Dependency Audit: Pending Updates and UV Compliance Review #335

@Coldaine

Description

Dependency Audit Report

Date: 2025-12-31
Auditor: Automated dependency review

Summary

This audit reviews dependency freshness, Dependabot PR status, and UV compliance for the ColdVox repository.

1. Dependabot PRs

Open PRs

Recent Activity

Finding: Active Dependabot configuration with regular dependency updates. One pending PR requires attention due to a major version bump.

2. UV Compliance

Compliant

pyproject.toml: Properly configured with UV-compatible format
uv.lock: Lock file present and up-to-date (73 packages resolved)
No pip/venv violations: No Pipfile, .venv, or active pip usage detected

Edge Case

⚠️ requirements.txt: File exists but is intentionally empty (contains only comments)

  • Content: "No external dependencies currently required for docs validation scripts"
  • Usage: Scripts use Python stdlib only
  • Verdict: Compliant (no actual pip dependencies listed)

Finding: Repository is fully UV-compliant. Python dependencies managed via pyproject.toml + uv.lock.
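The three checks above (UV files present, no pip/venv artifacts, comment-only requirements.txt tolerated) can be automated offline. The script below is an added example, not ColdVox's own tooling; the directory layout built by `demo()` is constructed here to mirror the audit's edge case, and the pyproject/uv.lock contents it writes are placeholders.

```python
"""Offline UV-compliance check mirroring the rules used in the audit above.

Added example, not ColdVox's own tooling. Rules encoded: pyproject.toml and
uv.lock must exist; Pipfile, Pipfile.lock and .venv must not; requirements.txt
is tolerated only when it contains no effective requirement lines (comments,
blank lines and pip option lines such as -r/--index-url do not count).
The sample repository layout built by demo() is constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# pip treats '#' as a comment start only at line start or after whitespace,
# so a '#sha256=...' fragment inside a URL requirement is preserved.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")


def effective_requirements(text: str) -> list[str]:
    """Return the requirement lines of a requirements.txt, ignoring
    comments, blank lines and pip option lines."""
    found: list[str] = []
    for raw in text.splitlines():
        line = _COMMENT_RE.sub("", raw).strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option like "-r base.txt"
        found.append(line)
    return found


def audit_uv_compliance(repo: Path) -> dict[str, object]:
    """Apply the UV rules to a checkout and return structured findings."""
    violations: list[str] = []
    warnings: list[str] = []
    for required in ("pyproject.toml", "uv.lock"):
        if not (repo / required).is_file():
            violations.append(f"{required} missing")
    for forbidden in ("Pipfile", "Pipfile.lock", ".venv"):
        if (repo / forbidden).exists():
            violations.append(f"{forbidden} present")
    req = repo / "requirements.txt"
    if req.is_file():
        deps = effective_requirements(req.read_text(encoding="utf-8"))
        if deps:
            violations.append(f"requirements.txt lists {len(deps)} requirement(s): {deps}")
        else:
            warnings.append("requirements.txt is comment-only; remove it to avoid confusion")
    return {"compliant": not violations, "violations": violations, "warnings": warnings}


def demo(extra_files: dict[str, str] | None = None) -> dict[str, object]:
    """Build a constructed checkout in a temp dir and audit it.

    The default layout mirrors the audit's edge case: UV files present and a
    requirements.txt that holds only a comment. `extra_files` maps relative
    path -> content and lets callers add a Pipfile or real requirements.
    """
    files = {
        "pyproject.toml": '[project]\nname = "docs-tools"\nversion = "0.1.0"\n',
        "uv.lock": "version = 1\n",
        "requirements.txt": "# No external dependencies currently required for docs validation scripts\n",
    }
    files.update(extra_files or {})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content, encoding="utf-8")
        return audit_uv_compliance(root)


if __name__ == "__main__":
    print(demo())
```

Running `audit_uv_compliance(Path("."))` from a checkout gives the same verdict as the audit: a comment-only requirements.txt is a warning, not a violation, while a Pipfile, a committed `.venv`, or a requirements.txt with real pins fails the check.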

3. Dependency Version Freshness

Rust Dependencies (Cargo)

Current State: Generally fresh, with active Dependabot monitoring

Python Dependencies (UV)

Resolved: 73 packages via UV

  • librosa v0.11.0 (latest: 0.11.0) ✅
  • torch >=2.0.0 (flexible constraint) ✅
  • transformers >=4.35.0 (flexible constraint) ✅
  • Transitive dependencies managed by UV (e.g., numpy 2.3.5)

Finding: Python dependencies are fresh and appropriately versioned. UV lock file ensures reproducible builds.

4. Recommendations

High Priority

  1. Review PR chore(deps): bump the rust-dependencies group across 1 directory with 6 updates #333 - Test rubato 1.0.0 migration before merging
    • Breaking changes: New AudioAdapter API, merged resampler types
    • File: crates/coldvox-audio/src/resampler.rs likely affected

Medium Priority

  1. Monitor Dependabot velocity - Currently healthy (weekly updates)
  2. Consider dependency update policy - Document tolerance for major version bumps

Low Priority

  1. Remove empty requirements.txt - Reduces confusion (not blocking, already compliant)

5. Conclusion

Status: ✅ PASS

  • UV compliance: Confirmed
  • Dependency freshness: Good (active Dependabot, recent updates)
  • Action items: 1 pending PR review (rubato major version)

Next Review: After merging PR #333 or 2026-01-31 (whichever comes first)
