Consolidate dependencies into pyproject.toml #421
CodeRabbit: Review skipped (draft detected).
Walkthrough: Consolidates dependency management into pyproject.toml (extras-based), removes legacy
Pre-merge checks and finishing touches: Passed checks (5 passed)
Pull request overview
This PR consolidates Python dependencies into pyproject.toml as the single source of truth, following modern Python packaging standards (PEP 518/621). This fixes an issue where pip install -e . was missing critical dependencies like requests, cryptography, and typing-extensions that were only listed in requirements.txt.
- Moved all 8 core dependencies from `requirements.txt` to `pyproject.toml`
- Updated dev dependencies in `pyproject.toml` with missing packages and version bumps
- Simplified installation to use `pip install -e ".[dev]"` for dev setup
- Removed duplicate requirement files (`requirements.txt` and `requirements-dev.txt`)
- Updated all documentation and build scripts to reflect the new installation method
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.
Summary per file:
| File | Description |
|---|---|
| pyproject.toml | Added missing core dependencies (requests, cryptography, typing-extensions) and updated dev dependencies with proper versions |
| setup.py | Removed file-reading logic and hardcoded dependencies to match pyproject.toml for backward compatibility |
| requirements.txt | Removed file containing duplicate entries (had PyYAML listed 3 times with different casing/versions) |
| requirements-dev.txt | Removed file, dev dependencies now in pyproject.toml |
| Makefile | Simplified dev target to use pip install -e ".[dev]" instead of separate requirements files |
| CONTRIBUTING.md | Updated installation instructions to use pyproject.toml extras syntax |
| AGENTS.md | Updated setup commands to use new installation method |
| docs/guides/Developer-Guide.md | Updated dev setup to use pip install -e ".[dev]" |
| docs/guides/Getting-Started.md | Updated quick start to use pip install -e . |
Actionable comments posted: 1
⚠️ Outside diff range comments (1)
docs/guides/Getting-Started.md (1)
6-6: Fix Python version inconsistency with pyproject.toml. The prerequisites state "Python 3.11+" but `pyproject.toml` specifies `requires-python = ">=3.10"`. This inconsistency could confuse users or prevent valid installations on Python 3.10.
Suggested fix:
```diff
-- Python 3.11+
+- Python 3.10+
```
Alternatively, if Python 3.11 is truly the minimum, update `pyproject.toml` to match.
🧹 Nitpick comments (1)
setup.py (1)
8-19: Consider reducing duplication between setup.py and pyproject.toml. While the comment correctly notes that pyproject.toml is the source of truth, hardcoding the dependencies in setup.py creates a maintenance burden—any dependency update must be applied in both files, risking inconsistency.
Since modern setuptools (>=61.0, as specified in pyproject.toml) can read dependencies directly from pyproject.toml, consider either:
- Removing setup.py entirely (if only needed for backward compatibility with very old pip versions)
- Making setup.py dynamically read from pyproject.toml if truly needed
The current approach will require updating dependencies in two places every time.
Option: Read from pyproject.toml dynamically
If backward compatibility is truly needed, you could read from pyproject.toml:
+import tomli + +with open("pyproject.toml", "rb") as f: + pyproject = tomli.load(f) + requirements = pyproject["project"]["dependencies"] + -# Dependencies are now defined in pyproject.toml -# This is kept for backward compatibility but pyproject.toml is the source of truth -requirements = [ - "anthropic>=0.18.0", - "openai>=1.0.0", - "requests>=2.32.4", - "PyYAML==6.0.3", - "python-dotenv>=1.0.0", - "cryptography>=42.0.0", - "rich>=13.0.0", - "typing-extensions>=4.0.0", -]Note: This requires adding
`tomli` for Python <3.11 or using `tomllib` for Python 3.11+.
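Review bot: the suggested diff's first line, `+import tomli`, is an unconditional import, so `setup.py` would raise `ModuleNotFoundError` in any build environment that lacks `tomli`, including the isolated environment that `pip install -e .` builds from `[build-system] requires`. If the dynamic read is kept, guard it (`try: import tomllib` / `except ModuleNotFoundError: import tomli as tomllib`), add `tomli; python_version < "3.11"` to `[build-system] requires`, and open the file relative to `__file__` rather than the current working directory; otherwise, since setuptools >=61.0 already reads `[project] dependencies` on its own, the simpler change is to drop the hardcoded `requirements` list from `setup.py` altogether.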
📒 Files selected for processing (9)
- AGENTS.md
- CONTRIBUTING.md
- Makefile
- docs/guides/Developer-Guide.md
- docs/guides/Getting-Started.md
- pyproject.toml
- requirements-dev.txt
- requirements.txt
- setup.py
💤 Files with no reviewable changes (2)
- requirements.txt
- requirements-dev.txt
🧰 Additional context used
📓 Path-based instructions (2)
**/*.py
📄 CodeRabbit inference engine (AGENTS.md)
**/*.py: Follow PEP 8 style guide
Type hints required in Python code
Docstrings required for all public APIs
Files:
setup.py
{setup.py,setup.cfg,pyproject.toml,**/__init__.py}
📄 CodeRabbit inference engine (AGENTS.md)
Use Python 3.10 or higher as the minimum supported version
Files:
setup.py
pyproject.toml
🔇 Additional comments (7)
pyproject.toml (1)
56-67: LGTM: Dev dependencies updated appropriately. The development dependencies have been updated with appropriate minimum versions. Using `>=` for dev tools allows flexibility while ensuring minimum feature sets are available.
docs/guides/Getting-Started.md (1)
15-16: LGTM: Installation command updated correctly. The change from `pip install -r requirements.txt` to `pip install -e .` aligns with the PR's goal of consolidating dependencies into pyproject.toml and is the correct modern approach.
Makefile (1)
21-21: LGTM: Dev installation updated to use pyproject.toml extras. The change to `pip install -e ".[dev]"` correctly uses the development extras defined in pyproject.toml, aligning with the PR's goal of consolidating dependency management.
AGENTS.md (1)
40-40: LGTM: Setup instructions updated consistently. The change to `pip install -e ".[dev]"` is consistent with the updates in other documentation files and aligns with the consolidated dependency management approach.
CONTRIBUTING.md (2)
125-126: Installation command correctly updated for extras-based setup. Consistent with the Developer-Guide.md update and aligns with the PR consolidation objectives.
132-137: No issues found. All extras mentioned in the documentation are correctly defined in `pyproject.toml`:
- Core dependencies (`pip install -e .`) installs base dependencies (no "core" extra needed)
- `[dev]` extra exists and includes pytest, linting, and testing tools
- `[all]` extra exists and is correctly defined as `"cortex-linux[dev,security,docs]"`, combining all optional dependencies
The documentation is accurate and requires no changes.
docs/guides/Developer-Guide.md (1)
14-14: Installation command correctly reflects extras-based dependency management. The `[dev]` extra is properly defined in `pyproject.toml` with all development dependencies (pytest, black, ruff, mypy, pre-commit, isort, etc.). The update aligns with the PR objective to consolidate dependencies from separate requirements files into `pyproject.toml`.
| "requests>=2.32.4", | ||
| "PyYAML==6.0.3", | ||
| "python-dotenv>=1.0.0", | ||
| "cryptography>=42.0.0", | ||
| "rich>=13.0.0", | ||
| "typing-extensions>=4.0.0", |
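Review bot: `PyYAML==6.0.3` is the only exact pin in this dependency list; inside `[project] dependencies` of an installable package (`cortex-linux`, per the extras discussed above) an `==` pin makes pip's resolver refuse any environment that needs a different PyYAML release and keeps future patch releases from ever being installed. The other entries use `>=` floors, so `PyYAML>=6.0.3` (with an optional `<7` upper bound) is the consistent choice; `cryptography>=42.0.0` likewise needs its floor raised, as the comment that follows this hunk explains.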
🧩 Analysis chain
🏁 Script executed:
```bash
# First, let's read the pyproject.toml file to see the dependencies
cat -n pyproject.toml | sed -n '40,60p'
```
Repository: cortexlinux/cortex
Length of output: 664
🌐 Web query:
requests 2.32.4 latest version 2026 security vulnerabilities
💡 Result:
Short answer: Requests 2.32.4 (released 10 Jun 2025) fixes a security bug (CVE‑2024‑47081) that could cause .netrc credentials to be leaked to a different host for specially crafted URLs. Versions prior to 2.32.4 are affected; upgrade to 2.32.4 or later, or set Session(trust_env=False) as a temporary mitigation. [1][2][3]
Sources:
- psf/requests release notes (2.32.4). [1]
- IBM security bulletin describing CVE‑2024‑47081 and mitigation. [2]
- Vulnerability advisory (summary/CVSS and affected versions). [3]
🌐 Web query:
PyYAML 6.0.3 latest version security vulnerabilities 2026
💡 Result:
Short answer: As of January 1, 2026, PyYAML 6.0.3 (released September 25, 2025) has no public CVEs affecting that release; known PyYAML CVEs (e.g., CVE-2017-18342, CVE-2019-20477, CVE-2020-14343/CVE-2020-1747) apply only to older versions. [1][2][3]
Details / sources:
- PyPI release info for 6.0.3 (uploaded Sep 25, 2025). [1]
- Security scanners / advisories report no known vulnerabilities in v6.0.3. [2][3]
- Historical CVEs (affect older versions and relate to unsafe use of yaml.load / full_load / FullLoader). [4]
Sources:
[1] PyPI: PyYAML release files and upload date.
[2] Snyk security page for PyYAML (no known issues for 6.0.3).
[3] SafetyDB / Safety CLI entry for PyYAML (notes 6.0.3 as latest non‑vulnerable).
[4] CVE advisory references for CVE-2019-20477 / CVE-2020-14343 (historical vulnerabilities).
🌐 Web query:
cryptography 42.0.0 latest version security vulnerabilities 2026
💡 Result:
Short answer: cryptography 42.0.0 (released 2024-01-22) is affected by a known OpenSSL-related vulnerability (CVE published Feb 11, 2025) in the OpenSSL shipped inside wheels; the project released patched wheels (44.0.1 updates wheels to OpenSSL 3.4.1 on 2025-02-11). Upgrade to a cryptography release that includes the OpenSSL fix (44.0.1 or later) or rebuild from source with an updated OpenSSL. [1][2][3]
Sources
- cryptography 42.0.0 changelog (release date). [1]
- CVE advisory noting vulnerable cryptography wheels (affects >=42.0.0 <44.0.1), publish date Feb 11, 2025. [2]
- cryptography 44.0.1 changelog (wheels rebuilt with updated OpenSSL 3.4.1 on 2025-02-11). [3]
🌐 Web query:
typing-extensions 4.0.0 latest version security vulnerabilities 2026
💡 Result:
Summary (as of Jan 1, 2026)
- Latest official typing_extensions release: 4.15.0 (uploaded Aug 25, 2025). [1][2]
- No published CVEs or security advisories for the official typing_extensions package (including version 4.0.0) were found in public vulnerability databases or the project's security page. Snyk and the repo security page report no known direct vulnerabilities for the package. [3][4]
- Note: there are separate reports of malicious/typosquat packages named like "typing-extensions" on some registries ( flagged by Snyk for malicious packages/impersonation), but those refer to malicious/impersonating packages, not the official python/typing_extensions project on PyPI/GitHub. Avoid non-official packages and install from the official PyPI project or the GitHub python/typing_extensions repo. [3][1]
Sources
- PyPI typing-extensions release (4.15.0 upload details). [1]
- GitHub releases for python/typing_extensions (4.15.0). [2]
- Snyk package/security scans (no direct vulnerabilities; separate malicious-impersonator report). [3]
- typing_extensions project security page / docs. [4]
Update cryptography dependency to >=44.0.1 to address OpenSSL vulnerability.
The cryptography >=42.0.0 constraint allows installation of versions vulnerable to a CVE affecting OpenSSL bundled in cryptography wheels (versions >=42.0.0 and <44.0.1, published Feb 11, 2025). Update the requirement to >=44.0.1 or later.
Other dependencies are current and secure:
- requests>=2.32.4 is appropriate (fixes CVE-2024-47081 in .netrc handling)
- PyYAML==6.0.3 is the latest release with no known vulnerabilities, though exact pinning prevents automatic security updates; consider using >=6.0.3 to allow patch upgrades
- typing-extensions>=4.0.0 is acceptable (latest is 4.15.0 with no CVEs)
🤖 Prompt for AI Agents
In pyproject.toml around lines 47 to 52 the cryptography dependency uses
"cryptography>=42.0.0", which permits versions affected by a recent
OpenSSL-related CVE; update the requirement to "cryptography>=44.0.1" (or later)
to exclude vulnerable releases, and optionally consider changing PyYAML from a
strict "==6.0.3" pin to a minimum ">=6.0.3" if you want automatic patch
upgrades.
✅ Addressed in commit eb6970f
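The version audit the review above performed by hand, as an added example that is not code from the cortex project or from CodeRabbit: it parses each requirement string of the PR's dependency list, flags exact pins and lower bounds that sit below the floors the review cited, and reports clean for the fixed constraints (`cryptography>=44.0.1`, `PyYAML>=6.0.3`). The `SAFE_MINIMUMS` table, the `audit` function and the single-specifier regex are assumptions of this example (environment markers and extras are deliberately rejected rather than parsed).

```python
"""Audit [project] dependency specifiers against known-safe minimum versions."""
import re

# Constructed input: the requirement strings shown in this PR's pyproject.toml.
PR_DEPENDENCIES = [
    "anthropic>=0.18.0",
    "openai>=1.0.0",
    "requests>=2.32.4",
    "PyYAML==6.0.3",
    "python-dotenv>=1.0.0",
    "cryptography>=42.0.0",
    "rich>=13.0.0",
    "typing-extensions>=4.0.0",
]
# Assumed policy table (not part of the project): the floors the review cited.
SAFE_MINIMUMS = {
    "requests": "2.32.4",      # CVE-2024-47081, .netrc credential leak
    "cryptography": "44.0.1",  # wheels rebuilt against patched OpenSSL
}
# name, then optionally one operator with a plain numeric version; anything
# else (markers, extras, version lists) is reported as unsupported.
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(==|>=|~=|>|<=|<|!=)\s*([0-9]+(?:\.[0-9]+)*))?\s*$"
)
_LOWER_BOUND_OPS = {"==", ">=", "~=", ">"}  # operators that set a floor


def parse_version(text: str) -> tuple[int, ...]:
    """'44.0.1' -> (44, 0, 1): int tuples compare the way versions should."""
    return tuple(int(part) for part in text.split("."))


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' hit the same key."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(deps: list[str], minimums: dict[str, str]) -> list[str]:
    """Return one finding per weak specifier; an empty list means all clear."""
    findings: list[str] = []
    for dep in deps:
        match = _SPEC_RE.match(dep)
        if match is None:
            findings.append(f"{dep}: unsupported specifier syntax")
            continue
        name, op, version = match.groups()
        if op == "==":
            findings.append(f"{dep}: exact pin blocks patch releases; prefer >=")
        if op not in _LOWER_BOUND_OPS:
            findings.append(f"{dep}: no lower bound at all")
            continue
        floor = minimums.get(normalize(name))
        if floor is not None and parse_version(version) < parse_version(floor):
            findings.append(f"{dep}: lower bound {version} is below safe minimum {floor}")
    return findings
```

Running `audit(PR_DEPENDENCIES, SAFE_MINIMUMS)` reproduces the two findings of the review (the PyYAML pin and the cryptography floor), and the constraints from the follow-up commit produce none.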
Need to update the CI / CD. Currently task failing because of outdated file reference
Actionable comments posted: 0
🧹 Nitpick comments (1)
setup.py (1)
8-19: Consider using dynamic dependencies to avoid duplication. Maintaining the same dependency list in both `setup.py` and `pyproject.toml` creates a risk of drift over time. Modern setuptools (>=61.0.0) supports reading dependencies dynamically from `pyproject.toml`:
```python
# In setup.py, use:
from setuptools import setup

setup(
    # ... other parameters ...
)
# Dependencies are automatically read from pyproject.toml when not specified
```
Or declare dependencies as dynamic in `pyproject.toml`:
```toml
[project]
dynamic = ["dependencies"]
```
This would maintain true backward compatibility while ensuring a single source of truth. However, if there are specific reasons to maintain the static list (e.g., supporting very old pip versions), the current approach is acceptable.
📒 Files selected for processing (9)
- AGENTS.md
- CONTRIBUTING.md
- Makefile
- docs/guides/Developer-Guide.md
- docs/guides/Getting-Started.md
- pyproject.toml
- requirements-dev.txt
- requirements.txt
- setup.py
💤 Files with no reviewable changes (2)
- requirements-dev.txt
- requirements.txt
🚧 Files skipped from review as they are similar to previous changes (6)
- Makefile
- CONTRIBUTING.md
- pyproject.toml
- AGENTS.md
- docs/guides/Getting-Started.md
- docs/guides/Developer-Guide.md
🧰 Additional context used
📓 Path-based instructions (2)
**/*.py
📄 CodeRabbit inference engine (AGENTS.md)
**/*.py: Follow PEP 8 style guide
Type hints required in Python code
Docstrings required for all public APIs
Files:
setup.py
{setup.py,setup.cfg,pyproject.toml,**/__init__.py}
📄 CodeRabbit inference engine (AGENTS.md)
Use Python 3.10 or higher as the minimum supported version
Files:
setup.py
🔇 Additional comments (1)
setup.py (1)
10-19: No changes required. The setup.py requirements list is consistent with pyproject.toml. Both files specify identical versions for all dependencies, including `cryptography>=44.0.1` and `PyYAML>=6.0.3`, confirming the "single source of truth" objective is met. Likely an incorrect or invalid review comment.
CLA Verification Passed: All contributors have signed the CLA.
Anshgrover23
left a comment
@Suyashd999 CI checks failing.
Completed via #583.
Fixes: #420
Problem
When running `pip install -e .`, not all dependencies from `requirements.txt` were being installed, causing `ModuleNotFoundError` for packages like `requests`, `cryptography`, and `typing-extensions`.
Root cause: Modern pip/setuptools prioritizes `pyproject.toml` over `setup.py`. The `pyproject.toml` only listed 5 core dependencies, while `requirements.txt` contained 8 packages. This duplication created maintenance overhead and inconsistencies.
Solution
Consolidate all dependencies into `pyproject.toml` as the single source of truth, following modern Python packaging standards (PEP 518/621).
Changes
✅ Updated `pyproject.toml`
- `requests>=2.32.4`, `cryptography>=42.0.0`, `typing-extensions>=4.0.0`
- `PyYAML` to specific version `==6.0.3` (matching requirements.txt)
- `[project.optional-dependencies.dev]` with missing packages:
  - `pytest-asyncio>=0.23.0`
  - `pytest-mock>=3.12.0`
- `black>=24.0.0`, `ruff>=0.8.0`, `isort>=5.13.0`, `pytest-timeout>=2.3.1`
✅ Updated `Makefile`
- `make dev` to use `pip install -e ".[dev]"` instead of separate requirements files
✅ Updated `setup.py`
- `requirements.txt`, `pyproject.toml` (for backward compatibility)
✅ Removed duplicate files
- `requirements.txt`
- `requirements-dev.txt`
✅ Updated documentation
- `CONTRIBUTING.md` - Updated installation instructions
- `AGENTS.md` - Updated setup commands
- `docs/guides/Developer-Guide.md` - Updated dev setup
- `docs/guides/Getting-Started.md` - Updated quick start
Installation
Before:
```bash
pip install -e .
pip install -r requirements.txt
pip install -r requirements-dev.txt
```
After:
```bash
# Core dependencies only
pip install -e .
# With dev tools
pip install -e ".[dev]"
# Or use Makefile
make dev
```
Testing
- `pip install -e ".[dev]"` installs all dependencies
- `cortex demo` command works without `ModuleNotFoundError`
Benefits
- `pyproject.toml`
Related
Fixes the issue where `pip install -e .` was missing critical dependencies like `requests`, causing runtime errors.
Summary by CodeRabbit
Documentation
Chores