Skip to content

Loosen dependency constraints to researched minimum versions#7

Merged
onefloid merged 1 commit into
mainfrom
claude/claude-md-docs-746tnm
Jul 5, 2026
Merged

Loosen dependency constraints to researched minimum versions#7
onefloid merged 1 commit into
mainfrom
claude/claude-md-docs-746tnm

Conversation

@onefloid

@onefloid onefloid commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

  • Replace Poetry caret ranges (^) in pyproject.toml and exact pins (==) in requirements.txt with flexible lower-bound constraints (>=), so patch/minor/major updates aren't blocked.
  • Minimum versions were verified against actual API usage in the codebase rather than just relaxing the previously pinned version:
    • TM1py >=2.0.4tm1.sessions.get_threads_for_current() (used by the threads command) was only introduced in TM1py 2.0; 2.0.4 also fixes an uncaught-exception-on-logout bug in TM1Service.__exit__ that the with TM1Service(...) as tm1: pattern used throughout the codebase relies on.
    • typer >=0.9.3Annotated-based Option/Argument declarations (used throughout tm1cli) were introduced in typer 0.9.0, but 0.9.0–0.9.2 have a bug evaluating annotations specifically on Python 3.10, which is this project's minimum supported Python version.
    • pyyaml >=5.4yaml.FullLoader (used in tm1yaml.py to load process dumps) exists since 5.1, but 5.4 is the first release without the arbitrary-code-execution issue (CVE-2020-14343), relevant since process load deserializes user-supplied YAML files.
  • Dev-only tools (isort, pytest, pylint, pytest-mock) and transitive packages in requirements.txt keep their previously pinned version as the floor, since they aren't part of the published package's API surface.
  • poetry.lock was refreshed to match the new constraints; it resolves to the same previously locked versions since Poetry keeps existing compatible versions rather than force-upgrading.

Test plan

  • Ran the mocked command test suite (pytest tests/test_cmd_cubes.py tests/test_cmd_dimension.py tests/test_cmd_subset.py tests/test_cmd_view.py) against a fresh install resolving to the latest available dependency versions (TM1py 2.3.1, typer 0.26.8, pyyaml 6.0.3, rich 15.0.0) — all 13 tests pass.
  • Ran pylint against tm1cli/**/*.py with the same fresh install — 10.00/10.
  • Manually exercised the CLI (--help at top level and for a subcommand) to confirm Typer still renders correctly with the newest resolvable typer version.

Generated by Claude Code

Replace Poetry caret ranges (^) and requirements.txt exact pins (==)
with flexible lower-bound constraints (>=) so patch/minor/major
updates aren't blocked. Minimum versions were verified against actual
API usage rather than just relaxing the previously pinned version:

- TM1py >=2.0.4: tm1.sessions.get_threads_for_current() (used by the
  `threads` command) was only introduced in TM1py 2.0; 2.0.4 also
  fixes an uncaught-exception-on-logout bug in TM1Service.__exit__
  that the `with TM1Service(...) as tm1:` pattern relies on.
- typer >=0.9.3: Annotated-based Option/Argument declarations (used
  throughout tm1cli) were introduced in typer 0.9.0, but 0.9.0-0.9.2
  have a bug evaluating annotations on Python 3.10 specifically,
  which is this project's minimum supported Python version.
- pyyaml >=5.4: yaml.FullLoader (used in tm1yaml.py to load process
  dumps) exists since 5.1, but 5.4 is the first release without the
  arbitrary-code-execution issue (CVE-2020-14343) relevant since
  `process load` deserializes user-supplied YAML files.

Dev-only tools (isort, pytest, pylint, pytest-mock) and transitive
packages in requirements.txt keep their previously pinned version as
the floor, since they aren't part of the published package's API
surface and don't warrant the same investigation.

Verified the mocked test suite, pylint, and the CLI itself against a
fresh install resolving to the latest available versions of every
dependency (TM1py 2.3.1, typer 0.26.8, pyyaml 6.0.3, rich 15.0.0).
poetry.lock was refreshed accordingly; it still resolves to the same
previously locked versions since Poetry keeps existing compatible
versions rather than force-upgrading.
@onefloid onefloid merged commit ef9d37a into main Jul 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants