
chore: min age for dependencies#1218

Merged
leonardmq merged 2 commits into
mainfrom
leonard/kil-513-chore-min-age-for-deps
May 12, 2026

Conversation

@leonardmq
Collaborator

@leonardmq leonardmq commented Apr 4, 2026

What does this PR do?

Add exclude-newer in pyproject.toml files so that uv add installs dependencies not newer than a certain age (7 days) to decrease the risk of installing attacked deps.

Also added min-release-age to do the same for npm i - the flag is relatively recent in npm, so you need npm >= 11.x. Update your npm with npm install -g npm@latest.

You also need to run uv sync.

Checklists

  • Tests have been run locally and passed
  • New tests have been added to any work in /lib
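The description above configures a release-age gate (`exclude-newer = "7 days"` for uv, `min-release-age=7` for npm) without showing what the resolver actually does with it. The following is an added Python example, not code from the Kiln project or from this PR, that models that filtering step: given a package's release history with upload timestamps, it drops every version whose first upload is younger than the window and lets the resolver pick the newest of what remains. The release data and the "now" are constructed for the example, the function names are hypothetical, and uv's and npm's own implementations are not shown here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real package metadata): release history for a
# hypothetical package, shaped like the "releases" map of PyPI's JSON API, where
# each version lists its uploaded files with an ISO-8601 upload time.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2026-03-01T12:00:00Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2026-03-20T09:30:00Z"}],
    "1.2.0": [{"upload_time_iso_8601": "2026-04-02T18:45:00Z"}],
    "1.2.1": [{"upload_time_iso_8601": "2026-04-04T01:00:00Z"}],
}

# Fixed "now" so the example is deterministic (the date this PR was opened).
NOW = datetime(2026, 4, 4, 6, 0, tzinfo=timezone.utc)

# The window the PR configures: exclude-newer = "7 days" / min-release-age=7.
MIN_AGE_DAYS = 7


def parse_iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Order dotted numeric versions numerically, not lexically ("1.10" > "1.9")."""
    return tuple(int(part) for part in version.split("."))


def first_upload(files: list) -> datetime:
    """A version becomes installable when its first file lands on the index,
    so its age is measured from the earliest upload, not the latest one."""
    return min(parse_iso(f["upload_time_iso_8601"]) for f in files)


def eligible_versions(releases: dict, now: datetime = NOW,
                      min_age_days: int = MIN_AGE_DAYS) -> list:
    """Versions whose first upload is at least `min_age_days` old, oldest first."""
    cutoff = now - timedelta(days=min_age_days)
    mature = [v for v, files in releases.items() if first_upload(files) <= cutoff]
    return sorted(mature, key=version_key)


def excluded_versions(releases: dict, now: datetime = NOW,
                      min_age_days: int = MIN_AGE_DAYS) -> list:
    """Versions the age gate holds back (the complement of eligible_versions)."""
    keep = set(eligible_versions(releases, now, min_age_days))
    return sorted((v for v in releases if v not in keep), key=version_key)


def pick_newest_mature(releases: dict, now: datetime = NOW,
                       min_age_days: int = MIN_AGE_DAYS):
    """What a resolver with the age gate selects: the newest eligible version,
    or None when no version has been public long enough yet."""
    eligible = eligible_versions(releases, now, min_age_days)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    print("no age gate :", pick_newest_mature(SAMPLE_RELEASES, min_age_days=0))
    print("7-day gate  :", pick_newest_mature(SAMPLE_RELEASES))
    print("held back   :", excluded_versions(SAMPLE_RELEASES))
```

With the sample data, an ungated resolve takes 1.2.1 (uploaded hours earlier), while the 7-day gate settles on 1.1.0 and holds back 1.2.0 and 1.2.1 until they have been public for a week. The gate only buys time for a compromised release to be noticed and yanked; it is not a signature or provenance check, and it is only as good as the index's upload timestamps, which is why the window applies to the first upload rather than the newest file of a version.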

@coderabbitai
Contributor

coderabbitai Bot commented Apr 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: dbc71955-83c3-4d6e-b13d-a9e1f083d26f

📥 Commits

Reviewing files that changed from the base of the PR and between f6c4273 and ad3a042.

⛔ Files ignored due to path filters (1)
  • app/web_ui/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • app/desktop/pyproject.toml
  • app/web_ui/.npmrc
🚧 Files skipped from review as they are similar to previous changes (2)
  • app/web_ui/.npmrc
  • app/desktop/pyproject.toml

Walkthrough

The PR adds version-age constraints to dependency resolution across the codebase: exclude-newer = "7 days" for uv in four Python project files and the root configuration, and min-release-age=7 for npm in the web UI configuration, ensuring only mature releases are considered during package installation and updates.

Changes

Dependency Version Constraints

Layer / File(s) | Summary
Python uv tooling configuration: pyproject.toml, app/desktop/pyproject.toml, libs/core/pyproject.toml, libs/server/pyproject.toml | Four Python project files receive [tool.uv] configuration with exclude-newer = "7 days", constraining uv to select only dependency versions released at least 7 days prior during resolution.
Node/npm tooling configuration: app/web_ui/.npmrc | The web UI .npmrc file adds min-release-age=7 alongside existing engine enforcement, applying an equivalent 7-day release-age constraint for npm dependency resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Kiln-AI/Kiln#734: Modifies app/web_ui/.npmrc configuration entries for npm behavior.
  • Kiln-AI/Kiln#1104: Related uv tooling configuration and usage adjustments across CI and build processes.

Suggested reviewers

  • sfierro
  • chiang-daniel

Poem

🐰 Seven days of wisdom we now require,
No packages fresh from the release wire,
Stable versions in our nest we place,
Dependencies mature at every pace,
Constraints aligned from Python to Node's embrace!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly summarizes the main change: adding minimum age constraints for dependencies across uv and npm configurations.
Description check | ✅ Passed | The PR description covers the main changes and rationale, but is missing the 'Related Issues' section and has incomplete checkboxes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.




@leonardmq leonardmq marked this pull request as draft April 4, 2026 05:14
@leonardmq
Collaborator Author

Not ideal - it updated all the existing dependencies

@github-actions

github-actions Bot commented Apr 4, 2026

📊 Coverage Report

Overall Coverage: 92%

Diff: origin/main...HEAD

No lines with coverage information in this diff.


Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements dependency age constraints by adding exclude-newer to uv configurations and min-release-age to npm settings. It also removes peer dependency flags from package-lock.json and adjusts the asyncio fixture scope in pytest.ini. Feedback indicates that the npm min-release-age value is incorrectly set to 7 seconds instead of 7 days, and the [tool.uv] settings in workspace member files are redundant as they are inherited from the root configuration.

Comment thread app/web_ui/.npmrc
Comment thread app/desktop/pyproject.toml Outdated
Comment thread libs/core/pyproject.toml
Comment thread libs/server/pyproject.toml
@leonardmq leonardmq force-pushed the leonard/kil-513-chore-min-age-for-deps branch from 6dc43a4 to ad3a042 Compare May 12, 2026 08:18
@leonardmq leonardmq marked this pull request as ready for review May 12, 2026 08:21
"resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
"integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
"license": "MIT",
"peer": true,
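Review bot: the `"peer": true` toggle on the @babel/core entry in package-lock.json is unrelated to the release-age change and, as the thread notes, keeps flipping; since this PR already requires npm >= 11.x, regenerate the lockfile once with that npm version (or drop this hunk) so the flag stops churning between contributors running different npm releases, and the lockfile diff stays limited to the dependency-age change the PR is about.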
Contributor


this thing comes and goes

@leonardmq leonardmq merged commit deafed0 into main May 12, 2026
22 checks passed