build: replace poetry with uv, enforce 30-day package age limit, fix vulnerable deps #54
Co-authored-by: obrusvit <[email protected]>
- cryptography: 42.0.8 → 46.0.7 (fixes subgroup attack on SECT curves, CVE patched in 46.0.5; 46.0.7 is >30 days old, no exclusion needed)
- urllib3: 2.6.3 → 2.7.0 (fixes decompression-bomb bypass and sensitive header forwarding; 2.7.0 released 2026-05-07, added exclude-newer-package exception as security fix whitelist)
- requires-python: >=3.9 → >=3.10 (urllib3 2.7.0 requires Python >=3.10; Python 3.9 reached EOL October 2025)
Agent-Logs-Url: https://github.com/trezor/definitions/sessions/4804d083-6f1f-48d6-9909-79d47760d34f
Co-authored-by: obrusvit <[email protected]>
Pull request overview
Migrates the Python dependency tooling from Poetry to uv, introduces a 30-day supply-chain freshness policy via exclude-newer, and upgrades two vulnerable transitive deps (cryptography 42.0.8 → 46.0.7 and urllib3 to 2.7.0, the latter whitelisted as an exception to the 30-day rule). requires-python is also bumped to >=3.10 because urllib3 2.7.0 drops Python 3.9.
Changes:
- Replace `poetry.lock`/`[tool.poetry]` with `uv.lock` and a standard PEP 621 `[project]` table; mark `package = false`.
- Add `[tool.uv] exclude-newer = "30 days"` with an `exclude-newer-package` exemption for urllib3.
- Bump `cryptography>=46.0.5,<47` and `urllib3>=2.7.0,<3` to fix known CVEs; raise `requires-python` to `>=3.10`.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pyproject.toml | Rewrites project metadata for PEP 621 / uv; adds supply-chain freshness policy and bumped security-relevant deps. |
| uv.lock | New uv-generated lockfile recording the resolved dependency tree under the 30-day rule and the urllib3 exemption. |
| poetry.lock | Deleted now that uv is the source of truth for resolution. |
| [build-system] | ||
| requires = ["poetry-core>=1.0.0"] | ||
| build-backend = "poetry.core.masonry.api" | ||
| requires = ["flit_core>=3.11,<5"] | ||
| build-backend = "flit_core.buildapi" | ||
|
|
||
| [tool.uv] | ||
| package = false |
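Review bot: the `[build-system]` table is dead configuration once `package = false` is set, because uv then never invokes a build backend for this scripts-only project; the `flit_core` requirement only declares a build dependency that non-uv tools may still try to honour. Either drop the `[build-system]` table entirely or leave `package` unset so the backend declaration means something, and note in the commit message why `poetry-core` was swapped for `flit_core` rather than simply removed.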
Done in 76a6580. Removed the [build-system] section entirely — with package = false, uv never invokes the build backend so it was dead configuration. Also tightened the urllib3 exclude-newer-package exception from 2026-05-13 to 2026-05-08 (one day after the actual 2.7.0 release date) to minimise the exemption window.
| [tool.uv] | ||
| package = false | ||
| exclude-newer = "30 days" | ||
| exclude-newer-package = { urllib3 = "2026-05-13" } |
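Review bot: the `exclude-newer-package` cutoff for urllib3 (`2026-05-13`) is six days past the 2.7.0 release date of 2026-05-07 stated in the commit message, so it would also admit any urllib3 upload dated 2026-05-08 through 2026-05-12 that nobody has looked at. Set the exemption to the day after the release (`2026-05-08`) so it covers exactly the whitelisted version, and add a comment in pyproject.toml recording why the exception exists and that it can be removed once 2.7.0 is older than 30 days.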
…date
- Remove [build-system] table: package=false means uv never invokes the build backend, making flit_core a dead dependency that would break non-uv tools attempting to build this scripts-only project
- Narrow urllib3 exclude-newer-package exception from 2026-05-13 to 2026-05-08 (one day after the actual 2026-05-07 release date), minimising the whitelist window
Agent-Logs-Url: https://github.com/trezor/definitions/sessions/e686abb6-7faf-48a2-a71f-cdf8f2799f47
Co-authored-by: obrusvit <[email protected]>
Migrates the Python dependency manager from poetry to uv and adds a supply-chain safeguard that prevents installing packages released within the last 30 days. Also fixes two vulnerable dependencies discovered as a result.
Dependency manager migration
- Replaced `poetry.lock` + `[tool.poetry]` with `uv.lock` + standard PEP 621 `[project]` table
- Removed `[build-system]` section entirely — with `package = false` this is a scripts-only project and no build backend is ever invoked by uv
- `package = false` (scripts-only project)

Supply chain protection
- `exclude-newer = "30 days"` in `[tool.uv]` — uv refuses to resolve packages uploaded less than 30 days ago
- `uv.lock` records this as `exclude-newer-span = "P30D"`
- `exclude-newer-package` exemption for urllib3

Security fixes
- `cryptography` 42.0.8 → 46.0.7
- `urllib3` 2.6.3 → 2.7.0
- `urllib3 2.7.0` was released 2026-05-07 (within the 30-day window), so it is whitelisted as a security exception with the exemption date set to one day after the actual release to minimise the window
- `requires-python` bumped to `>=3.10` since `urllib3 2.7.0` dropped Python 3.9 (EOL October 2025).
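The freshness policy described above, as an added example that is not part of this PR or of uv itself: it re-implements the admission rule the PR relies on (a release is resolvable only if uploaded before its cutoff, and a per-package date like `exclude-newer-package` overrides the global 30-day cutoff) over constructed upload dates, so the effect of the chosen exemption date can be checked offline. Only the urllib3 2.7.0 release date (2026-05-07) and the two exemption dates come from the PR; the resolution date, the other upload dates and the hypothetical urllib3 2.7.1 release are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Release:
    name: str
    version: str
    uploaded: date  # date the artifact was uploaded to the package index

# Constructed sample data: only urllib3 2.7.0's date (2026-05-07) is taken from
# the PR; the other releases, their dates and the resolution date are made up.
RELEASES = [
    Release("cryptography", "46.0.7", date(2026, 3, 20)),
    Release("urllib3", "2.6.3", date(2026, 1, 15)),
    Release("urllib3", "2.7.0", date(2026, 5, 7)),
    Release("urllib3", "2.7.1", date(2026, 5, 20)),  # hypothetical newer upload
]
RESOLUTION_DATE = date(2026, 5, 25)  # "today" for the 30-day window (assumed)
ORIGINAL_EXEMPTION = {"urllib3": date(2026, 5, 13)}  # first revision of the PR
NARROWED_EXEMPTION = {"urllib3": date(2026, 5, 8)}   # after review: release + 1 day
LOOSE_EXEMPTION = {"urllib3": date(2026, 5, 21)}     # hypothetical, too wide

def cutoff_for(name, today, span_days=30, per_package=None):
    """Upload cutoff for one package: the per-package date (the analogue of
    exclude-newer-package) replaces the global 'today minus span' cutoff."""
    return (per_package or {}).get(name, today - timedelta(days=span_days))

def is_admitted(rel, today, span_days=30, per_package=None):
    """A release may be resolved only if it was uploaded before its cutoff."""
    return rel.uploaded < cutoff_for(rel.name, today, span_days, per_package)

def newest_admitted(releases, today, span_days=30, per_package=None):
    """Newest admitted version per package, i.e. what a resolver could pick."""
    best = {}
    for rel in releases:
        if not is_admitted(rel, today, span_days, per_package):
            continue
        key = tuple(int(p) for p in rel.version.split("."))  # fine for X.Y.Z samples
        if rel.name not in best or key > best[rel.name][0]:
            best[rel.name] = (key, rel.version)
    return {name: ver for name, (_, ver) in best.items()}

if __name__ == "__main__":
    for label, exempt in [("no exemption", None), ("original", ORIGINAL_EXEMPTION),
                          ("narrowed", NARROWED_EXEMPTION), ("loose", LOOSE_EXEMPTION)]:
        print(f"{label:13s} -> {newest_admitted(RELEASES, RESOLUTION_DATE, per_package=exempt)}")
```

Without the exemption the 30-day rule pins urllib3 at 2.6.3 (the vulnerable version); both the original and the narrowed exemption admit exactly 2.7.0, while a cutoff set well past the release would also admit the hypothetical 2.7.1 nobody reviewed.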