Fix Dependabot resolver and bump GitPython for security (#42)

* Fix Dependabot security updates and bump GitPython to 3.1.47+ Dependabot's uv ecosystem resolver was inferring Python 3.9 from the workspace root's requires-python, then failing because sub-packages require >=3.12. Adding .python-version=3.12 tells the resolver to use a compatible Python. Also bumps gitpython>=3.1.47 to resolve the two open security advisories (GHSA unsafe option check, command injection). * Bump codeflash-core and codeflash-python versions for release
2026-05-04 18:25:19 +00:00 · 2026-04-28 20:28:42 -05:00 · 2026-04-28 20:28:42 -05:00 · 1e8cbbede4
commit 1e8cbbede4
parent 0ad5e60523
6 changed files with 18 additions and 11 deletions
--- a/.python-version
+++ b/.python-version
@ -0,0 +1 @@
+3.12
--- a/packages/codeflash-core/changelogs/fix-dependabot-python-version.md
+++ b/packages/codeflash-core/changelogs/fix-dependabot-python-version.md
@ -0,0 +1,3 @@
+### Fixes
+
+- Bump gitpython>=3.1.47 to resolve security advisories (unsafe option check, command injection)
--- a/packages/codeflash-core/pyproject.toml
+++ b/packages/codeflash-core/pyproject.toml
@ -1,10 +1,10 @@
 [project]
 name = "codeflash-core"
-version = "0.1.0"
+version = "0.1.1.dev0"
 requires-python = ">=3.9"
 dependencies = [
    "attrs>=26.1.0",
-    "gitpython>=3.1.0",
+    "gitpython>=3.1.47",
    "posthog>=3.0.0",
    "requests>=2.32.0",
    "sentry-sdk>=2.0.0",
--- a/packages/codeflash-python/changelogs/fix-dependabot-python-version.md
+++ b/packages/codeflash-python/changelogs/fix-dependabot-python-version.md
@ -0,0 +1,3 @@
+### Fixes
+
+- Bump gitpython>=3.1.47 to resolve security advisories (unsafe option check, command injection)
--- a/packages/codeflash-python/pyproject.toml
+++ b/packages/codeflash-python/pyproject.toml
@ -1,12 +1,12 @@
 [project]
 name = "codeflash-python"
-version = "0.1.1.dev0"
+version = "0.1.2.dev0"
 requires-python = ">=3.9"
 dependencies = [
    "codeflash-core",
    "coverage[toml]>=7.0",
    "dill>=0.3",
-    "gitpython>=3.1",
+    "gitpython>=3.1.47",
    "isort>=5.0",
    "jedi>=0.19",
    "junitparser>=3.2",
--- a/uv.lock
+++ b/uv.lock
@ -602,7 +602,7 @@ requires-dist = [

 [[package]]
 name = "codeflash-core"
-version = "0.1.0"
+version = "0.1.1.dev0"
 source = { editable = "packages/codeflash-core" }
 dependencies = [
    { name = "attrs" },
@ -616,7 +616,7 @@ dependencies = [
 [package.metadata]
 requires-dist = [
    { name = "attrs", url = "https://github.com/KRRT7/attrs/releases/download/26.1.0.post1/attrs-26.1.0.post1-py3-none-any.whl" },
-    { name = "gitpython", specifier = ">=3.1.0" },
+    { name = "gitpython", specifier = ">=3.1.47" },
    { name = "platformdirs", specifier = ">=4.0.0" },
    { name = "posthog", specifier = ">=3.0.0" },
    { name = "requests", specifier = ">=2.32.0" },
@ -648,7 +648,7 @@ requires-dist = [{ name = "codeflash-core", editable = "packages/codeflash-core"

 [[package]]
 name = "codeflash-python"
-version = "0.1.1.dev0"
+version = "0.1.2.dev0"
 source = { editable = "packages/codeflash-python" }
 dependencies = [
    { name = "codeflash-core" },
@ -676,7 +676,7 @@ requires-dist = [
    { name = "coverage", extras = ["toml"], specifier = ">=7.0" },
    { name = "crosshair-tool", marker = "python_full_version < '3.15'", specifier = ">=0.0.78" },
    { name = "dill", specifier = ">=0.3" },
-    { name = "gitpython", specifier = ">=3.1" },
+    { name = "gitpython", specifier = ">=3.1.47" },
    { name = "isort", specifier = ">=5.0" },
    { name = "jedi", specifier = ">=0.19" },
    { name = "junitparser", specifier = ">=3.2" },
@ -1451,14 +1451,14 @@ wheels = [

 [[package]]
 name = "gitpython"
-version = "3.1.46"
+version = "3.1.49"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "gitdb" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/df/b5/59d16470a1f0dfe8c793f9ef56fd3826093fc52b3bd96d6b9d6c26c7e27b/gitpython-3.1.46.tar.gz", hash = "sha256:400124c7d0ef4ea03f7310ac2fbf7151e09ff97f2a3288d64a440c584a29c37f", size = 215371, upload-time = "2026-01-01T15:37:32.073Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e1/63/210aaa302d6a0a78daa67c5c15bbac2cad361722841278b0209b6da20855/gitpython-3.1.49.tar.gz", hash = "sha256:42f9399c9eb33fc581014bedd76049dfbaf6375aa2a5754575966387280315e1", size = 219367, upload-time = "2026-04-29T00:31:20.478Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6a/09/e21df6aef1e1ffc0c816f0522ddc3f6dcded766c3261813131c78a704470/gitpython-3.1.46-py3-none-any.whl", hash = "sha256:79812ed143d9d25b6d176a10bb511de0f9c67b1fa641d82097b0ab90398a2058", size = 208620, upload-time = "2026-01-01T15:37:30.574Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/6f/b842bfa6f21d6f87c57f9abf7194225e55279d96d869775e19e9f7236fc5/gitpython-3.1.49-py3-none-any.whl", hash = "sha256:024b0422d7f84d15cd794844e029ffebd4c5d42a7eb9b936b458697ef550a02c", size = 212190, upload-time = "2026-04-29T00:31:18.412Z" },
 ]

 [[package]]