles 25.1.0).
Mypy / CI                   Low — additive wrap stub should not affect existing checks; possible edge case if warn_unused_ignores fires on now-redundant ignores in files.py (unlikely). Confirm mypy job in .github/workflows/upload-pypi-source.yml passes on the PR branch.
Malware heuristics          ghost_version_or_missing_tag / maintainer_drift are expected noise for typeshed dated stub releases, not compatibility blockers.

4) Recommendation

Merge — routine typeshed snapshot aligned with runtime aiofiles 25.1.x; no usage overlap with the only substantive stub delta (threadpool.wrap). Treat green mypy CI as the only gate worth watching.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • types-aiofiles:0 ghost_version_or_missing_tag :: 25.1.0.20260508
  • types-aiofiles:0 maintainer_drift :: 25.1.0.20251011->25.1.0.20260508
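Both Cursor Dependency Analysis comments above (the one posted after the first push and the repeat after the rebase) rest on the same four checks: the poetry.lock sha256 values match what PyPI serves, the release is not yanked, requires_dist is empty, and the wheel carries only .pyi stubs, so a missing git tag for a date-stamped typeshed version is not by itself a red flag. The following is an added example, not Chia's, Dependabot's, typeshed's or Cursor's code, that runs those checks offline against a wheel, a lockfile entry and index metadata constructed in memory. The function names (review_stub_bump, build_wheel, stubs_only_offenders), the file names inside the sample wheels and the hashes derived from them are assumptions for illustration; the dict shapes follow poetry.lock's "files" list and the PyPI JSON API's "urls"/"info" blocks. A tampered variant shows what a failing check looks like.

```python
import hashlib
import io
import re
import zipfile
from datetime import date

# typeshed stub releases are date-stamped snapshots: <upstream version>.<YYYYMMDD>
TYPESHED_VERSION = re.compile(r"^(?P<upstream>\d+\.\d+\.\d+)\.(?P<snap>\d{8})$")


def parse_typeshed_version(version: str) -> tuple[str, date]:
    """'25.1.0.20260508' -> ('25.1.0', date(2026, 5, 8)). Such versions carry no
    per-version git tag, so a missing-tag heuristic alone is not evidence of tampering."""
    m = TYPESHED_VERSION.match(version)
    if m is None:
        raise ValueError(f"not a typeshed date-stamped version: {version!r}")
    s = m["snap"]
    return m["upstream"], date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def build_wheel(files: dict[str, bytes]) -> bytes:
    """Build a minimal wheel (a zip archive) in memory. Constructed sample artifact only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def lock_hashes_match_index(lock_files: list[dict], index_files: list[dict]) -> bool:
    """Every lockfile artifact must exist on the index under the same filename with an
    identical sha256 (poetry.lock 'files' entries vs the PyPI JSON 'urls' list)."""
    index = {f["filename"]: f["digests"]["sha256"] for f in index_files}
    return all(index.get(e["file"]) == e["hash"].removeprefix("sha256:") for e in lock_files)


def stubs_only_offenders(wheel_bytes: bytes) -> list[str]:
    """Names inside the wheel that are neither .pyi stubs, py.typed markers nor dist-info
    metadata. A .py module or build script is what could execute at import/install time."""
    offenders = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/") or ".dist-info/" in name:
                continue
            if name.endswith(".pyi") or name.endswith("py.typed"):
                continue
            offenders.append(name)
    return offenders


def review_stub_bump(version: str, lock_files: list[dict], index_meta: dict,
                     wheel_bytes: bytes) -> dict:
    """Combine the checks into one verdict; index_meta mimics the PyPI JSON document."""
    upstream, snap = parse_typeshed_version(version)
    offenders = stubs_only_offenders(wheel_bytes)
    checks = {
        "hashes_match": lock_hashes_match_index(lock_files, index_meta["urls"]),
        "not_yanked": not index_meta["info"].get("yanked", False),
        "no_runtime_deps": not index_meta["info"].get("requires_dist"),
        "stubs_only": not offenders,
    }
    return {"upstream": upstream, "snapshot": snap.isoformat(), "offenders": offenders,
            "checks": checks, "benign": all(checks.values())}


# Constructed scenario: hypothetical file names and contents, not the real artifacts.
STUB_FILES = {
    "aiofiles-stubs/__init__.pyi": b"from .threadpool import open as open\n",
    "aiofiles-stubs/threadpool/__init__.pyi": b"wrap: _SingleDispatchCallable[Any]\n",
    "types_aiofiles-25.1.0.20260508.dist-info/METADATA": b"Name: types-aiofiles\n",
}
GOOD_WHEEL = build_wheel(STUB_FILES)
TAMPERED_WHEEL = build_wheel({**STUB_FILES, "aiofiles-stubs/_post_install.py": b"import os\n"})
WHEEL_NAME = "types_aiofiles-25.1.0.20260508-py3-none-any.whl"
GOOD_SHA = hashlib.sha256(GOOD_WHEEL).hexdigest()
GOOD_LOCK = [{"file": WHEEL_NAME, "hash": "sha256:" + GOOD_SHA}]
GOOD_INDEX = {"info": {"requires_dist": None, "yanked": False},
              "urls": [{"filename": WHEEL_NAME, "digests": {"sha256": GOOD_SHA}}]}


def demo() -> tuple[dict, dict]:
    """Benign bump versus an index serving a wheel whose bytes no longer match the lockfile."""
    ok = review_stub_bump("25.1.0.20260508", GOOD_LOCK, GOOD_INDEX, GOOD_WHEEL)
    tampered_sha = hashlib.sha256(TAMPERED_WHEEL).hexdigest()
    tampered_index = {"info": GOOD_INDEX["info"],
                      "urls": [{"filename": WHEEL_NAME, "digests": {"sha256": tampered_sha}}]}
    bad = review_stub_bump("25.1.0.20260508", GOOD_LOCK, tampered_index, TAMPERED_WHEEL)
    return ok, bad


if __name__ == "__main__":
    good, bad = demo()
    print("benign:", good["benign"], good["checks"])
    print("tampered:", bad["benign"], bad["checks"], bad["offenders"])
```

Against a real bump the three inputs come from `poetry.lock`, `https://pypi.org/pypi/types-aiofiles/<version>/json` and the downloaded wheel; the hash comparison is what turns "the version exists on PyPI" into "the bytes the lockfile pins are the bytes the index serves", and the stubs-only walk is what justifies treating the scanner's heuristic warnings as noise rather than taking that on trust.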

@github-actions github-actions Bot added the merge_conflict label on May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/types-aiofiles-25.1.0.20260508 branch from cc13f36 to dbfaa8f on May 21, 2026 20:05
@github-actions github-actions Bot removed the merge_conflict label on May 21, 2026
@emlowe emlowe removed the Changed label on May 21, 2026
@github-actions github-actions Bot added the merge_conflict label on May 21, 2026
Bumps [types-aiofiles](https://github.com/python/typeshed) from 25.1.0.20251011 to 25.1.0.20260508.
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-aiofiles
  dependency-version: 25.1.0.20260508
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/types-aiofiles-25.1.0.20260508 branch from dbfaa8f to e57212d on May 21, 2026 23:33
@github-actions github-actions Bot removed the merge_conflict label on May 21, 2026
@cmmarslender cmmarslender merged commit 43df2fa into main May 22, 2026
635 of 638 checks passed
@cmmarslender cmmarslender deleted the dependabot/pip/types-aiofiles-25.1.0.20260508 branch May 22, 2026 03:53

Labels: dependencies, python

2 participants