Conversation

@tisnik (Contributor) commented Jan 11, 2026

Description

LCORE-1140: Updated dependencies

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1140

Summary by CodeRabbit

  • Chores
    • Updated internal dependencies across supported system architectures to improve stability and security. Multiple core libraries received version updates with corresponding integrity verification.

@coderabbitai (coderabbitai bot, Contributor) commented Jan 11, 2026

Walkthrough

Updated multiple package versions across both aarch64 and x86_64 requirement files, introduced a2a-sdk package, updated hashes, and restructured "via" provenance annotations to reflect new dependency relationships and sources.

Changes

Cohort: Dependency Version & Hash Updates
File(s): requirements.aarch64.txt, requirements.x86_64.txt
Summary: Bumped multiple packages (anyio 4.12.0→4.12.1, grpcio 1.67.1→1.76.0, filelock 3.20.2→3.20.3, protobuf 6.33.2→6.33.3, litellm 1.80.11→1.80.13, openai 2.14.0→2.15.0, scipy 1.16.3→1.17.0, pydantic 2.12.5, peft 0.18.1, pillow 12.1.0, transformers, requests, and others); added a2a-sdk==0.3.22; updated all associated SHAs; reorganized "via" annotations to reflect new dependency provenance (lightspeed-stack, a2a-sdk, google-api-core, llama-stack, mcp, blobfile, datasets, httpx, httpcore, faiss, pydantic).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

Suggested reviewers

  • radofuchs
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 inconclusive

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. Explanation: The title 'LCORE-1140: Updated dependencies' is vague and generic, using non-specific language that doesn't convey meaningful information about which dependencies were updated or why. Resolution: Consider making the title more specific by mentioning key dependencies updated (e.g., 'LCORE-1140: Bump grpcio, litellm, scipy, and protobuf versions') to better reflect the changeset.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e5629e and 066cc4f.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • requirements.aarch64.txt
  • requirements.x86_64.txt
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2026-01-09T15:39:01.299Z
Learnt from: CR
Repo: lightspeed-core/lightspeed-stack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-09T15:39:01.299Z
Learning: Use `uv sync --group dev --group llslibdev` for dependencies

Applied to files:

  • requirements.x86_64.txt
📚 Learning: 2026-01-09T15:39:01.298Z
Learnt from: CR
Repo: lightspeed-core/lightspeed-stack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-09T15:39:01.298Z
Learning: Applies to src/**/*.py : Use `from llama_stack_client import AsyncLlamaStackClient` for Llama Stack integration

Applied to files:

  • requirements.x86_64.txt
  • requirements.aarch64.txt
📚 Learning: 2025-08-18T10:57:39.266Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:59-59
Timestamp: 2025-08-18T10:57:39.266Z
Learning: In the lightspeed-stack project, transitive dependencies like faiss-cpu are intentionally pinned as top-level dependencies to maintain better control over the dependency graph and avoid version conflicts when bundling ML/LLM tooling packages.

Applied to files:

  • requirements.x86_64.txt
  • requirements.aarch64.txt
📚 Learning: 2025-08-18T10:58:14.951Z
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:47-47
Timestamp: 2025-08-18T10:58:14.951Z
Learning: psycopg2-binary is required by some llama-stack providers in the lightspeed-stack project, so it cannot be replaced with psycopg v3 or moved to optional dependencies without breaking llama-stack functionality.

Applied to files:

  • requirements.x86_64.txt
  • requirements.aarch64.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-pr
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: library mode / ci
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
🔇 Additional comments (25)
requirements.aarch64.txt (20)

3-6: New direct dependency a2a-sdk: confirm it’s intended (and has aarch64 wheels)
This adds a new top-level package; please confirm it’s required for the llslibdev/runtime surface and that install succeeds for --python-platform aarch64-unknown-linux-gnu --python-version 3.12 (wheels present, no source builds).


150-153: aiosqlite provenance change: ensure this is purely regenerated output
Looks fine, but since this file is auto-generated, please ensure these # via edits come from the generator (not manual tweaks), so future compiles don’t churn.


162-172: anyio bump: verify http stack compatibility (httpx/openai/llama-stack-client)
Given how central anyio is, please sanity-check runtime tests around streaming/async cancellation/timeouts (especially with httpx, openai, sse-starlette).


230-233: asyncpg provenance update looks OK
No functional concern—just ensure it matches regenerated dependency provenance.


252-256: cachetools provenance update looks OK
No concerns; verify it’s generator-driven.


672-681: filelock bump: verify no behavioral regressions in concurrent download/cache paths
This can subtly affect HF cache / dataset downloads; quick smoke test on aarch64 is worth it.


829-845: New Google dependency chain via a2a-sdk: validate footprint + auth behavior
google-api-core/google-auth/proto-plus/protobuf increases surface area; please confirm this is expected and doesn’t introduce unwanted runtime auth discovery/network calls in your deployment environment.


896-961: grpcio major bump: verify aarch64 wheel/ABI compatibility
This is the riskiest bump here (native extension). Please confirm:

  • aarch64 wheel availability for Python 3.12,
  • compatibility with your base image’s glibc,
  • and that OTLP exporter / any grpc clients still work end-to-end.

996-1007: httpx is now pulled by a2a-sdk: confirm no version constraint conflicts
Please ensure a2a-sdk doesn’t impose httpx constraints that fight openai/llama-stack(-client) expectations.


1007-1013: httpx-sse now pulled by a2a-sdk: confirm SSE usage is compatible
If both mcp and a2a-sdk consume SSE, validate expected reconnection/timeout semantics in your integration tests.


1160-1168: jsonschema bump: confirm downstream compatibility (mcp/litellm/llama-stack)
Schema validation changes can be subtle; please run the relevant contract/schema tests (especially for any tool calling mcp).


1180-1184: litellm bump: confirm provider behavior didn’t change
Given how often litellm changes provider defaults/params, please re-run any provider smoke tests (OpenAI + any other configured backends).


1695-1702: openai bump: confirm API surface compatibility with your usage
Please validate any usage of streaming, tool-calling, or retries (and any wrappers in llama-stack) against openai==2.15.0.


1827-1831: peft bump: confirm it remains compatible with your pinned torch/transformers
PEFT↔Transformers↔Torch version skew can break at runtime; please run one minimal fine-tune/load adapter path in CI for aarch64.


2121-2142: proto-plus / protobuf bumps: verify no runtime descriptor/import issues
protobuf major-version shifts can break generated protos / runtime reflection. Please validate OTLP exporter + any Google API usage paths.


2351-2363: pydantic provenance now includes a2a-sdk: confirm dependency expectations
No issue, but please confirm a2a-sdk works with pydantic==2.12.5 (no hidden upper bounds / extras mismatch).


2600-2611: pyyaml provenance update: ensure this is regenerated output
Looks fine; verify the provenance change is stable across regen to avoid future churn.


2741-2749: requests provenance now includes google-api-core: watch for dependency constraint drift
Please ensure the combined requests/urllib3 constraints remain consistent across k8s client + Google libs.


2953-3018: scipy bump: verify aarch64 wheel availability + runtime smoke test
Another high-risk native dependency. Please confirm wheels exist for Python 3.12 aarch64 and run a minimal import + one numeric routine in CI to catch missing OpenBLAS/Fortran/GLIBC issues early.


3278-3286: typing-extensions provenance includes grpcio: confirm no pin conflicts
Not a problem by itself—just ensure grpcio doesn’t indirectly force an incompatible typing-extensions range with your other deps.

requirements.x86_64.txt (5)

1180-1182: API/behavior churn risk: litellm==1.80.13, openai==2.15.0, jsonschema==4.26.0 — ensure integration tests cover the affected surfaces.
Even if compilation succeeds, these frequently introduce behavior changes (error types, request/response models, schema validation semantics).

Also applies to: 1695-1697, 1160-1162


162-164: Low-risk bumps look fine (anyio==4.12.1, filelock==3.20.3) — just keep them in sync across arch lockfiles.

Also applies to: 672-674


151-153: Provenance (# via ...) updates only — OK.
These look like uv’s recalculated dependency graph annotations rather than semantic changes.

Also applies to: 230-232, 255-255, 843-843, 1000-1012, 2743-2743, 3285-3285


896-957: Run CI tests with Python 3.12 to validate the grpcio and protobuf versions work in your environment.

Both grpcio==1.76.0 and protobuf==6.33.3 are compatible with Python 3.12 and show no documented breaking changes in their official release notes. While testing is always prudent for major dependency updates, there's no evidence these specific versions are "high-risk" or prone to runtime incompatibilities.

Likely an incorrect or invalid review comment.


3-6: a2a-sdk is not a new dependency—it is already declared in pyproject.toml with constraint >=0.3.4,<0.4.0.

The pin a2a-sdk==0.3.22 is compliant with this constraint and represents a routine lockfile update. The package is legitimate (PyPI, published Dec 16, 2025), actively used in the codebase (tests and src), and synchronized across both x86_64 and aarch64 lockfiles. Google API transitives (google-api-core, google-auth) and httpx are expected dependencies of a2a-sdk.

No new supply-chain risk or verification is warranted—this is an existing dependency being pinned at a valid version.

Likely an incorrect or invalid review comment.


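The review above asks that hashes be updated everywhere and that the aarch64 and x86_64 lockfiles stay in sync. The following is an added example (not code from this PR or the lightspeed-stack project) of a small checker for that property: it parses the generator's `name==version \` plus `--hash=sha256:` layout, reports pins that carry no hash at all, and reports packages whose pinned version differs between two architecture lockfiles. The two lockfile texts and their digests are constructed placeholders, not the PR's real wheel hashes.

```python
import re
# Generator layout: `name==version \` then continuation lines with --hash=sha256:... and `# via` comments.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_lockfile(text):
    """Return {package: (version, [sha256 digests])}; comment and `# via` provenance lines are ignored."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            current = m.group(1).lower().replace("_", "-")  # PEP 503-style name normalisation
            pins[current] = (m.group(2), [])
        if current is not None:
            pins[current][1].extend(HASH_RE.findall(line))
    return pins

def unhashed_pins(pins):
    """Pins without any --hash: pip --require-hashes rejects the file and integrity goes unverified."""
    return sorted(name for name, (_, digests) in pins.items() if not digests)

def version_drift(a, b):
    """Packages pinned in both lockfiles at different versions; per-arch lockfiles should agree."""
    return {p: (a[p][0], b[p][0]) for p in sorted(a.keys() & b.keys()) if a[p][0] != b[p][0]}

# Constructed sample lockfiles with placeholder digests (not real wheel hashes).
H1, H2 = "0123456789abcdef" * 4, "fedcba9876543210" * 4
AARCH64_TXT = f"""\
a2a-sdk==0.3.22 \\
    --hash=sha256:{H1}
anyio==4.12.1 \\
    --hash=sha256:{H2}
grpcio==1.76.0
    # via lightspeed-stack
"""
X86_64_TXT = f"""\
a2a-sdk==0.3.22 \\
    --hash=sha256:{H1}
anyio==4.12.0 \\
    --hash=sha256:{H2}
grpcio==1.76.0 \\
    --hash=sha256:{H1}
"""

if __name__ == "__main__":
    a, x = parse_lockfile(AARCH64_TXT), parse_lockfile(X86_64_TXT)
    print(unhashed_pins(a), version_drift(a, x))  # ['grpcio'] {'anyio': ('4.12.1', '4.12.0')}
```

On the constructed sample the aarch64 file is flagged for the unhashed grpcio pin and anyio is flagged as drifted between the two files; pointing the two parsers at the real requirements.aarch64.txt and requirements.x86_64.txt gives the same check for a PR like this one.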

@tisnik tisnik merged commit 4ad2e52 into lightspeed-core:main Jan 11, 2026
19 of 23 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Jan 14, 2026
15 tasks