
Update dependencies to latest compatible versions#518

Closed
naomi-robusta wants to merge 8 commits into main from claude/fix-security-vulnerabilities-rVgju

Conversation

@naomi-robusta
Contributor

Summary

This PR updates several project dependencies to their latest compatible versions, including both direct and development dependencies.

Key Changes

  • Production dependencies:

    • pillow: 12.1.1 → 12.2.0
    • pyasn1: 0.6.2 → 0.6.3
    • pygments: 2.17.2 → 2.20.0
    • requests: 2.32.5 → 2.33.0 (with pinned constraint in pyproject.toml: >=2.33.0,<2.33.1)
  • Development dependencies:

    • black: ^23.1.0 → >=26.3.1 (major version bump)
    • pytest: ^7.2.2 → >=9.0.3 (major version bump)
    • pathspec: Added as new dependency (>=1.0.0,<1.1.0) - likely required by updated black

Notable Details

  • The requests dependency constraint in pyproject.toml was tightened from >2.32.4 to >=2.33.0,<2.33.1, ensuring a specific patch version
  • The black formatter was upgraded from v23 to v26, which is a significant update that may affect code formatting
  • Added explicit pathspec dependency to support the newer version of black
  • Poetry lockfile was regenerated with 233 additions and 165 deletions reflecting the transitive dependency changes

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa

claude added 3 commits April 26, 2026 13:36
Upgrade direct and transitive dependencies to address CVEs:
- pygments >=2.20.0  (CVE-2026-4539)
- pyasn1   >=0.6.3   (CVE-2026-30922)
- black    >=26.3.1  (CVE-2026-32274)
- pillow   >=12.2.0  (CVE-2026-40192)
- requests >=2.33.0  (CVE-2026-25645)
- pytest   >=9.0.3   (CVE-2025-71176)

Pin pillow, pyasn1, and pygments as direct dependencies in
pyproject.toml so the resolver cannot fall back to vulnerable
transitive versions.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
Remove pillow/pyasn1/pygments from pyproject.toml direct deps.
The poetry.lock still resolves to the patched versions
(pillow 12.2.0, pyasn1 0.6.3, pygments 2.20.0) without the
explicit pins, so the constraints were redundant.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
Pin to stable older patches where the latest release is < 1 month old
and an older patch still satisfies the CVE fix:

- requests: 2.33.1 (5d old) -> 2.33.0 (32d old)
- pathspec: 1.1.0 (3d old) -> 1.0.4 (3mo old) [black 26 dep]

Pillow 12.2.0, pygments 2.20.0, and pytest 9.0.3 remain at the latest
because they ARE the CVE-mandated minimums - no older patched release
exists.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
@coderabbitai

coderabbitai Bot commented Apr 26, 2026

Walkthrough

Update dev tooling and pinned dependencies: bump black constraint in pyproject and pre-commit, add a constrained pathspec entry, and update three pinned packages in requirements.txt (pillow, pyasn1, pygments).

Changes

Cohort / File(s) | Summary
  • Project metadata / dev deps (pyproject.toml): Replace black specifier ^23.1.0 with >=26.3.1; add pathspec constraint >=1.0.0,<1.1.0 with an inline comment.
  • Pinned runtime deps (requirements.txt): Bump pinned versions: pillow 12.1.1 → 12.2.0, pyasn1 0.6.2 → 0.6.3, pygments 2.17.2 → 2.20.0. No other entries changed.
  • Pre-commit hooks (.pre-commit-config.yaml): Update black hook rev from 23.1.0 to 26.3.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • arikalon1
🚥 Pre-merge checks | ✅ 5 passed
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: updating dependencies to latest compatible versions, which aligns with the changeset modifications to pyproject.toml, requirements.txt, and .pre-commit-config.yaml.
  • Description check: ✅ Passed. The description is directly related to the changeset, providing detailed information about dependency updates across production and development dependencies, explaining the rationale and impact.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Drop the upper bound; the lock still pins 2.33.0 as the resolved
version, but allow future patches without a pyproject.toml change.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (1)
pyproject.toml (1)

49-49: Adding pathspec as a direct dev dependency is redundant — it's a transitive dep of black.

black's required dependencies include click, mypy-extensions, packaging, pathspec, platformdirs, pytokens, tomli, typing-extensions, uvloop, winloop, so Poetry will already resolve a compatible pathspec version through black 26. Black 26 bumped pathspec to v1, so pinning it here only helps if you specifically need to override black's resolved version. If the goal is to keep pathspec on a specific branch (e.g., 1.0.x), that's fine, but document it; otherwise this line can be removed and let black pull it in.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Line 36: The requests dependency is pinned too tightly to exactly 2.33.0;
update the version constraint in pyproject.toml to allow patch releases (e.g.,
change the spec to a caret range like ^2.33.0 or at minimum >=2.33.0,<2.34) so
downstream consumers can receive 2.33.1+ security/bug fixes; ensure you update
the requests line and run poetry lock/install to regenerate the lockfile and
then run the test suite (check places using requests such as
robusta_krr/utils/version.py, robusta_krr/utils/intro.py, and
robusta_krr/core/runner.py) to confirm no behavior regressions.
- Around line 55-56: The pytest-asyncio version constraint is incompatible with
pytest 9; update the pyproject.toml constraint for pytest-asyncio from
">=0.21,<0.24" to ">=1.3.0" (or a later compatible release) so it supports
pytest 9.x, and also update the pinned version in requirements.txt from
pytest-asyncio==0.23.7 to pytest-asyncio==1.3.0 (or a newer compatible version)
to keep both manifests consistent.
- Line 48: The pre-commit hook for black is pinned to an older rev while
pyproject.toml specifies black = ">=26.3.1", and the [tool.black] target-version
is set to ['py39']; update .pre-commit-config.yaml's black hook rev to a
matching 26.x release (e.g., 26.3.1) so the hook uses the same major/minor
behavior as the dev dependency, and change the [tool.black] target-version
setting from ['py39'] to ['py310'] in the pyproject.toml so target-version
aligns with the project's python = ">=3.10,<=3.12.9" constraint.

In `@requirements.txt`:
- Around line 27-40: Update the pytest-asyncio constraint in pyproject.toml from
">=0.21,<0.24" to a range that allows 1.x (e.g., ">=0.21,<2") so pytest-asyncio
1.3.0+ can be selected; then regenerate your lock/requirements (e.g., run your
dependency tool: poetry lock && poetry export or pip-compile) to produce an
updated requirements.txt that pulls a pytest-asyncio compatible with pytest
9.0.3, and verify the resulting requirements.txt contains pytest-asyncio 1.3.0+.


📥 Commits

Reviewing files that changed from the base of the PR and between d53c2f4 and 09241a9.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • pyproject.toml
  • requirements.txt

claude added 2 commits April 26, 2026 14:23
Bump the black hook from 23.1.0 to 26.3.1 to match the
poetry dev dep (>=26.3.1). Without this, pre-commit and
'poetry run black' could disagree on formatting.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
Add a comment so the next reader knows the <1.1.0 cap is
intentional (keeping pathspec on the older 1.0.x line) and not
left over from debugging.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
claude added 2 commits April 27, 2026 07:53
The previous pytest-asyncio==0.23.7 capped pytest <9, so installing
from requirements.txt pulled the still-vulnerable pytest 8.4.2
(CVE-2025-71176). Pin pytest==9.0.3 explicitly and bump pytest-asyncio
to 0.23.3 (the latest in our constraint range that does NOT cap
pytest <9), matching poetry.lock. All 55 tests pass under the new
combination.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
CI broke under the wider upgrade, so narrow scope back to:
  - pygments 2.17.2 -> 2.20.0   (CVE-2026-4539)
  - pyasn1   0.6.2  -> 0.6.3    (CVE-2026-30922)
  - black    23.12.1 -> 26.3.1  (CVE-2026-32274)
  - pillow   12.1.1 -> 12.2.0   (CVE-2026-40192)

Reverted to main: requests 2.32.5, pytest 7.4.4, pytest-asyncio 0.23.8,
pluggy 1.4.0. The only forced transitive bumps are black 26.3.1's own
deps (pathspec 0.12.1 -> 1.0.4 and new pytokens 0.4.1).

55/55 tests pass under the resulting requirements.txt.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
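The commits above describe two ways a manifest can leave a vulnerable version installed: a pin that sits below the CVE-mandated floor (the minimum list in the first commit), and a patched pin that a sibling's declared cap excludes, as with pytest-asyncio 0.23.7 capping pytest below 9 (the April 27 commit). The review also asks that the pre-commit black rev satisfy the pyproject constraint and that the constraint carry a ceiling. The script below is an added example written for this page, not code from the project or from this PR: the requirements text, the post-upgrade pins and the `>=7.0.0,<9` spec attributed to pytest-asyncio are constructed from the versions quoted in this thread, and only plain N.N.N release versions are handled.

```python
"""Audit pinned manifests for two failure modes seen in this PR: a pin below a
CVE-mandated floor, and a patched pin excluded by a cap another pinned package
declares on it.  Also checks pre-commit/pyproject agreement for black.
Added example, not the project's code; handles N.N.N release versions only."""
import re

# Minimums named in the CVE commit on this branch.
CVE_FLOORS = {"pygments": "2.20.0", "pyasn1": "0.6.3", "black": "26.3.1",
              "pillow": "12.2.0", "requests": "2.33.0", "pytest": "9.0.3"}

# Constructed requirements.txt mirroring pre-upgrade versions quoted in the PR.
OLD_REQUIREMENTS = """\
pillow==12.1.1
pyasn1==0.6.2
pygments==2.17.2
requests==2.32.5
pytest==8.4.2   # the version pytest-asyncio's cap pulled in, per commit message
pytest-asyncio==0.23.7
black==23.12.1
"""
# Constructed post-upgrade pins, plus the dependency the commit message blames:
# pytest-asyncio 0.23.7 caps pytest below 9 (exact spec string is assumed).
NEW_PINS = {"pytest": "9.0.3", "pytest-asyncio": "0.23.7"}
DECLARED = {"pytest-asyncio==0.23.7": {"pytest": ">=7.0.0,<9"}}

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0, "<=": lambda c: c <= 0,
        "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}
_CLAUSE = re.compile(r"(>=|<=|==|!=|~=|>|<|\^)\s*(\d+(?:\.\d+)*)")

def parse_version(text):
    """'12.2.0' -> (12, 2, 0); release segments only."""
    return tuple(int(p) for p in text.strip().split("."))

def _cmp(a, b):
    """Three-way compare; missing trailing components count as 0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def allows(spec, version):
    """True if `version` satisfies every comma-separated clause of `spec`.
    Handles the PEP 440 comparison operators, ~= and Poetry's ^ caret."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause or clause == "*":
            continue
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if op == "^":        # ^23.1.0 == >=23.1.0,<24.0.0 (non-zero major assumed)
            lo, hi = bound, (bound[0] + 1,)
        elif op == "~=":     # ~=26.3.1 == >=26.3.1,<26.4
            lo, hi = bound, bound[:-2] + (bound[-2] + 1,)
        else:
            if not _OPS[op](_cmp(v, bound)):
                return False
            continue
        if not (_cmp(v, lo) >= 0 and _cmp(v, hi) < 0):
            return False
    return True

def has_upper_bound(spec):
    """Without a <, <=, ==, ~= or ^ clause the spec accepts any future major."""
    return any(re.match(r"(<=?|==|~=|\^)", c.strip()) for c in spec.split(","))

def parse_pins(requirements_text):
    """'name==X.Y.Z' lines -> {name: version}; comments and other forms skipped."""
    pins = {}
    for line in requirements_text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*(\d+(?:\.\d+)*)",
                         line.split("#", 1)[0].strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def below_floor(pins, floors=CVE_FLOORS):
    """Pins resolving below the mandated minimum -> {name: (pinned, floor)}."""
    return {n: (v, floors[n]) for n, v in pins.items()
            if n in floors and _cmp(parse_version(v), parse_version(floors[n])) < 0}

def cap_conflicts(pins, declared):
    """Pins excluded by a requirement another pinned package declares on them.
    `declared` maps 'pkg==ver' -> {dep: spec}, taken from pkg's metadata."""
    out = []
    for owner, deps in declared.items():
        name, ver = owner.split("==")
        if pins.get(name) != ver:
            continue
        out += [(owner, dep, pins[dep], spec) for dep, spec in deps.items()
                if dep in pins and not allows(spec, pins[dep])]
    return out

def black_alignment(pyproject_spec, precommit_rev):
    """pre-commit rev must satisfy the dev spec, and the spec needs a ceiling."""
    return {"rev_in_range": allows(pyproject_spec, precommit_rev),
            "has_upper_bound": has_upper_bound(pyproject_spec)}
```

Against the constructed input, `below_floor(parse_pins(OLD_REQUIREMENTS))` flags all six floors, `cap_conflicts(NEW_PINS, DECLARED)` reports pytest 9.0.3 as excluded by pytest-asyncio's `<9`, and `black_alignment(">=26.3.1", "23.1.0")` reports both an out-of-range pre-commit rev and a missing ceiling. In CI the same functions take the real requirements.txt text and the `Requires-Dist` caps read from the lock file or `pip show`; they return plain dicts and lists so a non-empty result can fail the job.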

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between 2d24c50 and ad90643.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • pyproject.toml
  • requirements.txt
✅ Files skipped from review due to trivial changes (1)
  • requirements.txt

Comment thread pyproject.toml
[tool.poetry.group.dev.dependencies]
mypy = "^1.18.2"
black = "^23.1.0"
black = ">=26.3.1"
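Review bot: `black = ">=26.3.1"` drops the ceiling that the replaced `^23.1.0` carried implicitly (Poetry's caret reads as `>=23.1.0,<24.0.0`), so this line raises the floor but leaves the upper side open, and `poetry update` can pull the next major Black release while `.pre-commit-config.yaml` stays on rev 26.3.1. Keep the shape of the old spec, e.g. `black = ">=26.3.1,<27"`, so the two formatters cannot drift apart.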

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

black release notes 26.x stable style annual formatting changes

💡 Result:

Black's 26.x stable releases introduce the 2026 stable style in 26.1.0, with annual formatting changes stabilized per Black's stability policy (major style updates in the first release of the year). Subsequent 26.x releases (26.3.0, 26.3.1) include bug fixes to the stable style without major formatting changes.

Key 2026 stable style changes from 26.1.0:
  • Always force one blank line after import statements (except before comments/imports) (#4489)
  • Fix # fmt: skip on one-liners like def foo: return "mock" # fmt: skip (#4800)
  • Fix module docstrings treated as normal strings if preceded by comments (#4764)
  • Fix type expansions splitting in generic functions (#4777)
  • More compact multiline string expressions (#1879)
  • Normalize \r newlines (#4710)
  • Remove parens around multiple except types without 'as' (#4720)
  • Remove unnecessary parens from assignment LHS, preserving trailing commas (#4865)
  • Standardize type comments to # type: (value) (#4645)
  • Regenerate width table with Khmer support (#4253)

26.3.0 stable style fixes:
  • Fix non-UTF-8 corruption (#4964)
  • Fix crash on lambda default arg comments (#4993)
  • Preserve parens for # type: ignore merging (#4888)

26.3.1 stable style fix:
  • Fix Jupyter magic masking (#5038)

Official sources: Black docs change log, GitHub releases for 26.1.0/26.3.0/26.3.1.


Add an upper bound to the black constraint to avoid surprise reformats.

black = ">=26.3.1" is open-ended. Black introduces a new "stable style" annually (the 2026 stable style landed in 26.1.0 with multiple formatting changes), so a future install picking up black 27.x/28.x will silently reformat the codebase and diverge from CI/pre-commit (which is pinned to rev: 26.3.1). Bound the upper end to keep the dev formatter aligned with pre-commit:

♻️ Suggested change
-black = ">=26.3.1"
+black = ">=26.3.1,<27"

(or ~=26.3.1 if you prefer compatible release semantics.)


Comment thread pyproject.toml
Comment on lines +49 to +50
# pinned <1.1.0 to keep pathspec on the long-stable 1.0.x line (black requires >=1.0.0)
pathspec = ">=1.0.0,<1.1.0"
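Review bot: the comment on line 49 gives "the long-stable 1.0.x line" as the reason for the `<1.1.0` cap, but the commit on this branch that introduced the cap gives a different one: pathspec 1.1.0 was three days old and 1.0.4 already satisfied black 26. Put that reason in the comment and say when the cap can be lifted, because a cap on a transitive whose parent (`black = ">=26.3.1"`) has no ceiling will fail to resolve the first time a black release raises its pathspec floor, and the next reader will not know whether the cap still matters.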

⚠️ Potential issue | 🟡 Minor

Pinning a transitive of black is fragile when black itself is unbounded.

The explicit pathspec >=1.0.0,<1.1.0 is fine today (black 26.3.1 only requires pathspec >=1.0.0), but combined with the unbounded black = ">=26.3.1" above, a future black release that bumps its pathspec floor to >=1.1.0 will produce an unsolvable resolution. If you intentionally want to stay on the 1.0.x line, please pair this with a bounded black constraint (see comment on line 48) so Poetry can't pull a black version whose dependencies conflict with this pin. Otherwise, consider dropping the explicit pin and letting black's own constraint govern.
