chore(deps): bump the boto group across 1 directory with 5 updates #8793
Vandita2020 merged 1 commit into develop from
Conversation
Bumps the boto group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [boto3[crt]](https://github.com/boto/boto3) | `1.42.64` | `1.42.67` |
| [boto3-stubs[apigateway,cloudformation,ecr,iam,kinesis,lambda,s3,schemas,secretsmanager,signer,sqs,stepfunctions,sts,xray]](https://github.com/youtype/mypy_boto3_builder) | `1.42.64` | `1.42.67` |
| [botocore[crt]](https://github.com/boto/botocore) | `1.42.64` | `1.42.67` |
| [mypy-boto3-ecr](https://github.com/youtype/mypy_boto3_builder) | `1.42.57` | `1.42.67` |
| [mypy-boto3-s3](https://github.com/youtype/mypy_boto3_builder) | `1.42.37` | `1.42.67` |

Updates `boto3[crt]` from 1.42.64 to 1.42.67
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.42.64...1.42.67)

Updates `boto3-stubs[apigateway,cloudformation,ecr,iam,kinesis,lambda,s3,schemas,secretsmanager,signer,sqs,stepfunctions,sts,xray]` from 1.42.64 to 1.42.67
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

Updates `botocore[crt]` from 1.42.64 to 1.42.67
- [Commits](boto/botocore@1.42.64...1.42.67)

Updates `mypy-boto3-ecr` from 1.42.57 to 1.42.67
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

Updates `mypy-boto3-s3` from 1.42.37 to 1.42.67
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

---

```yaml
updated-dependencies:
- dependency-name: boto3[crt]
  dependency-version: 1.42.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
- dependency-name: boto3-stubs[apigateway,cloudformation,ecr,iam,kinesis,lambda,s3,schemas,secretsmanager,signer,sqs,stepfunctions,sts,xray]
  dependency-version: 1.42.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
- dependency-name: botocore[crt]
  dependency-version: 1.42.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
- dependency-name: mypy-boto3-ecr
  dependency-version: 1.42.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
- dependency-name: mypy-boto3-s3
  dependency-version: 1.42.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
...
```

Signed-off-by: dependabot[bot] <support@github.com>
licjun
left a comment
Dependency Bump Review: boto group 1.42.64 → 1.42.67
Summary
Standard Dependabot PR bumping the boto group (boto3, botocore, boto3-stubs, and select mypy-boto3 type stubs) from 1.42.64 to 1.42.67. Changes are limited to version pins and hash updates across 4 files.
Files Reviewed
- pyproject.toml — boto3[crt] pin updated from 1.42.64 to 1.42.67. ✅ Correct.
- requirements/reproducible-{linux,mac,win}.txt — All three platform lockfiles updated consistently for:
  - boto3[crt] 1.42.64 → 1.42.67 ✅
  - botocore[crt] 1.42.64 → 1.42.67 ✅
  - boto3-stubs[...] 1.42.64 → 1.42.67 ✅
  - mypy-boto3-ecr 1.42.57 → 1.42.67 ✅
  - mypy-boto3-s3 1.42.37 → 1.42.67 ✅
Consistency Checks
- Cross-platform consistency: All three reproducible requirement files (linux, mac, win) have identical boto-related versions. ✅
- boto3/botocore version alignment: Both pinned to 1.42.67, which is correct since boto3 and botocore must be at matching versions. ✅
- pyproject.toml vs lockfiles: pyproject.toml pins boto3[crt]==1.42.67, lockfiles resolve to the same version. ✅
- Hash integrity: Each package has two hashes (sdist + wheel), consistent with the expected distribution format. ✅
Observations
- Partial mypy-boto3 stubs update: Only mypy-boto3-ecr and mypy-boto3-s3 were bumped to 1.42.67. Other stubs remain at older versions (e.g., mypy-boto3-iam at 1.42.64, mypy-boto3-lambda at 1.42.37, mypy-boto3-apigateway at 1.42.3). This is expected behavior — Dependabot only bumps packages that have new releases in the boto group, and the boto3-stubs constraint in pyproject.toml uses >=1.41.0 (not pinned), so older compatible stubs are fine.
- No source code changes: This is a pure dependency version bump with no application code modifications, so no functional regression risk from the code side.
Verdict
Changes look correct and consistent. This is a straightforward minor version bump. Recommend merging after CI passes.
licjun
left a comment
Automated Review: Boto dependency bump 1.42.64 → 1.42.67
This is a standard Dependabot PR bumping the boto group (boto3, botocore, boto3-stubs, mypy-boto3-ecr, mypy-boto3-s3) from 1.42.64 to 1.42.67. I've reviewed the changes and everything looks correct.
✅ Checks Passed
- Version consistency across files: The pyproject.toml pin (boto3[crt]==1.42.67) matches the version in all three reproducible lock files (linux, mac, win).
- boto3/botocore version alignment: boto3==1.42.67 and botocore==1.42.67 are updated in lockstep, which is required since boto3 pins its botocore dependency to the same patch version.
- Hash consistency across platforms: All SHA-256 hashes for each package are identical across requirements/reproducible-linux.txt, requirements/reproducible-mac.txt, and requirements/reproducible-win.txt. This is expected since these are pure Python wheels/sdists.
- Lock file completeness: All 5 packages listed in the PR description are updated in each of the 3 lock files (15 changes per file matches the diff stats of +15/-15).
- Type stub updates: mypy-boto3-ecr (1.42.57 → 1.42.67) and mypy-boto3-s3 (1.42.37 → 1.42.67) are brought up to date with the new boto3 version.
ℹ️ Observations (non-blocking)
- Several other mypy-boto3-* sub-packages remain at older versions (e.g., mypy-boto3-cloudformation==1.42.3, mypy-boto3-lambda==1.42.37, mypy-boto3-schemas==1.42.3). This is fine — Dependabot only updates packages that have new releases, and these type stubs are independently versioned. They'll get picked up in future PRs when new versions are published.
- The botocore 1.42.67 release includes an OAuth2 error handling fix for SSO OIDC (boto/botocore#3642) and the boto3 1.42.66 release adds a TypeError for bare @requires_crt usage (boto/boto3#4734). Neither should introduce breaking changes for SAM CLI.
LGTM — this is a clean, mechanical dependency bump with no issues.
licjun
left a comment
Automated Code Review
This is a standard Dependabot grouped dependency bump for the boto family, upgrading from 1.42.64 to 1.42.67. Here are my findings:
Summary of Changes
Files changed (4):
- pyproject.toml — bumps boto3[crt] from 1.42.64 → 1.42.67
- requirements/reproducible-linux.txt — updates pinned versions and hashes
- requirements/reproducible-mac.txt — updates pinned versions and hashes
- requirements/reproducible-win.txt — updates pinned versions and hashes
Packages updated (5):

| Package | From | To |
|---|---|---|
| boto3[crt] | 1.42.64 | 1.42.67 |
| boto3-stubs[...] | 1.42.64 | 1.42.67 |
| botocore[crt] | 1.42.64 | 1.42.67 |
| mypy-boto3-ecr | 1.42.57 | 1.42.67 |
| mypy-boto3-s3 | 1.42.37 | 1.42.67 |
✅ Correctness
- Version consistency across lockfiles: The boto3, boto3-stubs, and botocore versions are consistently bumped to 1.42.67 across all three platform-specific reproducible requirements files (linux, mac, win) and pyproject.toml. Hashes are identical across all three lockfiles for the same packages, which is expected since these are pure Python wheels.
- Hash integrity: Each updated package entry includes exactly 2 hashes (sdist + wheel), consistent with the pattern used by the other pinned dependencies in these files.
- pyproject.toml ↔ lockfile alignment: pyproject.toml pins boto3[crt]==1.42.67, and all three lockfiles reflect the same version. No mismatch.
⚠️ Observation — Version Skew in mypy-boto3-* Type Stubs
While boto3, botocore, and boto3-stubs are all aligned at 1.42.67, several other mypy-boto3-* stubs remain at older versions:
- mypy-boto3-iam==1.42.64 (not updated)
- mypy-boto3-lambda==1.42.37 (not updated)
- mypy-boto3-cloudformation==1.42.3 (not updated)
- mypy-boto3-schemas==1.42.3 (not updated)
This is not necessarily a bug — these stubs only get new releases when the corresponding service API changes — but it's worth noting that mypy-boto3-ecr jumped from 1.42.57 → 1.42.67 and mypy-boto3-s3 jumped from 1.42.37 → 1.42.67, suggesting ECR and S3 had API changes in this version range. If any code in aws-sam-cli uses newly added ECR or S3 API fields/methods, the updated stubs will be needed for type checking to pass.
✅ No Issues Found
- No source code changes — this is purely a dependency version bump.
- No new dependencies introduced.
- No dependency removals.
- The patch version bump (64 → 67) is low-risk.
- All three platform lockfiles are updated consistently.
Looks good. Recommend confirming CI passes (especially type checking with the new mypy-boto3-ecr and mypy-boto3-s3 stubs) before merging.
licjun
left a comment
Automated Review: Boto dependency bump 1.42.64 → 1.42.67
This is a standard Dependabot PR bumping the boto group (boto3, botocore, boto3-stubs, mypy-boto3-ecr, mypy-boto3-s3) from 1.42.64 to 1.42.67. Here's my analysis:
✅ Correctness
- pyproject.toml (line 38): The primary boto3[crt] pin is correctly updated from ==1.42.64 to ==1.42.67. This is the source of truth that drives the lockfiles.
- Lockfile consistency: All three reproducible requirements files (reproducible-linux.txt, reproducible-mac.txt, reproducible-win.txt) are updated identically with matching versions and hashes for boto3, botocore, boto3-stubs, mypy-boto3-ecr, and mypy-boto3-s3. The hashes are consistent across all three platform lockfiles, which is expected for pure Python packages.
- Version alignment: boto3==1.42.67 and botocore==1.42.67 are correctly kept in sync (boto3 always requires the matching botocore version).
⚠️ Minor Observation (Non-blocking)
- Stale sibling stubs not updated: Several mypy-boto3-* sub-packages remain at older versions (e.g., mypy-boto3-iam==1.42.64, mypy-boto3-lambda==1.42.37, mypy-boto3-cloudformation==1.42.3). This is expected behavior — Dependabot only updates packages that have new releases in the group, and these stubs are independently versioned. They should still be compatible, but it's worth noting the version spread across the type stubs.
✅ Security & Supply Chain
- SHA-256 hashes are present for all updated packages across all three platform lockfiles, maintaining supply chain integrity.
- The bump is a patch-level update (64 → 67), which is low risk.
✅ CI Status
- All CI checks (PR Workflow, CodeQL, integration tests on Ubuntu/Windows across Python 3.10/3.11) are passing.
Summary
Clean, mechanical dependency bump. Versions are consistent across pyproject.toml and all three platform lockfiles. Hashes are present. CI is green. LGTM.
licjun
left a comment
Dependency Bump Review: boto group 1.42.64 → 1.42.67
This is a standard Dependabot PR bumping 5 packages in the boto group. I've reviewed the changes across all 4 files.
Changes Summary
| Package | From | To |
|---|---|---|
| boto3[crt] | 1.42.64 | 1.42.67 |
| boto3-stubs[...] | 1.42.64 | 1.42.67 |
| botocore[crt] | 1.42.64 | 1.42.67 |
| mypy-boto3-ecr | 1.42.57 | 1.42.67 |
| mypy-boto3-s3 | 1.42.37 | 1.42.67 |
Verification Results
✅ pyproject.toml: boto3[crt] pinned version correctly updated from ==1.42.64 to ==1.42.67 (line 38).
✅ Hash consistency: All three platform lock files (reproducible-linux.txt, reproducible-mac.txt, reproducible-win.txt) contain identical hashes for every updated package. No discrepancies.
✅ No stale version references: No added lines in the diff still reference the old versions (1.42.64, 1.42.57, or 1.42.37).
✅ boto3/botocore version alignment: Both boto3[crt] and botocore[crt] are bumped to 1.42.67 together, which is correct — these must always be version-aligned.
✅ Patch-level bump only: 1.42.64 → 1.42.67 is a patch increment (3 micro versions). The upstream changelogs show routine service model updates, endpoint updates, and an OAuth2 error handling fix in botocore. Low risk.
Observation (non-blocking)
The mypy-boto3-* sub-packages have a range of pinned versions across the lock file (e.g., mypy-boto3-apigateway==1.42.3, mypy-boto3-kinesis==1.42.41, mypy-boto3-lambda==1.42.37, mypy-boto3-iam==1.42.64). Only mypy-boto3-ecr and mypy-boto3-s3 were bumped in this PR. This is expected behavior — Dependabot only updates packages that have new releases, and these type stub packages are published independently per service. No action needed.
LGTM. Straightforward dependency version bump with correct hashes and consistent changes across all platform lock files.
licjun
left a comment
Dependency Bump Review: boto group 1.42.64 → 1.42.67
This is a standard Dependabot grouped dependency bump for the boto family. I've reviewed all 4 changed files.
Changes Summary
| Package | From | To |
|---|---|---|
| boto3[crt] | 1.42.64 | 1.42.67 |
| botocore[crt] | 1.42.64 | 1.42.67 |
| boto3-stubs[...] | 1.42.64 | 1.42.67 |
| mypy-boto3-ecr | 1.42.57 | 1.42.67 |
| mypy-boto3-s3 | 1.42.37 | 1.42.67 |
Review Findings
✅ Correctness:
- pyproject.toml (line 38): boto3[crt] pinned version correctly updated from ==1.42.64 to ==1.42.67.
- All three reproducible lockfiles (reproducible-linux.txt, reproducible-mac.txt, reproducible-win.txt) are updated consistently with matching hashes across all platforms.
- boto3 and botocore versions are aligned at 1.42.67, which is required since boto3 pins its botocore dependency.
✅ Hash integrity:
- All updated packages include two hashes each (sdist + wheel), consistent with the existing pattern in the lockfiles.
- Several mypy-boto3-* stubs remain at older versions and were NOT updated in this PR:
  - mypy-boto3-cloudformation==1.42.3
  - mypy-boto3-iam==1.42.64
  - mypy-boto3-kinesis==1.42.3
  - mypy-boto3-lambda==1.42.37
  - mypy-boto3-schemas==1.42.3
  - mypy-boto3-secretsmanager==1.42.3
  - mypy-boto3-signer==1.42.3
  - mypy-boto3-sqs==1.42.3
  - mypy-boto3-stepfunctions==1.42.3
  - mypy-boto3-sts==1.42.3
  - mypy-boto3-xray==1.42.3
- This is expected behavior — Dependabot only bumps stubs that have new releases. These stubs likely had no new version published between their current pin and 1.42.67. This is not a blocking issue since the type stubs are backward-compatible with newer boto3 versions, but it's worth noting for awareness.
✅ No source code changes: Only dependency version pins and lockfile hashes are modified. No functional code is affected.
✅ Scope: The bump is a patch-level update (1.42.64 → 1.42.67), which is low risk. Notable upstream changes include an OAuth2 error handling fix in botocore and a @requires_crt TypeError fix in boto3.
LGTM — straightforward dependency bump with consistent changes across all platform lockfiles.
licjun
left a comment
Review: Boto dependency bump 1.42.64 → 1.42.67
Standard Dependabot grouped bump of 5 boto packages. All changes are version pins and hash updates across 4 files — no source code modifications.
Files Reviewed
- pyproject.toml (line 38): boto3[crt] pin updated ==1.42.64 → ==1.42.67. Correct.
- requirements/reproducible-{linux,mac,win}.txt: All three platform lockfiles updated consistently for boto3[crt], botocore[crt], boto3-stubs, mypy-boto3-ecr, and mypy-boto3-s3. Each file shows +15/-15 changes, matching the 5 packages × 3 lines (version + 2 hashes) pattern.
Verification
- Version alignment: boto3==1.42.67 and botocore==1.42.67 are in lockstep — required since boto3 pins its botocore dependency to the same version. ✅
- pyproject.toml ↔ lockfile consistency: pyproject.toml pins boto3[crt]==1.42.67, all three lockfiles resolve to the same. The boto3-stubs constraint in pyproject.toml uses >=1.41.0 (flexible), so the lockfile pin to 1.42.67 is within range. ✅
- Cross-platform hash consistency: Hashes for all 5 updated packages are identical across linux/mac/win lockfiles. Expected for pure Python packages. ✅
- Hash count: Each package has exactly 2 hashes (sdist + wheel), consistent with the existing pattern. ✅
- No stale references: No added lines reference the old versions (1.42.64, 1.42.57, 1.42.37). ✅
Observation (non-blocking)
Several mypy-boto3-* stubs remain at older versions (e.g., mypy-boto3-cloudformation==1.42.3, mypy-boto3-lambda==1.42.37). This is expected — Dependabot only bumps packages with new releases, and these stubs are independently versioned per service. No compatibility concern since type stubs are backward-compatible with newer boto3 versions.
Clean dependency bump. LGTM.
licjun
left a comment
Automated Code Review
This is a Dependabot PR bumping the boto dependency group from 1.42.64 to 1.42.67 across 4 files. Here are my findings:
Summary of Changes
Files changed: 4 (1 source-of-truth + 3 lockfiles)
- pyproject.toml — primary version bump for boto3[crt] (1.42.64 → 1.42.67)
- requirements/reproducible-linux.txt — lockfile update
- requirements/reproducible-mac.txt — lockfile update
- requirements/reproducible-win.txt — lockfile update
Packages updated (5):

| Package | From | To |
|---|---|---|
| boto3[crt] | 1.42.64 | 1.42.67 |
| boto3-stubs[...] | 1.42.64 | 1.42.67 |
| botocore[crt] | 1.42.64 | 1.42.67 |
| mypy-boto3-ecr | 1.42.57 | 1.42.67 |
| mypy-boto3-s3 | 1.42.37 | 1.42.67 |
✅ Correctness
- Version consistency across lockfiles: All three platform-specific reproducible requirements files (linux, mac, win) have identical version bumps and hash values for boto3, boto3-stubs, botocore, mypy-boto3-ecr, and mypy-boto3-s3. This is correct — these are pure Python packages (wheels/sdists), so hashes should be the same across platforms.
- pyproject.toml matches lockfiles: The primary dependency boto3[crt]==1.42.67 in pyproject.toml (line 38) matches the pinned version in all three lockfiles.
- Hash integrity: Each updated package has exactly 2 hashes (sdist + wheel), consistent with the pattern used by the other pinned dependencies in these files.
⚠️ Observation — Version Skew in Type Stubs
Several mypy-boto3-* sub-packages were not updated and remain at older versions:
- mypy-boto3-iam==1.42.64
- mypy-boto3-lambda==1.42.37
- mypy-boto3-cloudformation==1.42.3
- mypy-boto3-schemas==1.42.3
- mypy-boto3-kinesis, mypy-boto3-secretsmanager, mypy-boto3-signer, mypy-boto3-sqs, mypy-boto3-stepfunctions, mypy-boto3-sts, mypy-boto3-xray (various older versions)
This is expected behavior — Dependabot only bumps packages that have new releases, and these type stub packages are published independently. The skew is harmless since type stubs are only used for static analysis, not at runtime. However, it's worth noting that over time the type stubs may drift from the actual boto3 API surface.
✅ No Issues Found
- No source code changes — purely dependency version bumps
- No new dependencies introduced
- No dependency removals
- Lockfile format is preserved correctly
- The patch version bump (64 → 67) is low-risk
Looks good. Standard Dependabot boto group bump with consistent changes across all platform lockfiles.
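The lockfile checks that the reviews above describe (identical pins and hashes across the three platform files, two hashes per package, boto3 and botocore at the same version, and the pyproject.toml pin matching the lockfiles) can be scripted so they run on every dependency PR. This is an added example, not code from aws-sam-cli or the reviewer; it parses constructed pip-compile-style lockfile fragments with placeholder hash values, and the "win" sample deliberately contains a stale pin so the checks report something.

```python
import re

# Constructed sample inputs (not the real aws-sam-cli files). Hash values are
# placeholders, not genuine digests of these releases.
LINUX = """\
boto3[crt]==1.42.67 \\
    --hash=sha256:aaaa --hash=sha256:bbbb
botocore[crt]==1.42.67 \\
    --hash=sha256:cccc --hash=sha256:dddd
mypy-boto3-s3==1.42.67 \\
    --hash=sha256:eeee --hash=sha256:ffff
"""
MAC = LINUX
# The "win" sample deliberately carries a stale botocore pin with a single hash
# so the checks have something to report.
WIN = LINUX.replace("botocore[crt]==1.42.67", "botocore[crt]==1.42.64").replace(
    "--hash=sha256:cccc --hash=sha256:dddd", "--hash=sha256:cccc"
)
PYPROJECT = 'dependencies = [\n    "boto3[crt]==1.42.67",\n]\n'

# "name[extras]==version" at the start of a logical line, then its --hash options.
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]+)")
# Quoted "name[extras]==version" entries in a pyproject.toml dependency list.
PIN_RE = re.compile(r'"([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==([^"]+)"')


def parse_lockfile(text):
    """Return {package: (version, sorted hashes)} from a pip-compile lockfile."""
    pins = {}
    # Join backslash continuations so each requirement is one logical line.
    for logical in text.replace("\\\n", " ").splitlines():
        m = REQ_RE.match(logical.strip())
        if m:
            pins[m.group(1)] = (m.group(2), sorted(HASH_RE.findall(logical)))
    return pins


def check_lockfiles(platforms, pyproject, aligned=(("boto3", "botocore"),)):
    """Run the cross-platform, hash-count, alignment and pyproject checks.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    parsed = {name: parse_lockfile(text) for name, text in platforms.items()}
    ref_name, ref = next(iter(parsed.items()))  # first platform is the reference
    for name, pins in parsed.items():
        for pkg, (ver, hashes) in pins.items():
            if len(hashes) != 2:  # sdist + wheel expected for pure-Python packages
                findings.append(f"{name}: {pkg} has {len(hashes)} hash(es), expected 2")
            if pkg in ref and ref[pkg] != (ver, hashes):
                findings.append(f"{name}: {pkg} differs from {ref_name}")
        for a, b in aligned:  # boto3 requires the botocore release of the same version
            if a in pins and b in pins and pins[a][0] != pins[b][0]:
                findings.append(f"{name}: {a} {pins[a][0]} != {b} {pins[b][0]}")
    for pkg, ver in PIN_RE.findall(pyproject):
        for name, pins in parsed.items():
            if pkg in pins and pins[pkg][0] != ver:
                findings.append(f"{name}: {pkg} {pins[pkg][0]} != pyproject pin {ver}")
    return findings


if __name__ == "__main__":
    for finding in check_lockfiles({"linux": LINUX, "mac": MAC, "win": WIN}, PYPROJECT):
        print(finding)
```

With the three real requirements/reproducible-*.txt files read from disk in place of the constructed strings, an empty result corresponds to the green checks in the reviews above.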
Updates boto3[crt] from 1.42.64 to 1.42.67

Commits
- b1ff6b0 Merge branch 'release-1.42.67'
- 3a20a6a Bumping version to 1.42.67
- 6724c7e Add changelog entries from botocore
- d233684 Merge branch 'release-1.42.66'
- 7d89871 Merge branch 'release-1.42.66' into develop
- 4f44a49 Bumping version to 1.42.66
- afd18f7 Add changelog entries from botocore
- 4dd05c0 Add TypeError for bare @requires_crt usage and regression tests (#4734)
- bbb6100 Update documentation.yml (#4725)
- b7b0a0f Merge branch 'release-1.42.65'

Updates boto3-stubs[apigateway,cloudformation,ecr,iam,kinesis,lambda,s3,schemas,secretsmanager,signer,sqs,stepfunctions,sts,xray] from 1.42.64 to 1.42.67

Updates botocore[crt] from 1.42.64 to 1.42.67

Commits
- 946ffef Merge branch 'release-1.42.67'
- 8adef35 Bumping version to 1.42.67
- ac82811 Update endpoints model
- d3ee64d Update to latest models
- 51c39d7 Handle Oauth2 errors for SSO OIDC service (#3642)
- 537c33e Merge branch 'release-1.42.66'
- 0e9fa7e Merge branch 'release-1.42.66' into develop
- c640bbb Bumping version to 1.42.66
- 8e7a97f Update endpoints model
- 8eba3d8 Update to latest models

Updates mypy-boto3-ecr from 1.42.57 to 1.42.67

Updates mypy-boto3-s3 from 1.42.37 to 1.42.67