molecule-core/workspace/requirements.txt
Hongming Wang 0cdbc2c4f6 chore(deps): batch dep bumps — 11 safe upgrades from 2026-04-28 dependabot wave
Consolidates 11 of the 17 open Dependabot PRs (#2215, #2217, #2219-#2225,
#2227, #2229) into one PR. Every entry is a patch / minor / floor bump
where the impact surface is small and CI carries the proof.

Same pattern as the 2026-04-15 batch.

Go (workspace-server/go.mod + go.sum, regenerated via `go mod tidy`):
  - golang.org/x/crypto                    0.49.0  → 0.50.0   (#2225)
  - github.com/golang-jwt/jwt/v5           5.2.2   → 5.3.1    (#2222)
  - github.com/gin-contrib/cors            1.7.2   → 1.7.7    (#2220)
  - github.com/docker/go-connections       0.6.0   → 0.7.0    (#2223)
  - github.com/redis/go-redis/v9           9.7.3   → 9.19.0   (#2217)

Python floor bumps (workspace/requirements.txt; current pip-resolved
versions don't change unless they happen to be below the new floor):
  - httpx                                  >=0.27  → >=0.28.1 (#2221)
  - uvicorn                                >=0.30  → >=0.46   (#2229)
  - temporalio                             >=1.7   → >=1.26   (#2227)
  - websockets                             >=12    → >=16     (#2224)
  - opentelemetry-sdk                      >=1.24  → >=1.41.1 (#2219)

GitHub Actions (SHA-pinned per existing convention):
  - dorny/paths-filter@d1c1ffe (v3) → @fbd0ab8 (v4.0.1)        (#2215)

REMOVED from this batch (lockfile platform mismatch):
  - #2231 @types/node ^22 → ^25.6   (npm install on macOS strips
    Linux-only @emnapi/* entries from package-lock.json that CI's
    `npm ci` then refuses; needs a Linux-side install to land cleanly)
  - #2230 jsdom ^25 → ^29.1          (same)

NOT included in this batch (deferred to per-PR human review):
  - #2228 github/codeql-action     v3 → v4   (CodeQL CLI alignment risk)
  - #2218 actions/setup-node       v4 → v6   (default Node version drift)
  - #2216 actions/upload-artifact  v4 → v7   (3 major versions)
  - #2214 actions/setup-python     v5 → v6   (action major)

NOT merged (CI failing on dependabot's own PR):
  - #2233 next 15 → 16
  - #2232 tailwindcss 3 → 4
  - #2226 typescript 5 → 6

Verified:
  - workspace-server: `go mod tidy && go build ./... && go test ./...` — green
  - workspace requirements.txt: floor bumps only
2026-04-28 16:25:46 -07:00

40 lines
1.4 KiB
Plaintext

# Base image — bare minimum for A2A server and adapter loading
# Agent-specific deps are in adapters/<runtime>/requirements.txt
# and installed at container startup via entrypoint.sh
# A2A protocol
# KI-009 a2a-sdk v1 migration (2026-04-24): bumped from ==0.3.25.
# v1.0 removes A2AStarletteApplication → Starlette route factory pattern.
# Rollback: pin ==0.3.25 and revert main.py + executor changes.
a2a-sdk[http-server]>=1.0.0,<2.0
# HTTP / server
httpx>=0.28.1
uvicorn>=0.46.0
starlette>=0.38.0
websockets>=16.0
# Config parsing
pyyaml>=6.0
# Shared tools framework (used by coordinator, delegation, memory, sandbox)
langchain-core>=0.3.0
# OpenTelemetry — workspace-level distributed tracing
# tools/telemetry.py gracefully degrades (noop) when these are absent,
# but they are required for actual trace export.
opentelemetry-api>=1.24.0
opentelemetry-sdk>=1.41.1
# OTLP/HTTP exporter: sends spans to any OTEL collector and to Langfuse ≥4
opentelemetry-exporter-otlp-proto-http>=1.24.0
# SQLAlchemy — used by molecule_audit ledger (EU AI Act Annex III compliance)
sqlalchemy>=2.0.0
# Temporal durable execution (optional)
# tools/temporal_workflow.py wraps task execution in Temporal workflows so
# tasks survive crashes and can resume. The module and TemporalWorkflowWrapper
# load cleanly without this package — all paths fall back to direct execution.
# Requires a running Temporal server; set TEMPORAL_HOST=<host>:7233 to enable.
temporalio>=1.26.0
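
The commit's "floor bumps only" check for this file can be done mechanically before merging a batched dependency PR. The script below is an added example, not part of the repository or the commit. Its function names are hypothetical, the "before" text is constructed from the old floors listed in the commit message, and it handles plain numeric versions only.

```python
import re

# Constructed "before"/"after" subset: old floors are from the commit message,
# new lines are copied from the file above.
OLD = """\
a2a-sdk[http-server]>=1.0.0,<2.0
httpx>=0.27
websockets>=12
temporalio>=1.7
"""
NEW = """\
a2a-sdk[http-server]>=1.0.0,<2.0
httpx>=0.28.1
websockets>=16.0
temporalio>=1.26.0
"""

def parse(text):
    reqs = {}  # normalized package name -> {operator: padded version tuple}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _extras, spec = re.match(r"([\w.-]+)(\[[^\]]*\])?(.*)$", line).groups()
        clauses = {}
        for op, ver in re.findall(r"(>=|<=|==|~=|!=|<|>)\s*(\d+(?:\.\d+)*)", spec):
            parts = [int(p) for p in ver.split(".")]
            clauses[op] = tuple((parts + [0, 0, 0])[:4])  # pad so 16 == 16.0
        reqs[re.sub(r"[-_.]+", "-", name).lower()] = clauses
    return reqs

def classify(old, new):
    # Anything other than "unchanged" or "floor-raised" needs human review.
    no_floor = lambda c: {k: v for k, v in c.items() if k != ">="}
    verdicts = {}
    for name in sorted(old.keys() | new.keys()):
        o, n = old.get(name), new.get(name)
        if o is None or n is None:
            verdicts[name] = "added" if o is None else "removed"
        elif o == n:
            verdicts[name] = "unchanged"
        elif no_floor(o) != no_floor(n) or ">=" not in o or ">=" not in n:
            verdicts[name] = "constraint-changed"
        else:
            verdicts[name] = "floor-raised" if n[">="] > o[">="] else "floor-lowered"
    return verdicts

def floor_bumps_only(old_text, new_text):
    return set(classify(parse(old_text), parse(new_text)).values()) <= {"unchanged", "floor-raised"}
```

A new package, a removed upper bound such as the `<2.0` cap on `a2a-sdk`, or a switch from `>=` to `==` makes `floor_bumps_only` return `False`, so a batch that claims floor bumps cannot also add or loosen a dependency without being flagged.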