
5104 - Initial dependency updates #5187

Open
stevenschrayer wants to merge 15 commits into main from version-bumps

@stevenschrayer stevenschrayer commented Apr 29, 2026

Description

Describe your changes and why you're making them. Please include the context, motivation, and relevant dependencies.

Resolves #5104

Updates package versions for multiple files

  • Regenerates 3 test fixtures for airflow
  • Bumps versions for:
      • aiohttp
      • protobuf
      • geopandas
      • pyasn
      • pyjwt
      • pillow
      • mako
      • requests
      • litellm

Skipped bumping:

  • urllib3 - This breaks a lot of airflow tests, and even regenerating some fixtures + bumping vcrpy left some broken
  • airflow - In light of urllib challenges and the fact that airflow is pretty foundational to airflow I deferred this
  • airflow-apache - Same as above

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

How has this been tested?

Include commands/logs/screenshots as relevant.

If making changes to dbt models, make sure they were created or updated on Staging. Please run the command uv run dbt run -s CHANGED_MODEL --target staging and uv run dbt test -s CHANGED_MODEL --target staging, then include the output in this section of the PR.

  • Used airflow tests, warehouse compile/parse, and other unit tests between updates. All tests passing.

Post-merge follow-ups

Document any actions that must be taken post-merge to deploy or otherwise implement the changes in this PR (for example, running a full refresh of some incremental model in dbt). If these actions will take more than a few hours after the merge or if they will be completed by someone other than the PR author, please create a dedicated follow-up issue and link it here to track resolution.

  • No action required
  • Actions required (specified below)

Open follow-up ticket to update versions for images, services, etc. that do not have existing tests and identify a meaningful test that things work as expected.

github-actions Bot commented Apr 29, 2026

Terraform plan in iac/cal-itp-data-infra/airflow/us

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in Deploy dbt #1827

github-actions Bot commented Apr 29, 2026

The following changes will be applied to the production Kubernetes cluster upon merge.

BE AWARE this may not reveal changes that have been manually applied to the cluster getting undone—applying manual changes to the cluster should be avoided.

No manifest changes found for prod.

github-actions Bot commented Apr 29, 2026

Terraform plan in iac/cal-itp-data-infra-staging/airflow/us

Plan: 0 to add, 2 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # google_storage_bucket_object.calitp-staging-composer-catalog will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-staging-composer-catalog" {
!~      content             = (sensitive value)
!~      crc32c              = "7vbSEg==" -> (known after apply)
!~      detect_md5hash      = "gzQlzyAjYlTGiWPOSPmt/Q==" -> "different hash"
!~      generation          = 1777921775322636 -> (known after apply)
        id                  = "calitp-staging-composer-data/warehouse/target/catalog.json"
!~      md5hash             = "gzQlzyAjYlTGiWPOSPmt/Q==" -> (known after apply)
        name                = "data/warehouse/target/catalog.json"
#        (16 unchanged attributes hidden)
    }

  # google_storage_bucket_object.calitp-staging-composer-manifest will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-staging-composer-manifest" {
!~      content             = (sensitive value)
!~      crc32c              = "ruSOBg==" -> (known after apply)
!~      detect_md5hash      = "Mw4Cul2QM1zWeUWwGhMlmw==" -> "different hash"
!~      generation          = 1777921776550660 -> (known after apply)
        id                  = "calitp-staging-composer-data/warehouse/target/manifest.json"
!~      md5hash             = "Mw4Cul2QM1zWeUWwGhMlmw==" -> (known after apply)
        name                = "data/warehouse/target/manifest.json"
#        (16 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

📝 Plan generated in Deploy dbt #1827

github-actions Bot commented Apr 29, 2026

Warehouse report: Failed to add ci-report to a comment. Review the ci-report in the Summary.

github-actions Bot commented Apr 29, 2026

The following changes will be applied to the production Kubernetes cluster upon merge.

BE AWARE this may not reveal changes that have been manually applied to the cluster getting undone—applying manual changes to the cluster should be avoided.

No manifest changes found for prod.

@stevenschrayer
Contributor Author

To spin out from this:

  • Ticket to add README on approaching security updates/validating - will basically just draw on this approach depending on feedback
  • Tickets for developing approach (and updating above) for dependencies/packages not tested in this (e.g., .iac/, gtfs-rt-archiver-v3) - just create the ticket for dependency update approach
  • Ticket + tackle some updates to allowing dependabot to potentially handle some updates on its own (need to scope this more)

@stevenschrayer
Contributor Author

per separate discussion, will also pin min version for some lockfile-only packages that dependabot flagged. more explicit than just bumping the lockfile and avoids reintroducing.

github-actions Bot commented May 5, 2026

The following changes will be applied to the production Kubernetes cluster upon merge.

BE AWARE this may not reveal changes that have been manually applied to the cluster getting undone—applying manual changes to the cluster should be avoided.

No manifest changes found for prod.

github-actions Bot commented May 5, 2026

Warehouse report 📦

DAG

Legend (in order of precedence)

| Resource type | Indicator | Resolution |
| --- | --- | --- |
| Large table-materialized model | Orange | Make the model incremental |
| Large model without partitioning or clustering | Orange | Add partitioning and/or clustering |
| View with more than one child | Yellow | Materialize as a table or incremental |
| Incremental | Light green | |
| Table | Green | |
| View | White | |

Development

Successfully merging this pull request may close these issues.

Initial dependabot updates to silence high-severity errors