fix: address PR #230 review feedback

Triaged comments from coderabbit, gemini-code-assist, codex, and the
ongoing snyk investigation. Three valid actionable items + one false
positive class to flag.

1. Snyk: [tool.poetry] block was incomplete — Poetry requires
   name/version/description/authors as required fields. Without them,
   snyk's poetry parser rejects the block as invalid and reports
   "pyproject.toml error Failed to detect issues" before even getting
   to dependencies. Add the required identity fields, mirroring values
   from [project] above. poetry-core 2.x prefers [project] when both
   are present, so this duplication doesn't affect builds. Verified:
   `python -m build` produces wheel + sdist correctly.

2. coderabbit: attrs missing upper bound for consistency with other
   deps. Added `<27.0.0`. attrs uses year-based major versioning, so
   this caps at the next year boundary — same pattern as other caret
   constraints. Mirrored in [tool.poetry.dependencies] shim.

3. gemini-code-assist (medium) + coderabbit (nitpick): Dockerfile
   builder stage had redundant `apt-get upgrade -y` (already done in
   base stage) and missing `--no-install-recommends`. Removed the
   redundant upgrade and added the flag. Verified: `docker build` +
   `docker run --version` both work.

4. gemini-code-assist (3x "hallucination" comments on attrs 26.1.0,
   ruff 0.15.12, uv 0.11.13): false positives. All three are real,
   current package versions (verified via PyPI / GitHub releases /
   ghcr.io image registry). Gemini's training data appears to predate
   these releases; will reply on the comments rather than change code.

5. codex requirements.txt comment was already addressed in commit
   7aa59b5 by adding `--quiet` to the export command — now generates
   clean output without the resolver status line.

293/293 tests pass. Docker image builds in ~4s. Wheel + sdist build.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: bluet

Dockerfile

@@ -48,9 +48,12 @@ FROM base AS builder
 
 WORKDIR /app
 
+# Install build deps for native Python extensions. No `apt-get upgrade`
+# here — the base stage already upgraded the system, so re-running just
+# adds time without changing state. `--no-install-recommends` keeps the
+# image tight by skipping suggested-but-not-required packages.
 RUN apt-get update && \
-    apt-get upgrade -y &&\
-    apt-get install -y gcc libc-dev libffi-dev && \
+    apt-get install -y --no-install-recommends gcc libc-dev libffi-dev && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 

pyproject.toml

@@ -18,7 +18,7 @@ requires-python = ">=3.10,<4.0"
 dependencies = [
     "aiohttp>=3.13.5,<4.0.0",
     "aiodns>=3.6.1,<4.0.0",
-    "attrs>=26.1.0",
+    "attrs>=26.1.0,<27.0.0",
     "maxminddb>=2.8.2,<3.0.0",
     "cachetools>=5.5.2,<6.0.0",
     "click>=8.3.3,<9.0.0",
@@ -87,14 +87,23 @@ dev = [
 # is read only by snyk. DELETE this whole [tool.poetry.dependencies]
 # section once snyk's PR app uses uv preview natively.
 [tool.poetry]
+# name/version/description/authors are required Poetry fields — without
+# them snyk's poetry parser rejects the [tool.poetry] block as invalid
+# and reports "pyproject.toml error Failed to detect issues". Mirror the
+# values from [project] above. poetry-core 2.x prefers [project] when
+# both are present, so this duplication doesn't affect builds.
+name = "proxybroker2"
+version = "2.0.0b3"
+description = "The New (auto rotate) Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS."
+authors = ["BlueT - Matthew Lien - 練喆明 <bluet@bluet.org>", "Denis Constverum <constverum@gmail.com>"]
 packages = [{include = "proxybroker"}]
 include = ["proxybroker/data/*.mmdb"]
 
 [tool.poetry.dependencies]
 python = "^3.10"
 aiohttp = "^3.13.5"
 aiodns = "^3.6.1"
-attrs = ">=26.1.0"
+attrs = ">=26.1.0,<27.0.0"
 maxminddb = "^2.8.2"
 cachetools = "^5.5.2"
 click = "^8.3.3"