
Conversation


@tisnik tisnik commented Dec 2, 2025

Description

LCORE-858: Regenerated requirements files

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-858

Summary by CodeRabbit

  • Chores
    • Updated package dependencies for improved compatibility, security, and stability across the application stack.



coderabbitai bot commented Dec 2, 2025

Walkthrough

Updated multiple dependency versions in the requirements.aarch64.txt file. Changes include version increments for anyio, fonttools, fastapi, litellm, pydantic, rpds-py, and related pydantic packages, with corresponding hash updates. One dependency (grpcio) was downgraded from 1.76.0 to 1.67.1.

Changes

Cohort / File(s): Dependency version updates (requirements.aarch64.txt)
Summary: Updated package versions: anyio (4.11.0→4.12.0), fonttools (4.60.1→4.61.0), grpcio (1.76.0→1.67.1, downgraded), fastapi (0.122.0→0.123.4), litellm (1.80.5→1.80.7), pydantic (2.12.4→2.12.5), rpds-py (0.29.0→0.30.0), and related pydantic dependency sections; updated corresponding package hashes throughout.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Homogeneous changes following a consistent pattern (version + hash updates repeated across multiple packages)
  • Configuration file modification with no logic or functional impact
  • Note: Special attention to the grpcio downgrade from 1.76.0 to 1.67.1 to confirm intentionality and compatibility

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title 'LCORE-858: Regenerated requirements files' clearly and specifically describes the main change—regenerating dependency requirements files. It is concise, directly related to the changeset, and provides meaningful context about the primary modification.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
requirements.aarch64.txt (2)

1418-1419: litellm → 1.80.7: check provider config compatibility.

Minor bump; verify no breaking renames/flags in providers used by lightspeed-stack. Suggest running smoke tests for chat/completions and embeddings.


1-20: General: uv-compiled lockfile looks consistent.

Hashes present; aarch64 + CPython 3.12 target preserved. Consider running “pip check” in CI matrix for aarch64 images.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c07604a and 74f12cc.

📒 Files selected for processing (1)
  • requirements.aarch64.txt (7 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-18T10:57:39.266Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:59-59
Timestamp: 2025-08-18T10:57:39.266Z
Learning: In the lightspeed-stack project, transitive dependencies like faiss-cpu are intentionally pinned as top-level dependencies to maintain better control over the dependency graph and avoid version conflicts when bundling ML/LLM tooling packages.

Applied to files:

  • requirements.aarch64.txt
📚 Learning: 2025-08-18T10:58:14.951Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:47-47
Timestamp: 2025-08-18T10:58:14.951Z
Learning: psycopg2-binary is required by some llama-stack providers in the lightspeed-stack project, so it cannot be replaced with psycopg v3 or moved to optional dependencies without breaking llama-stack functionality.

Applied to files:

  • requirements.aarch64.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: e2e_tests (ci)
  • GitHub Check: e2e_tests (azure)
🔇 Additional comments (8)
requirements.aarch64.txt (8)

157-159: anyio bump to 4.12.0 looks fine.

Compatible with httpx 0.28.x and Starlette 0.50.0; no known breaking changes in this minor bump.
If you want to double‑check, run the verification script below (includes requires_dist checks for peers).


767-817: fonttools → 4.61.0 OK.

Used via matplotlib; patch/minor-level changes are usually safe. No action.


2643-2644: pydantic → 2.12.5 OK.

Patch release; compatible with pydantic-core 2.41.5 and pydantic-settings 2.12.0. No action.


3058-3174: rpds-py → 0.30.0: confirm runtime match with Pydantic.

rpds-py backs Pydantic 2’s internals; 0.30.0 is compatible with Pydantic 2.12.x, but please run a quick import/runtime check on aarch64 wheels.


648-664: faiss-cpu pinned at 1.13.0 remains consistent with repo policy.

Top-level pin for transitive ML deps is expected here to avoid conflicts when bundling LLM tooling.
Based on learnings, this matches prior decisions to pin faiss-cpu explicitly.


2458-2525: psycopg2-binary correctly retained.

Required by some llama-stack providers; do not swap to psycopg v3.
Based on learnings, keeping psycopg2-binary is necessary for provider compatibility.


665-667: Validate FastAPI peer constraints and grpcio advisories using the provided PyPI check script.

This review requests manual verification of dependency constraints for FastAPI 0.123.4 and its peer dependencies (Starlette, Pydantic), as well as OpenTelemetry exporter packages and grpcio 1.67.1. Use the provided shell script to check PyPI metadata and GitHub Security Advisories. Apply the same validation to lines 1038-1096, 1418-1419, 157-159, 2643-2644, and 3058-3174.


1038-1096: No action needed. grpcio 1.67.1 meets opentelemetry-exporter-otlp 1.38.0 requirements for all Python versions (1.63.2–1.66.2 lower bounds; 1.67.1 satisfies both), and both CVE-2024-7246 and CVE-2024-11407 are patched in 1.67.1 (fixed in 1.65.4 and 1.66.2 respectively).

Likely an incorrect or invalid review comment.

Comment on lines +665 to +667
fastapi==0.123.4 \
--hash=sha256:c2d0ac82f3534c8e35692fda67e2412ac60bad846bb903a65cd8145a65741474 \
--hash=sha256:fc2b5cbc10fa05f4f22d87ef7ebc8993b5110ffd9850c08e1fc35a0da37f492e
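Review bot: whether the fastapi==0.123.4 pin at lines 665-667 coexists with the Starlette version pinned elsewhere in this file cannot be decided from these three lines, and the web-query results in this thread disagree on the constraint, so the downgrade suggestion that follows should not be applied on the strength of the summary alone; resolve it from the package's actual Requires-Dist metadata (the curl-to-PyPI snippet in this thread does that) or by running `pip check` in the built aarch64 image, and only then regenerate the Starlette pin and its `--hash` entries if a conflict is confirmed. The two sha256 hashes on the pin itself are consistent with the hash-pinned layout of the rest of the lockfile.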


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

fastapi 0.123.4 requires_dist dependencies starlette pydantic version constraints site:pypi.org

💡 Result:

Do you want me to fetch the exact requires_dist entries (Starlette/Pydantic version constraints) from PyPI for FastAPI 0.123.4?


🏁 Script executed:

#!/bin/bash
# Fetch FastAPI 0.123.4 package metadata from PyPI
curl -s https://pypi.org/pypi/fastapi/0.123.4/json | python3 -c "
import sys, json
data = json.load(sys.stdin)
requires_dist = data.get('info', {}).get('requires_dist', [])
print('FastAPI 0.123.4 requires_dist:')
print('=' * 60)
for req in requires_dist:
    if req:
        print(req)
"

Repository: lightspeed-core/lightspeed-stack

Length of output: 208


🌐 Web query:

fastapi 0.123.4 pypi package dependencies starlette pydantic

💡 Result:

FastAPI 0.123.4 depends on Starlette (the ASGI/web framework) and Pydantic (the data model library). FastAPI does not hard‑pin Starlette to a single micro version — recent FastAPI releases (from 0.120.1) constrain Starlette to <0.50.0 — and FastAPI supports Pydantic v1 and v2 (docs show Pydantic compatibility and a typical allowed range for Pydantic v2 such as >=2.7.0,<3.0.0). (pypi.org)

If you want the exact install metadata (Requires‑Dist / version ranges) for the uploaded 0.123.4 wheel/ sdist, I can fetch the package metadata/files and extract the precise Requires‑Dist lines.



🌐 Web query:

fastapi 0.123.4 requires-dist starlette exact version constraint metadata

💡 Result:

I can fetch the exact Requires-Dist metadata for fastapi==0.123.4 (from PyPI / the package METADATA) and show whether it pins starlette to an exact version or a range. Do you want me to look it up now?


FastAPI 0.123.4: Starlette 0.50.0 violates peer constraints.

FastAPI 0.123.4 requires Starlette <0.50.0, but the pinned version is 0.50.0. Downgrade Starlette to 0.49.x. Pydantic 2.12.5 is compatible.

🤖 Prompt for AI Agents
In requirements.aarch64.txt around lines 665 to 667, the pinned Starlette 0.50.0
conflicts with FastAPI 0.123.4 which requires Starlette <0.50.0; change the
Starlette pin to a 0.49.x release (e.g., 0.49.0 or the latest 0.49.*), update or
regenerate the corresponding --hash entries for that Starlette version, and
ensure the Pydantic 2.12.5 entry remains compatible.
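One way to settle a peer-constraint question like this one offline, as an added example that is not part of the PR or of the lightspeed-stack project: the script below parses pinned `name==version` lines together with their `--hash` continuation lines in the uv/pip-compile layout used by requirements.aarch64.txt, confirms every pin carries a hash, and then evaluates Requires-Dist specifiers against the pinned versions. The lockfile excerpt and the `REQUIRES_DIST` table are constructed from the claims in this thread (fastapi 0.123.4 wanting `starlette<0.50.0` and `pydantic>=2.7.0,<3.0.0`), not fetched from PyPI; the starlette and pydantic hashes are placeholders; and the version comparison is a simplified numeric one that does not handle pre-release tags, which is an assumption acceptable for a lockfile of final releases.

```python
"""Offline peer-constraint and hash-presence check over a pinned requirements file.

Added example, not code from the lightspeed-stack project. Lockfile excerpt and
Requires-Dist metadata are constructed for the demo; a real check would read the
metadata from PyPI (see the curl snippet in the review thread) or from the wheels.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the uv/pip-compile style: a pin line ending in a backslash,
# followed by indented --hash continuation lines. The fastapi hashes are the ones
# shown in the PR; the starlette and pydantic hashes are placeholders.
LOCKFILE_EXCERPT = """\
fastapi==0.123.4 \\
    --hash=sha256:c2d0ac82f3534c8e35692fda67e2412ac60bad846bb903a65cd8145a65741474 \\
    --hash=sha256:fc2b5cbc10fa05f4f22d87ef7ebc8993b5110ffd9850c08e1fc35a0da37f492e
starlette==0.50.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pydantic==2.12.5 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

# Constructed Requires-Dist table (assumption taken from the thread's claims).
REQUIRES_DIST: Dict[str, List[str]] = {
    "fastapi": ["starlette>=0.40.0,<0.50.0", "pydantic>=2.7.0,<3.0.0"],
}

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
_SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)$")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_lockfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {normalized_name: (version, [sha256 hashes])}, joining '\\' continuations."""
    logical = text.replace("\\\n", " ")
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:  # anything that is not an exact pin is a lockfile defect
            raise ValueError(f"unpinned or malformed line: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        pins[name] = (m.group(2), _HASH_RE.findall(line))
    return pins


def _vkey(version: str, width: int) -> Tuple[int, ...]:
    """Numeric release segments padded with zeros so 0.50 and 0.50.0 compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


def satisfies(version: str, spec: str) -> bool:
    """True if version meets every comma-separated clause of spec (empty spec = any)."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, target = m.groups()
        width = max(len(re.findall(r"\d+", version)), len(re.findall(r"\d+", target)))
        if not _OPS[op](_vkey(version, width), _vkey(target, width)):
            return False
    return True


def check_peers(pins, requires_dist) -> List[Tuple[str, str, Optional[str]]]:
    """List (dependant, requirement, pinned_version_or_None) for every unmet peer."""
    problems = []
    for dependant, reqs in requires_dist.items():
        if dependant not in pins:
            continue
        for req in reqs:
            req_core = req.split(";", 1)[0].strip()  # drop environment markers
            name, spec = _SPEC_RE.match(req_core).groups()
            pinned = pins.get(name.lower().replace("_", "-"))
            if pinned is None:
                problems.append((dependant, req, None))
            elif not satisfies(pinned[0], spec):
                problems.append((dependant, req, pinned[0]))
    return problems


def missing_hashes(pins) -> List[str]:
    """Names pinned without any --hash, which would fail a --require-hashes install."""
    return sorted(name for name, (_, hashes) in pins.items() if not hashes)


if __name__ == "__main__":
    lock = parse_lockfile(LOCKFILE_EXCERPT)
    print("pins without hashes:", missing_hashes(lock) or "none")
    for dependant, req, pinned in check_peers(lock, REQUIRES_DIST):
        print(f"{dependant} requires {req!r}, lockfile pins {pinned}")
```

To turn this into a real check, replace `REQUIRES_DIST` with the `requires_dist` list that the curl-to-PyPI snippet in the thread prints, and feed it the full requirements.aarch64.txt; the hash-presence check is the part that matters for a `--require-hashes` build, and the peer check is what `pip check` does against an installed environment.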

@tisnik tisnik merged commit dbc49ff into lightspeed-core:main Dec 2, 2025
21 of 23 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Dec 7, 2025
15 tasks
@coderabbitai coderabbitai bot mentioned this pull request Jan 14, 2026
18 tasks