@tisnik tisnik commented Dec 16, 2025

Description

LCORE-1062: Updated deps

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1026

Summary by CodeRabbit

  • Chores
    • Updated dependency versions: cachetools to 6.2.4, filelock to 3.20.1, google-auth to 2.45.0, and openai to 2.12.0.


coderabbitai bot commented Dec 16, 2025

Walkthrough

Updated dependency versions in both architecture-specific requirements files. Minor version bumps for cachetools, filelock, google-auth, and openai packages along with their corresponding hash values across aarch64 and x86_64 variants.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency version updates: requirements.aarch64.txt, requirements.x86_64.txt | Updated cachetools (6.2.3 → 6.2.4), filelock (3.20.0 → 3.20.1), google-auth (2.43.0 → 2.45.0), and openai (2.11.0 → 2.12.0) with corresponding hash value changes |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Routine dependency updates with no logic or functional changes
  • Identical pattern applied across both files (simple, repetitive changes)
  • No control flow or public API modifications

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'LCORE-1062: Updated deps' clearly summarizes the main change—updating dependencies across requirement files—and is specific enough to understand the primary purpose. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@tisnik tisnik changed the title from "LCORE-1062: Updated deps" to "LCORE-1026: Updated deps" Dec 16, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e66f50 and 45e29e6.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • requirements.aarch64.txt (4 hunks)
  • requirements.x86_64.txt (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: build-pr
🔇 Additional comments (6)
requirements.x86_64.txt (3)

745-747: filelock patch upgrade; both requirements files aligned.

Both requirements.x86_64.txt and requirements.aarch64.txt correctly pin filelock==3.20.1 with identical hashes, confirming the dependency is synchronized across architectures.


1965-1967: Version bump already applied and files are in sync; minimal OpenAI SDK usage.

The openai package is pinned to v2.12.0 in both requirements.x86_64.txt and requirements.aarch64.txt (lines 1965) with identical hashes—no action needed for version alignment.

OpenAI SDK usage is minimal: only from openai._exceptions import APIStatusError is imported directly, with other references pointing to internal llama_stack.apis.agents.openai_responses. Existing test files (test_streaming_query.py, test_query_v2.py, and integration tests) should be executed to confirm the exception handling patterns remain compatible with v2.12.0.


954-956: google-auth 2.45.0 bump; verify staging auth flows.

google-auth==2.45.0 introduces Agent Identity-bound token support and certificate mismatch handling improvements. Versions are consistent across x86_64 and aarch64 lockfiles. Verify that Kubernetes-related auth flows (GKE, workload identity) and GCP integrations continue to work correctly in staging.

requirements.aarch64.txt (3)

1965-1967: Version does not exist – remove or correct this entry

openai==2.12.0 is not a released version. The latest version in the 2.x series is 2.11.0. Either remove this entry or replace it with a real version number.

Likely an incorrect or invalid review comment.


954-956: google-auth bump to 2.45.0 – validate against GCP/Kubernetes auth flows

Given how central google-auth is to Kubernetes and any GCP integration, please:

  • Verify that 2.45.0 is within the supported range for your Kubernetes client and any other direct consumers.
  • Run smoke tests that exercise cluster auth and any Google API calls.

245-247: cachetools 6.2.4 – verify testing

This is a patch-level bump already synchronized across both architectures. Confirm this change passes CI/test suite before merging.

Comment on lines +745 to +747
filelock==3.20.1 \
--hash=sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a \
--hash=sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c

⚠️ Potential issue | 🟡 Minor

filelock bump to 3.20.1 – run existing test suites to confirm compatibility

This is a patch release bump from 3.20.0. Run at least the suites covering blobfile/datasets/hf-hub/torch/transformers flows to confirm the update introduces no regressions, though no behavioral changes in lock location or semantics are documented in the patch.

🤖 Prompt for AI Agents
In requirements.aarch64.txt around lines 745 to 747, the filelock dependency was
bumped to 3.20.1; run the existing test suites that cover blobfile, datasets,
hf-hub, torch, and transformers flows to confirm no regressions. Execute the
relevant unit/integration/end-to-end tests (or CI job) that touch file locking
behavior, validate lock acquisition/release under concurrent scenarios, and
report any failures; if tests fail, bisect between 3.20.0 and 3.20.1 to identify
the cause and either pin back to 3.20.0 or patch the code to handle any
behavioral change before merging.

Comment on lines +245 to +247
cachetools==6.2.4 \
--hash=sha256:69a7a52634fed8b8bf6e24a050fb60bff1c9bd8f6d24572b99c32d4e71e62a51 \
--hash=sha256:82c5c05585e70b6ba2d3ae09ea60b79548872185d2f24ae1f2709d37299fd607

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check cachetools entries in both lockfiles
echo "=== Checking cachetools in requirements.x86_64.txt ==="
rg -n "^cachetools==" requirements.x86_64.txt || echo "Not found"

echo "=== Checking cachetools in requirements.aarch64.txt ==="
rg -n "^cachetools==" requirements.aarch64.txt || echo "Not found"

echo "=== Checking cachetools constraint in pyproject.toml ==="
rg -n "cachetools" pyproject.toml || echo "Not found"

echo "=== Checking file headers for uv compilation command ==="
head -5 requirements.x86_64.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 855


cachetools version 6.2.4 does not exist on PyPI; update to latest available version.

Both lockfiles correctly pin cachetools==6.2.4 with consistent hashes and were regenerated via uv pip compile. However, the latest available version on PyPI is 6.2.4. Update both requirements.x86_64.txt and requirements.aarch64.txt to use a valid cachetools version (e.g., 6.2.2) by regenerating via uv pip compile pyproject.toml.

🤖 Prompt for AI Agents
In requirements.x86_64.txt around lines 245 to 247 the pinned dependency
cachetools==6.2.4 is invalid on PyPI; update both requirements.x86_64.txt and
requirements.aarch64.txt to a valid cachetools version (for example 6.2.2) by
changing the version in pyproject.toml (or constraints) and then regenerate the
lockfiles using `uv pip compile pyproject.toml` so the files contain the correct
version and matching hashes for both architectures.
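
The cross-architecture check this review keeps returning to (same pin and same hash set in requirements.x86_64.txt and requirements.aarch64.txt) can be run offline. The following is an added example, not part of the PR or of the CodeRabbit review; `parse_pins` and `compare` are hypothetical names, and the sample fragments are constructed with shortened placeholder digests.

```python
import re

# Constructed fragments in the lockfile layout quoted above; the digests are
# shortened placeholders, not real values.
X86_64 = """\
cachetools==6.2.4 \\
    --hash=sha256:aa11 \\
    --hash=sha256:bb22
    # via google-auth
filelock==3.20.1 \\
    --hash=sha256:cc33
openai==2.12.0 \\
    --hash=sha256:dd44
"""
AARCH64 = """\
cachetools==6.2.3 \\
    --hash=sha256:ee55
filelock==3.20.1 \\
    --hash=sha256:cc33
openai==2.12.0
"""

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\;]+)")
HASH = re.compile(r"--hash=(sha256:[0-9a-f]+)")

def parse_pins(text):
    """Return {normalized name: (version, set of hashes)} for a hash-pinned file."""
    pins, name = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # skip blanks and "# via ..." annotations
        m = PIN.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = (m.group(2), set())
        if name:
            pins[name][1].update(HASH.findall(line))
    return pins

def compare(a, b):
    """List (package, finding) for every pin that is not identical in both files."""
    findings = []
    for name in sorted(a.keys() | b.keys()):
        if name not in a or name not in b:
            findings.append((name, "missing in one file"))
            continue
        (va, ha), (vb, hb) = a[name], b[name]
        if not ha or not hb:
            findings.append((name, "pin without hash"))
        elif va != vb:
            findings.append((name, f"version {va} != {vb}"))
        elif ha != hb:
            findings.append((name, "hash sets differ"))
    return findings

if __name__ == "__main__":
    for finding in compare(parse_pins(X86_64), parse_pins(AARCH64)):
        print(*finding, sep=": ")
```

An unhashed pin is reported separately because pip's hash-checking mode rejects any requirement that has no `--hash` once hashes are in use.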

@tisnik tisnik merged commit ef4804d into lightspeed-core:main Dec 16, 2025
19 of 25 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Dec 21, 2025
15 tasks