@tisnik tisnik commented Jan 28, 2026

Description

LCORE-1108: Updated Konflux references

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1108

Summary by CodeRabbit

  • Chores
    • Updated Python package dependencies including cachetools, litellm, openai, and cryptography to newer versions.

coderabbitai bot commented Jan 28, 2026

Walkthrough

Updates three Python package versions in requirements.hashes.source.txt: cachetools (6.2.5→6.2.6), litellm (1.81.3→1.81.4), and openai (2.15.0→2.16.0) with corresponding hash values. Adds cryptography==46.0.3 override to requirements.overrides.txt.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Hashes: `requirements.hashes.source.txt` | Updated version pins and hash digests for cachetools, litellm, and openai packages (3 packages, 2 hash entries each). |
| Dependency Overrides: `requirements.overrides.txt` | Added explicit version override for cryptography==46.0.3. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title mentions 'Updated Konflux references' but the actual changes only update Python package versions and hashes with no Konflux-related modifications visible. | Update the title to accurately reflect the actual changes, such as 'Bump cachetools, litellm, openai, and add cryptography override' or provide context on how these dependency updates relate to Konflux. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.tekton/lightspeed-stack-pull-request.yaml (1)

58-62: OpenSSL development headers missing from build tooling.

Removing cryptography from binary packages forces source builds requiring Rust/cargo (present) AND OpenSSL development headers. The Containerfile installs cargo but does not explicitly include openssl-devel or equivalent. Verify the base image (UBI 9 python-312) provides libssl-devel, or add it explicitly to the dnf install command on line 21 to prevent build failures.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@requirements.overrides.txt`:
- Line 8: The change adds a cryptography pin (cryptography==46.0.3) but the PR
title ("Updated Konflux references") and commit message ("Fixed cffi") do not
match this edit; clarify intent by either (A) if you intended to pin
cryptography, update the PR title and commit message to mention the cryptography
override and consider using the newer 46.0.4 release, or (B) if you intended to
fix cffi/Konflux, revert this cryptography line and make the correct change to
the cffi/Konflux dependency instead; reference the exact token
"cryptography==46.0.3" when making or reverting the edit so reviewers can verify
the intended change.

scipy==1.16.3
aiohttp==3.13.3
aiosqlite==0.22.0
cryptography==46.0.3
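
Review bot: the pin added as the last line of this hunk, "cryptography==46.0.3", has no comment saying why the override exists, and neither do the three pins above it. Suggest a one-line "#" comment above the new entry that names the reason for the override and the condition for removing it, so the pin does not outlive its purpose.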

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify cryptography version 46.0.3 details

echo "=== Checking cryptography versions on PyPI ==="
curl -s https://pypi.org/pypi/cryptography/json | jq -r '.info | "Latest: \(.version)\nLicense: \(.license)\nHome Page: \(.home_page)"'

echo -e "\n=== Checking if version 46.0.3 exists ==="
curl -s https://pypi.org/pypi/cryptography/46.0.3/json | jq -r 'if .info then "Version exists - Released: \(.info.release_date)\nSummary: \(.info.summary)" else "Version not found" end'

echo -e "\n=== All 46.x versions available ==="
curl -s https://pypi.org/pypi/cryptography/json | jq -r '.releases | keys[] | select(startswith("46."))' | sort -V

echo -e "\n=== Recent 46.0.x versions ==="
curl -s https://pypi.org/pypi/cryptography/json | jq -r '.releases | keys[] | select(startswith("46.0."))' | sort -V | tail -5

Repository: lightspeed-core/lightspeed-stack

Length of output: 490


🏁 Script executed:

#!/bin/bash
# Get detailed info about cryptography 46.0.3 and check for security issues

echo "=== Detailed info for cryptography 46.0.3 ==="
curl -s https://pypi.org/pypi/cryptography/46.0.3/json | jq -r '.info | "Release: \(.release_date)\nAuthor: \(.author)\nRequires Python: \(.requires_python)\nClassifiers: \(.classifiers | length) items"'

echo -e "\n=== Release history for 46.0.x versions ==="
curl -s https://pypi.org/pypi/cryptography/json | jq -r '.releases | to_entries[] | select(.key | startswith("46.0.")) | .value[0] | "Version: \(.filename | split("-")[1])\n  Upload time: \(.upload_time)"' 2>/dev/null | head -40

echo -e "\n=== Checking Python version requirement ==="
curl -s https://pypi.org/pypi/cryptography/46.0.3/json | jq -r '.info.requires_python'

echo -e "\n=== Known security issues (checking changelog) ==="
curl -s https://raw.githubusercontent.com/pyca/cryptography/main/CHANGELOG.rst 2>/dev/null | head -100 || echo "Cannot fetch changelog"

Repository: lightspeed-core/lightspeed-stack

Length of output: 5891


Version 46.0.3 is valid and published. The cryptography version exists on PyPI (released 2025-10-15) and appears stable. Note that version 46.0.4 was recently released (2026-01-28) and may be worth considering.

However, there's an inconsistency in the PR metadata: the title mentions "Updated Konflux references", the commit message says "Fixed cffi", but the actual change adds a cryptography version override. Please clarify the intent of this change.


@tisnik tisnik merged commit 70f7dbe into lightspeed-core:main Jan 28, 2026
21 of 22 checks passed
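
The walkthrough above describes version pins with two hash digests each in requirements.hashes.source.txt. As an added example (not code from this PR or the project), the following checks a pip hash-pinned requirements file for entries that are not pinned with `==` or carry too few sha256 digests, which is what pip's hash-checking mode rejects. The sample file content and its digests are constructed, and `audit`, `logical_lines` and `min_hashes` are hypothetical names.

```python
import re

# Constructed sample in pip-compile --generate-hashes layout. The digests are
# placeholders, not real PyPI hashes; package versions are those named on the page.
SAMPLE = """\
cachetools==6.2.6 \\
    --hash=sha256:{a} \\
    --hash=sha256:{b}
litellm==1.81.4 \\
    --hash=sha256:{a}
openai>=2.16.0 \\
    --hash=sha256:{b}
cryptography==46.0.3
""".format(a="a" * 64, b="b" * 64)

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;\\]+)$")
DIGEST = re.compile(r"--hash=sha256:([0-9a-f]{64})(?![0-9a-f])")


def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.split(" #")[0].strip()
        if line and not line.startswith("#"):
            yield line


def audit(text, min_hashes=1):
    """Return {package: [problems]} for entries lacking an exact pin or digests."""
    findings = {}
    for line in logical_lines(text):
        spec = line.split("--hash")[0].strip()
        m = PIN.match(spec)
        name = m.group(1).lower() if m else re.split(r"[<>=!~ ]", spec)[0].lower()
        problems = []
        if not m:
            problems.append("not pinned with ==")
        digests = DIGEST.findall(line)
        if len(digests) < min_hashes:
            problems.append(f"{len(digests)} sha256 digest(s), need {min_hashes}")
        if problems:
            findings[name] = problems
    return findings
```

Calling `audit(text, min_hashes=2)` enforces the two-digests-per-package shape the walkthrough reports; that threshold is an assumption about this repository's convention, not a pip requirement.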