Skip to content

Update dependencies #3874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arkid15r merged 3 commits into from
Feb 9, 2026
Merged

Update dependencies #3874

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cdb49f3
Update dependencies
arkid15r Feb 9, 2026
92c9215
Bump django-ninja version
arkid15r Feb 9, 2026
a2b82b6
Merge branch 'main' into ark/update-dependencies-2026-02-09
arkid15r Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,6 @@ repos:
exclude: pnpm-lock.yaml

- repo: https://github.com/tox-dev/pyproject-fmt
rev: v2.12.1
rev: v2.14.2
hooks:
- id: pyproject-fmt
260 changes: 137 additions & 123 deletions backend/poetry.lock
View file
Open in desktop

Large diffs are not rendered by default.

125 changes: 58 additions & 67 deletions backend/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,67 +8,59 @@ version = "0.0.0"
description = "Your gateway to OWASP"
authors = [ "Arkadii Yakovets <arkadii.yakovets@owasp.org>" ]
readme = "README.md"

packages = [ { include = "apps" } ]

[tool.poetry.dependencies]
algoliasearch = "^4.13.2"
algoliasearch-django = "^4.0.0"
django = "^6.0"
django-configurations = "^2.5.1"
django-cors-headers = "^4.7.0"
django-ninja = "^1.4.3"
django-redis = "^6.0.0"
django-rq = "^3.1"
django-storages = { extras = [ "s3" ], version = "^1.14.4" }
emoji = "^2.14.1"
geopy = "^2.4.1"
gunicorn = "^25.0.0"
humanize = "^4.11.0"
jinja2 = "^3.1.6"
langchain = "^0.3.26"
langchain-community = "^0.3.26"
langgraph = "^1.0.1"
lxml = "^6.0.0"
markdown = "^3.7"
openai = "^2.0.1"
owasp-schema = "^0.1.46"
pgvector = "^0.4.1"
psycopg2-binary = "^2.9.9"
pydantic = "^2.11.1"
pydantic-core = "^2.33.0"
pygithub = "^2.5.0"
python = "^3.13"
python-dateutil = "^2.9.0.post0"
pyyaml = "^6.0.2"
reportlab = "^4.4.2"
requests = "^2.32.5"
sentry-sdk = { extras = [ "django" ], version = "^2.20.0" }
slack-bolt = "^1.22.0"
slack-sdk = "^3.37.0"
strawberry-graphql = { extras = [ "django" ], version = "^0.291.0" }
strawberry-graphql-django = "^0.75.0"
thefuzz = "^0.22.1"
pyparsing = "^3.2.3"

[tool.poetry.group.test.dependencies]
pytest = "^9.0.1"
pytest-cov = "^7.0"
pytest-django = "^4.5"
pytest-mock = "^3.0"
pytest-xdist = "^3.0"
python-dotenv = "^1.0.1"

[tool.poetry.group.video.dependencies]
elevenlabs = "^2.27.0"
ffmpeg-python = "^0.2.0"
pillow = "^12.1.0"
pypdfium2 = "^5.2.0"
weasyprint = "^68.0"
dependencies.algoliasearch = "^4.13.2"
dependencies.algoliasearch-django = "^4.0.0"
dependencies.django = "^6.0"
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Django 6.0 release date 2025 2026

💡 Result:

Django 6.0 was officially released on December 3, 2025. [1][2]

(For context: 6.0.1 shipped January 6, 2026 [3] and 6.0.2 shipped February 3, 2026 [4][5].)

Sources: [1] [2] [3] [4] [5]

🏁 Script executed:

# Read the full pyproject.toml to see actual dependencies
cat -n backend/pyproject.toml

Repository: OWASP/Nest

Length of output: 8446

🌐 Web query:

django-ninja 1.4.3 Django 6.0 compatibility

💡 Result:

django-ninja==1.4.3 is not marked as compatible with Django 6.0. On PyPI, its classifiers list Django support only up to Django 5.1 (no Django :: 6.0 classifier) and it was released Jun 4, 2025. [1]

If you need Django 6.0, use a newer django-ninja release: the current PyPI project metadata includes a Django :: 6.0 classifier (e.g., the 1.5.x line). [2]

Also note Django 6.0 requires Python 3.12+. [3]

Sources
[1] PyPI – django-ninja 1.4.3: (pypi.org)
[2] PyPI – django-ninja (latest): (pypi.org)
[3] Django 6.0 release notes (Python compatibility): (docs.djangoproject.com)

Citations:

🌐 Web query:

strawberry-graphql-django 0.75.0 Django 6.0 support

💡 Result:

strawberry-graphql-django 0.75.0 (released Jan 27, 2026) explicitly declares Django 6.0 support via its PyPI framework classifiers (Framework :: Django :: 6.0). It also requires Python >= 3.10. [1]

Sources:
[1] PyPI project page for strawberry-graphql-django 0.75.0 (classifiers + release date) (pypi.org)

Citations:

🌐 Web query:

django-configurations 2.5.1 Django 6.0 compatibility

💡 Result:

django-configurations 2.5.1 does not claim Django 6.0 compatibility. Its PyPI classifiers list support for Django 3.2, 4.1, 4.2, and 5.0 (and Python >=3.8,<4.0)—no Django 6.0 classifier is present. [1]

Since Django 6.0 requires Python 3.12+ and includes breaking/deprecation-driven changes, you should assume django-configurations 2.5.1 is “unverified/unsupported on Django 6.0” unless you run its test suite (or your project’s tests) against Django 6.0 and it passes. [2]

Sources: [1] [2]

Upgrade django-ninja and django-configurations for Django 6.0 compatibility.

django-ninja==1.4.3 does not support Django 6.0 (only Django ≤5.1). Upgrade to version 1.5.x or later.

django-configurations==2.5.1 lacks Django 6.0 support declarations on PyPI (classifiers only cover up to Django 5.0). Verify compatibility by running the test suite against Django 6.0, or upgrade to a version that explicitly supports Django 6.0.

All other listed dependencies (django-redis, django-rq, django-storages, strawberry-graphql-django, sentry-sdk) are compatible with Django 6.0.

🤖 Prompt for AI Agents 
In `@backend/pyproject.toml` at line 14, The pyproject.toml lists
django-ninja==1.4.3 and django-configurations==2.5.1 which are not declared
compatible with Django 6.0; update the dependency entries (the django-ninja and
django-configurations lines in pyproject.toml) to versions that support Django
6.0 (e.g., bump django-ninja to 1.5.x or later and choose a
django-configurations release that declares Django 6 compatibility), then run
the test suite against Django 6.0 to verify compatibility and adjust versions if
tests fail.

dependencies.django-configurations = "^2.5.1"
dependencies.django-cors-headers = "^4.7.0"
dependencies.django-ninja = "^1.5.3"
dependencies.django-redis = "^6.0.0"
dependencies.django-rq = "^3.1"
dependencies.django-storages = { extras = [ "s3" ], version = "^1.14.4" }
dependencies.emoji = "^2.14.1"
dependencies.geopy = "^2.4.1"
dependencies.gunicorn = "^25.0.0"
dependencies.humanize = "^4.11.0"
dependencies.jinja2 = "^3.1.6"
dependencies.langchain = "^0.3.26"
dependencies.langchain-community = "^0.3.26"
dependencies.langgraph = "^1.0.1"
dependencies.lxml = "^6.0.0"
dependencies.markdown = "^3.7"
dependencies.openai = "^2.0.1"
dependencies.owasp-schema = "^0.1.46"
dependencies.pgvector = "^0.4.1"
dependencies.psycopg2-binary = "^2.9.9"
dependencies.pydantic = "^2.11.1"
dependencies.pydantic-core = "^2.33.0"
dependencies.pygithub = "^2.5.0"
dependencies.python = "^3.13"
dependencies.python-dateutil = "^2.9.0.post0"
dependencies.pyyaml = "^6.0.2"
dependencies.reportlab = "^4.4.2"
dependencies.requests = "^2.32.5"
dependencies.sentry-sdk = { extras = [ "django" ], version = "^2.20.0" }
dependencies.slack-bolt = "^1.22.0"
dependencies.slack-sdk = "^3.37.0"
dependencies.strawberry-graphql = { extras = [ "django" ], version = "^0.291.0" }
dependencies.strawberry-graphql-django = "^0.75.0"
dependencies.thefuzz = "^0.22.1"
dependencies.pyparsing = "^3.2.3"
group.test.dependencies.pytest = "^9.0.1"
group.test.dependencies.pytest-cov = "^7.0"
group.test.dependencies.pytest-django = "^4.5"
group.test.dependencies.pytest-mock = "^3.0"
group.test.dependencies.pytest-xdist = "^3.0"
group.test.dependencies.python-dotenv = "^1.0.1"
group.video.dependencies.elevenlabs = "^2.27.0"
group.video.dependencies.ffmpeg-python = "^0.2.0"
group.video.dependencies.pillow = "^12.1.0"
group.video.dependencies.pypdfium2 = "^5.2.0"
group.video.dependencies.weasyprint = "^68.0"

[tool.ruff]
target-version = "py313"

line-length = 99
lint.select = [ "ALL" ]
lint.extend-select = [ "I" ]
Expand Down Expand Up @@ -125,16 +117,15 @@ lint.per-file-ignores."**/tests/**/*.py" = [
"S101", # https://docs.astral.sh/ruff/rules/assert/
"SLF001", # https://docs.astral.sh/ruff/rules/private-member-access/
]

lint.per-file-ignores."apps/api/rest/**/*.py" = [
"ARG001", # https://docs.astral.sh/ruff/rules/unused-function-argument/
"B008", # https://docs.astral.sh/ruff/rules/function-call-in-default-argument/
]

[tool.pytest.ini_options]
DJANGO_CONFIGURATION = "Test"
DJANGO_SETTINGS_MODULE = "settings.test"
addopts = [
[tool.pytest]
ini_options.DJANGO_CONFIGURATION = "Test"
ini_options.DJANGO_SETTINGS_MODULE = "settings.test"
ini_options.addopts = [
"--cov-config=pyproject.toml",
"--cov-fail-under=80",
"--cov-precision=2",
Expand All @@ -147,16 +138,16 @@ addopts = [
"--no-cov-on-fail",
"--numprocesses=auto",
]
filterwarnings = [
ini_options.filterwarnings = [
"ignore::DeprecationWarning:pytest_cov",
"ignore::DeprecationWarning:xdist",
"ignore::pydantic.warnings.PydanticDeprecatedSince20",
]
log_level = "INFO"
ini_options.log_level = "INFO"

[tool.coverage.run]
branch = true
omit = [
[tool.coverage]
run.branch = true
run.omit = [
"__init__.py",
"**/admin.py",
"**/apps.py",
Expand Down
2 changes: 1 addition & 1 deletion cspell/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"devDependencies": {
"@cspell/dict-aws": "^4.0.17",
"@cspell/dict-data-science": "^2.0.13",
"@cspell/dict-en_us": "^4.4.28",
"@cspell/dict-en_us": "^4.4.29",
"@cspell/dict-fullstack": "^3.2.8",
"@cspell/dict-golang": "^6.0.26",
"@cspell/dict-k8s": "^1.0.12",
Expand Down
20 changes: 10 additions & 10 deletions cspell/pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion docker/backend/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ USER owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test --without video
poetry install --no-root --verbose --without test --without video

COPY apps apps
COPY entrypoint.sh manage.py wsgi.py ./
Expand Down
2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.local
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ WORKDIR /home/owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test --without video
poetry install --no-root --verbose --without test --without video

FROM python:3.13.11-alpine3.23

Expand Down
2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.test
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ USER owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root
poetry install --no-root --verbose

COPY .env.example .env.example
COPY apps apps
Expand Down
2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.video
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ RUN --mount=type=cache,target=${PIP_CACHE_DIR} \

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test && \
poetry install --no-root --verbose --without test && \
python -m pip uninstall -y poetry

RUN --mount=type=cache,target=${APK_CACHE_DIR} \
Expand Down
2 changes: 1 addition & 1 deletion docker/docs/Dockerfile.local
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ USER owasp

COPY --chmod=444 --chown=root:root docs/poetry.lock docs/pyproject.toml mkdocs.yaml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root && \
poetry install --no-root --verbose && \
rm -rf docs/poetry.lock docs/pyproject.toml

FROM python:3.13.11-alpine3.23
Expand Down
2 changes: 1 addition & 1 deletion docker/frontend/Dockerfile.e2e.test
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM mcr.microsoft.com/playwright:v1.58.1-jammy
FROM mcr.microsoft.com/playwright:v1.58.2-jammy

ENV FORCE_COLOR=1 \
NPM_CACHE="/app/.npm" \
Expand Down
6 changes: 3 additions & 3 deletions docs/poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 6 additions & 8 deletions docs/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,9 @@ version = "0.1.0"
description = "OWASP Nest Documentation"
authors = [ "Arkadii Yakovets <arkadii.yakovets@owasp.org>" ]
license = "MIT"

[tool.poetry.dependencies]
mkdocs = "^1.6.1"
mkdocs-material = "^9.6.19"
mkdocs-minify-plugin = "^0.8.0"
mkdocstrings = "^1.0.0"
pymdown-extensions = "^10.20.0"
python = "^3.13"
dependencies.mkdocs = "^1.6.1"
dependencies.mkdocs-material = "^9.6.19"
dependencies.mkdocs-minify-plugin = "^0.8.0"
dependencies.mkdocstrings = "^1.0.0"
dependencies.pymdown-extensions = "^10.20.0"
dependencies.python = "^3.13"
Comment on lines +11 to +16
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find . -name "pyproject.toml" -path "*/docs/*" | head -20

Repository: OWASP/Nest

Length of output: 75

🌐 Web query:

Poetry 2.x pyproject.toml dependencies format dotted keys

💡 Result:

In Poetry 2.x you have two good options when a dependency name contains a dot (e.g. zope.interface), because in TOML an unquoted a.b key is a dotted key (it creates nested tables) rather than a literal key name. Use a quoted key if you’re in a TOML table, or switch to PEP 621 string dependencies.

Option A (recommended in Poetry 2.x): PEP 621 strings (no TOML key issues)

[project]
dependencies = [
  "zope.interface>=6,<7",
]

Poetry 2.x supports specifying main dependencies in project.dependencies as PEP 508 strings. [1]

Option B (legacy / still supported): quote the key under tool.poetry.dependencies

[tool.poetry.dependencies]
"zope.interface" = "^6.0"

TOML allows quoted keys (so the dot is part of the key name), whereas bare keys can’t contain dots. [2] Real-world Poetry projects use this quoting pattern for dotted package names. [3]

Sources:
[1] Poetry docs – Dependency specification (project.dependencies vs tool.poetry.dependencies) (python-poetry.org)
[2] TOML spec – keys, quoted keys, and dotted keys (toml.io)
[3] Example pyproject.toml showing "zope.interface" in [tool.poetry.dependencies] (sources.debian.org)

Citations:

🏁 Script executed:

cat -n ./docs/pyproject.toml | head -30

Repository: OWASP/Nest

Length of output: 666

🌐 Web query:

Poetry 2.0 tool.poetry dependencies dotted key format support

💡 Result:

Poetry 2.x doesn’t implement any special “dotted-key dependency syntax” of its own; it just reads whatever your TOML parser produces.

  • If by “dotted key format” you mean TOML dotted keys like tool.poetry.dependencies.requests = "^2.31": that’s standard TOML dotted-key notation (it creates nested tables) and can represent the same data structure Poetry expects. (toml.io)
  • However, standard TOML forbids mixing a [tool.poetry.dependencies] table header with dotted keys that (re)define that same table path, which makes such files error-prone across TOML parsers/tools. (toml.io)
  • In Poetry 2.x, the recommended modern/standard place for dependencies is [project].dependencies (PEP 508 strings); [tool.poetry.dependencies] remains Poetry’s extended table format. (deepwiki.com)

So: there’s no Poetry-2.0-specific “support switch”—it’s mainly a TOML validity/compatibility question. For best compatibility, stick to [tool.poetry.dependencies] entries (table form) or move to [project].dependencies rather than relying on dotted-key assignments. (deepwiki.com)

Citations:

🏁 Script executed:

wc -l ./docs/pyproject.toml && cat ./docs/pyproject.toml

Repository: OWASP/Nest

Length of output: 579

Use [tool.poetry.dependencies] section header instead of dotted-key format.

The dotted-key syntax (dependencies.mkdocs = "^1.6.1") under [tool.poetry] is valid TOML but not the recommended Poetry 2.x format. Per Poetry documentation, use the standard section header format:

[tool.poetry.dependencies]
mkdocs = "^1.6.1"
mkdocs-material = "^9.6.19"
mkdocs-minify-plugin = "^0.8.0"
mkdocstrings = "^1.0.0"
pymdown-extensions = "^10.20.0"
python = "^3.13"

Dotted-key assignments for this purpose are error-prone across TOML parsers and deviate from Poetry's standard conventions.

🤖 Prompt for AI Agents 
In `@docs/pyproject.toml` around lines 11 - 16, The TOML uses dotted-key
assignments like dependencies.mkdocs and dependencies.python under
[tool.poetry]; replace those dotted-key lines by adding a
[tool.poetry.dependencies] section header and move the keys (mkdocs,
mkdocs-material, mkdocs-minify-plugin, mkdocstrings, pymdown-extensions, python)
as regular keys under that section (e.g., mkdocs = "...") to conform to Poetry
2.x standard and avoid dotted-key usage.

8 changes: 4 additions & 4 deletions frontend/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@
"dayjs": "^1.11.19",
"dompurify": "^3.3.1",
"eslint-plugin-import": "^2.32.0",
"framer-motion": "^12.33.0",
"framer-motion": "^12.34.0",
"graphql": "^16.12.0",
"ics": "^3.8.1",
"isomorphic-dompurify": "^2.36.0",
Expand All @@ -56,7 +56,7 @@
"next": "^16.1.6",
"next-auth": "^4.24.13",
"next-themes": "^0.4.6",
"posthog-js": "^1.342.1",
"posthog-js": "^1.343.2",
"react": "^19.2.4",
"react-apexcharts": "^1.9.0",
"react-dom": "^19.2.4",
Expand Down Expand Up @@ -87,7 +87,7 @@
"@types/leaflet": "^1.9.21",
"@types/leaflet.markercluster": "^1.5.6",
"@types/markdown-it": "^14.1.2",
"@types/node": "^25.2.1",
"@types/node": "^25.2.2",
"@types/react": "^19.2.13",
"@types/react-dom": "^19.2.3",
"@typescript-eslint/eslint-plugin": "^8.54.0",
Expand All @@ -96,7 +96,7 @@
"eslint-config-next": "^16.1.6",
"eslint-config-prettier": "^10.1.8",
"eslint-import-resolver-alias": "^1.1.2",
"eslint-plugin-jest": "^29.12.2",
"eslint-plugin-jest": "^29.13.0",
"eslint-plugin-jsx-a11y": "^6.10.2",
"eslint-plugin-prettier": "^5.5.5",
"eslint-plugin-react": "^7.37.5",
Expand Down
Loading