Skip to content

X #1276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
tisnik wants to merge 1 commit into from
Closed

X #1276

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .tekton/lightspeed-stack-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ spec:
],
"requirements_build_files": ["requirements-build.txt"],
"binary": {
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,prompt-toolkit,propcache,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"packages": "aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,docstring-parser,durationpy,faiss-cpu,fire,frozenlist,fsspec,google-cloud-core,google-crc32c,google-resumable-media,googleapis-common-protos,grpc-google-iam-v1,h11,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,numpy,oauthlib,packaging,pandas,pillow,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pygments,python-dateutil,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,zipp,uv,pip,maturin",
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": 312
Expand Down
2 changes: 1 addition & 1 deletion .tekton/lightspeed-stack-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ spec:
],
"requirements_build_files": ["requirements-build.txt"],
"binary": {
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,prompt-toolkit,propcache,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"packages": "aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,docstring-parser,durationpy,faiss-cpu,fire,frozenlist,fsspec,google-cloud-core,google-crc32c,google-resumable-media,googleapis-common-protos,grpc-google-iam-v1,h11,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,numpy,oauthlib,packaging,pandas,pillow,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pygments,python-dateutil,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,zipp,uv,pip,maturin",
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": 312
Expand Down
1 change: 1 addition & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ dependencies = [
"pyasn1>=0.6.2",
# Used for system prompt template variable rendering
"jinja2>=3.1.0",
"cryptography==46.0.3",
]


Expand Down
139 changes: 133 additions & 6 deletions requirements-build.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,39 @@
#
calver==2025.10.20
# via trove-classifiers
certifi==2026.2.25
# via requests
cffi==2.0.0
# via cryptography
charset-normalizer==3.4.4
# via requests
coherent-licensed==0.5.2
# via importlib-metadata
dunamai==1.25.0
# via
# importlib-metadata
# jaraco-context
# jaraco-functools
# keyring
cryptography==46.0.5
# via secretstorage
cython==3.1.1
Comment on lines +21 to +23

@coderabbitai coderabbitai Bot Mar 5, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

rg -n 'cryptography' pyproject.toml requirements-build.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 313

🏁 Script executed:

fd -t f 'requirements.*wheel' .

Repository: lightspeed-core/lightspeed-stack

Length of output: 107

🏁 Script executed:

rg -n 'cryptography' requirements.hashes.wheel.txt | head -20

Repository: lightspeed-core/lightspeed-stack

Length of output: 101

Align cryptography pin with project/runtime lock inputs to avoid dependency drift.

requirements-build.txt line 21 pins cryptography==46.0.5, but pyproject.toml (line 72) and requirements.hashes.wheel.txt (line 38) both pin cryptography==46.0.3. Keep a single version across these artifacts.

Proposed alignment 
-cryptography==46.0.5
+cryptography==46.0.3
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
cryptography==46.0.5
# via secretstorage
cython==3.1.1
cryptography==46.0.3
# via secretstorage
cython==3.1.1
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 21 - 23, requirements-build.txt
currently pins cryptography==46.0.5 which diverges from the project's locked
version; update the cryptography pin in requirements-build.txt to
cryptography==46.0.3 to match pyproject.toml and requirements.hashes.wheel.txt
so all artifacts use the same version.

# via grpcio
docutils==0.22.4
# via readme-renderer
dunamai==1.26.0
# via uv-dynamic-versioning
expandvars==1.1.2
# via yarl
flit-core==3.12.0
# via
# coherent-licensed
# docutils
# id
# idna
# jeepney
# jinja2
# markdown-it-py
# mdurl
# more-itertools
# packaging
# pathspec
# wheel
Expand All @@ -24,6 +49,7 @@ hatch-fancy-pypi-readme==25.1.0
# openai
hatch-vcs==0.5.0
# via
# chardet
# filelock
# jsonschema
# termcolor
Expand All @@ -33,37 +59,83 @@ hatchling==1.26.3
# hatch-fancy-pypi-readme
# llama-stack-client
# openai
hatchling==1.28.0
hatchling==1.29.0
# via
Comment on lines +62 to 63

@coderabbitai coderabbitai Bot Mar 5, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /repo && python - <<'PY'
import re
from collections import defaultdict

fname = "requirements-build.txt"
versions = defaultdict(list)

with open(fname, "r", encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = re.match(r'^([A-Za-z0-9_.-]+)==([^\s;]+)', line.strip())
        if m:
            pkg, ver = m.group(1).lower(), m.group(2)
            versions[pkg].append((ver, i))

for pkg in sorted(versions):
    uniq = sorted({v for v, _ in versions[pkg]})
    if len(uniq) > 1:
        print(f"{pkg}: versions={uniq}, lines={[ln for _, ln in versions[pkg]]}")
PY

Repository: lightspeed-core/lightspeed-stack

Length of output: 131

🏁 Script executed:

cd /repo && sed -n '55,65p; 210,220p' requirements-build.txt | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 131

🏁 Script executed:

find . -name "requirements-build.txt" -type f

Repository: lightspeed-core/lightspeed-stack

Length of output: 100

🏁 Script executed:

python - <<'PY'
import re
from collections import defaultdict

fname = "./requirements-build.txt"
versions = defaultdict(list)

with open(fname, "r", encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = re.match(r'^([A-Za-z0-9_.-]+)==([^\s;]+)', line.strip())
        if m:
            pkg, ver = m.group(1).lower(), m.group(2)
            versions[pkg].append((ver, i))

for pkg in sorted(versions):
    uniq = sorted({v for v, _ in versions[pkg]})
    if len(uniq) > 1:
        print(f"{pkg}: versions={uniq}, lines={[ln for _, ln in versions[pkg]]}")
PY

Repository: lightspeed-core/lightspeed-stack

Length of output: 192

🏁 Script executed:

sed -n '55,65p; 210,220p' ./requirements-build.txt | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 684

Remove conflicting duplicate pins that will break package resolution.

requirements-build.txt contains multiple versions of the same packages:

  • hatchling==1.26.3 (line 57) and hatchling==1.29.0 (line 62)
  • setuptools==81.0.0 (line 214) and setuptools==82.0.0 (line 216)

Conflicting pins in the same requirements file break resolver semantics and cause unpredictable install behavior.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 62 - 63, requirements-build.txt contains
conflicting duplicate pins for the same packages; remove the older/duplicate
pins so each package is pinned only once (e.g., consolidate hatchling to a
single version and setuptools to a single version). Edit requirements-build.txt
and delete the duplicate entries for "hatchling" and "setuptools", leaving only
the intended version for each (pick the most recent/stable version you want to
enforce), and ensure there are no other duplicate pins elsewhere in the file.

# a2a-sdk
# chardet
# einops
# expandvars
# filelock
# hatch-fancy-pypi-readme
# hatch-vcs
# jsonschema
# mcp
# opentelemetry-api
# opentelemetry-exporter-otlp
# opentelemetry-exporter-otlp-proto-common
# opentelemetry-exporter-otlp-proto-grpc
# opentelemetry-exporter-otlp-proto-http
# opentelemetry-instrumentation
# opentelemetry-proto
# opentelemetry-sdk
# opentelemetry-semantic-conventions
# pydantic-settings
# pygments
# python-multipart
# starlette
# termcolor
# urllib3
# uv-dynamic-versioning
# uvicorn
# wcwidth
id==1.6.1
# via twine
idna==3.11
# via requests
jaraco-classes==3.4.0
# via keyring
jaraco-context==6.1.0
# via keyring
jaraco-functools==4.4.0
# via keyring
jeepney==0.9.0
# via
# keyring
# secretstorage
jinja2==3.1.6
# via uv-dynamic-versioning
keyring==25.7.0
# via twine
markdown-it-py==4.0.0
# via rich
markupsafe==3.0.3
# via jinja2
maturin==1.10.2
# via fastuuid
# via
# cryptography
# fastuuid
# hf-xet
# nh3
mdurl==0.1.2
# via markdown-it-py
more-itertools==10.8.0
# via
# jaraco-classes
# jaraco-functools
nh3==0.3.3
# via readme-renderer
packaging==26.0
# via
# dunamai
# google-genai
# hatchling
# setuptools-scm
# wheel
pathspec==1.0.4
# via hatchling
pdm-backend==2.4.7
# via fastapi
pkginfo==1.12.1.2
# via google-genai
pluggy==1.6.0
# via hatchling
poetry-core==2.3.1
Expand All @@ -72,6 +144,26 @@ poetry-core==2.3.1
# litellm
# rich
# tomlkit
pycparser==3.0
# via cffi
pygments==2.19.2
# via
# readme-renderer
# rich
readme-renderer==44.0
# via twine
requests-toolbelt==1.0.0
# via twine
requests==2.32.5
# via
# requests-toolbelt
# twine
rfc3986==2.0.0
# via twine
rich==14.3.3
# via twine
secretstorage==3.5.0
# via keyring
semantic-version==2.10.0
# via setuptools-rust
setuptools-rust==1.12.0
Expand All @@ -80,15 +172,28 @@ setuptools-scm==9.2.2
# via
# hatch-vcs
# importlib-metadata
# jaraco-classes
# jaraco-context
# jaraco-functools
# keyring
# llama-stack-api
# pluggy
# setuptools-rust
# tenacity
# tqdm
# twine
# urllib3
tomlkit==0.14.0
# via uv-dynamic-versioning
trove-classifiers==2026.1.14.14
# via hatchling
twine==6.2.0
# via google-genai
urllib3==2.6.3
# via
# id
# requests
# twine
uv-dynamic-versioning==0.13.0
# via
# a2a-sdk
Expand All @@ -98,23 +203,38 @@ wheel==0.46.3
# authlib
# azure-identity
# cachetools
# google-genai
# grpcio
# grpcio-status
# litellm
# pycparser
# sentence-transformers

# The following packages are considered to be unsafe in a requirements file:
setuptools==80.10.2
setuptools==81.0.0
# via charset-normalizer
setuptools==82.0.0
# via
# authlib
# azure-identity
# blobfile
# cachetools
# calver
# certifi
# cffi
# cryptography
# emoji
# google-api-core
# google-cloud-bigquery
# google-genai
# greenlet
# grpcio
# grpcio-status
# importlib-metadata
# jaraco-classes
# jaraco-context
# jaraco-functools
# keyring
# llama-stack
# llama-stack-api
# markupsafe
Expand All @@ -130,13 +250,20 @@ setuptools==80.10.2
# pycparser
# pycryptodomex
# pyjwt
# python-dotenv
# readme-renderer
# regex
# secretstorage
# semver
# sentence-transformers
# setuptools-rust
# setuptools-scm
# sse-starlette
# tenacity
# tqdm
# tree-sitter
# trl
# trove-classifiers
# twine
# websockets
# yarl
Loading
Loading