Use pyproject for Python runtime deps lock input

README.md

@@ -255,7 +255,7 @@ There is also an auto-formatting script that can be run: `./scripts/format.sh`
 To run Python code locally without building/installing the package, you must first install the dependencies:
 
 ```shell
-pip install -r py/requirements.txt
+pip install -r py/requirements_lock.txt
 ```
 
 Then, build the generated files and copy them into your local source tree:

py/BUILD.bazel

@@ -63,8 +63,11 @@ py_binary(
 compile_pip_requirements(
     # base name for generated targets, typically "requirements"
     name = "requirements",
+    srcs = [
+        "pyproject.toml",
+        "requirements.txt",
+    ],
     extra_args = ["--no-strip-extras"],
-    requirements_in = ":requirements.txt",
     requirements_txt = ":requirements_lock.txt",
     tags = [
         "skip-rbe",  # This test won't run on the RBE because of a lack of network connectivity

py/docs/.readthedocs.yaml

@@ -12,7 +12,7 @@ build:
   tools:
     python: "3.12"
   commands:
-    - pip install -r py/requirements.txt
+    - pip install -r py/requirements_lock.txt
     - cd py && python3 generate_api_module_listing.py && cd
     - PYTHONPATH=py sphinx-autogen -o $READTHEDOCS_OUTPUT/html py/docs/source/api.rst
     - PYTHONPATH=py sphinx-build -b html -d build/docs/doctrees py/docs/source $READTHEDOCS_OUTPUT/html

py/requirements.txt

@@ -1,8 +1,10 @@
+# Only Development dependencies (tooling, testing, docs, etc)
+# Runtime dependencies are in pyproject.toml
+# included in the Bazel lock through //py:requirements
 async-generator==1.10
 attrs==26.1.0
 backports.tarfile==1.2.0
 cachetools==7.1.1
-certifi==2026.4.22
 cffi==2.0.0
 chardet==7.4.3
 charset-normalizer==3.4.7
@@ -15,7 +17,7 @@ filelock==3.29.0
 filetype==1.2.0
 h11==0.16.0
 id==1.6.1
-idna==3.14
+idna==3.15
 importlib_metadata==9.0.0
 inflection==0.5.1
 iniconfig==2.3.0
@@ -28,7 +30,7 @@ keyring==25.7.0
 markdown-it-py==4.2.0
 mdurl==0.1.2
 more-itertools==11.0.2
-mypy==2.0.0
+mypy==2.1.0
 mypy_extensions==1.1.0
 nh3==0.3.5
 outcome==1.3.0.post0
@@ -43,9 +45,10 @@ pytest==9.0.3
 pytest-instafail==0.5.0
 pytest-mock==3.15.1
 pytest-trio==0.8.0
+python-discovery==1.3.1
 pywin32-ctypes==0.2.3
 readme_renderer==44.0
-requests==2.33.1
+requests==2.34.1
 requests-toolbelt==1.0.0
 rfc3986==2.0.0
 rich==15.0.0
@@ -55,16 +58,11 @@ sortedcontainers==2.4.0
 Sphinx==8.1.3
 sphinx-material==0.0.36
 tomli==2.4.1
-tox==4.53.1
-trio==0.33.0
+tox==4.54.0
 trio-typing==0.10.0
-trio-websocket==0.12.2
 twine==6.2.0
 types-certifi==2021.10.8.3
 types-PySocks==1.7.1.20260508
-typing_extensions==4.15.0
-urllib3[socks]==2.7.0
-virtualenv==21.3.1
-websocket-client==1.9.0
+virtualenv==21.3.3
 wsproto==1.3.2
 zipp==3.23.1

py/requirements_lock.txt

@@ -78,8 +78,8 @@ certifi==2026.4.22 \
     --hash=sha256:3cb2210c8f88ba2318d29b0388d1023c8492ff72ecdde4ebdaddbb13a31b1c4a \
     --hash=sha256:8d455352a37b71bf76a79caa83a3d6c25afee4a385d632127b6afb3963f1c580
     # via
-    #   -r py/requirements.txt
     #   requests
+    #   selenium (py/pyproject.toml)
 cffi==2.0.0 \
     --hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \
     --hash=sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b \
@@ -447,9 +447,9 @@ id==1.6.1 \
     # via
     #   -r py/requirements.txt
     #   twine
-idna==3.14 \
-    --hash=sha256:466d810d7a2cc1022bea9b037c39728d51ae7dad40d480fc9b7d7ecf98ba8ee3 \
-    --hash=sha256:e677eaf072e290f7b725f9acf0b3a2bd55f9fd6f7c70abe5f0e34823d0accf69
+idna==3.15 \
+    --hash=sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8 \
+    --hash=sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc
     # via
     #   -r py/requirements.txt
     #   requests
@@ -498,7 +498,6 @@ jeepney==0.9.0 \
     --hash=sha256:cf0e9e845622b81e4a28df94c40345400256ec608d0e55bb8a3feaa9163f5732
     # via
     #   -r py/requirements.txt
-    #   keyring
     #   secretstorage
 jinja2==3.1.6 \
     --hash=sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d \
@@ -850,51 +849,51 @@ more-itertools==11.0.2 \
     #   -r py/requirements.txt
     #   jaraco-classes
     #   jaraco-functools
-mypy==2.0.0 \
-    --hash=sha256:0165968759c99ab79dc1a9f8aaec18e93a1bedcf7c13edd70e68dd3d5faf17cb \
-    --hash=sha256:106650bce72114f43019bf72197296f51c2cd47adfa9d073ea2976c247a404c5 \
-    --hash=sha256:191675c3c7dc2a5c7722a035a6909c277f14046c5e4e02aa5fbf65f8524f08ad \
-    --hash=sha256:1a9e3900ac5c40f1fe813506c7739da6e6f0eab2729067ebd94bfb0bbba53532 \
-    --hash=sha256:1f6dcd8f39971f41edab2728c877c4ac8b50ad3c387ff2770423b79a05d23910 \
-    --hash=sha256:20e3470a165dbc249bdfbe8d1c5172727ef22688cffc279f8c3aa264ab9d4d9a \
-    --hash=sha256:224ba142eee8b4d65d4db657cb1fc22abec30b135ded6ab297302ba1f62e505d \
-    --hash=sha256:29ea6da86c8c5e9addd48fa6e624f467341b3814f54ded871b28980468686dea \
-    --hash=sha256:2e879ad8a03908ff74d15e8a9b42bf049918e6798d52c011011f1873d0b5877e \
-    --hash=sha256:301f1a8ccc7d79b542ee218b28bb49443a83e194eb3d10da63ff1649e5aa5d34 \
-    --hash=sha256:33f668a37a650df60f7b825c1ac61e6baadd4ac3c89519e929badde58d28edf5 \
-    --hash=sha256:33f9cf4825469b2bc73c53ba55f6d9a9b4cdb60f9e6e228745581520f29b8771 \
-    --hash=sha256:37bd246590a018e5a11703b7b09c39d47ede3df5ba3fa863c5b8590b465beb01 \
-    --hash=sha256:440165501295e523bf1e5d3e411b62b367b901c65610938e75f0e56ba0462461 \
-    --hash=sha256:4ff370b43d7def05bbcd2f5267f0bcda72dd6a552ef2ea9375b02d6fe06da270 \
-    --hash=sha256:65c5c15bcbd18d6fe927cc55c459597a3517d69cc3123f067be3b020010e115e \
-    --hash=sha256:65d6f22d643bccaeb182d41d2a9f0990a05a871673c4ae3f97d4931eca0d2294 \
-    --hash=sha256:660790551c988e69d8bf7a35c8b4149edeb22f4a339165702be843532e9dcdb5 \
-    --hash=sha256:73aee2da33a2237e66cbe84a94780e53599847e86bb3aa7b93e405e8cd9905f2 \
-    --hash=sha256:77926029dfcb7e1a3ecb0acb2ddbb24ca36be03f7d623e1759ad5376be8f6c01 \
-    --hash=sha256:7a15bf92cd8781f8e72f69ffa7e30d1f434402d065ee1ecd5223ef2ef100f914 \
-    --hash=sha256:8578f857b519993d065e5805290b71467ebfae772407a5f57e823755e4fdb850 \
-    --hash=sha256:8a92b2be3146b4fa1f062af7eb05574cbf3e6eb8e1f14704af1075423144e4e5 \
-    --hash=sha256:904baa0124ebbccf0c7ba94f722cf9186ee30478f5e5b11432ffc8929248ee55 \
-    --hash=sha256:9cde2d0989f912fc850890f727d0d76495e7a6c5bdd9912a1efdb64952b4398d \
-    --hash=sha256:9ef5f581b61240d1cc629b12f8df6565ed6ffac0d82ed745eef7833222ab50b9 \
-    --hash=sha256:a04e980b9275c76159da66c6e1723c7798306f9802b31bdaf9358d0c84030ce8 \
-    --hash=sha256:b021614cb08d44785b025982163ec3c39c94bff766ead071fa9e82b4ef6f62cd \
-    --hash=sha256:bbcbc4d5917ca6ce12de70e051de7f533e3bf92d548b41a38a2232a6fe356525 \
-    --hash=sha256:c17b7222e9fdfd352e61fb3131da117e55cc465f701ff232f1bd97a02bbad91f \
-    --hash=sha256:c3d26c4321a3b06fc9f04c741e0733af693f82d823f8e64e47b2e63b7f19fa84 \
-    --hash=sha256:c734b7eb89a4cc4ec347f8187ffa730e2b59693407bc93dcb878183037f80a17 \
-    --hash=sha256:c918c64e8ce36557851b0347f84eb12f1965d3a06813c36df253eb0c0afd1d82 \
-    --hash=sha256:cc0a61adea1a5ffc2d47a4dc4bb180d8103f477fc2a90a1cdcbb168c2cc6caff \
-    --hash=sha256:cce87e92214fac8bf8feb8a680d0c1b6fb748d50e9b57fbb13e4b1d83a3ed19b \
-    --hash=sha256:cd9e60388944d0f1432a2419ab938a78d5658df1d143a7172cfe1a197276cf49 \
-    --hash=sha256:cdf05693c231a14fe37dbfce192a3a1372c26a833af4a80f550547742952e719 \
-    --hash=sha256:d1a068acd7c9fb77e9f8923f1556f2f49d6d7895821121b8d97fa5642b9c52f5 \
-    --hash=sha256:dbc6ba6d40572ae49268531565793a8f07eac7fc65ad76d482c9b4c8765b6043 \
-    --hash=sha256:e19e9cb69b66a4141009d24898259914fa2b71d026de0b46edf9fafdbf4fd46e \
-    --hash=sha256:e8e8709ce1b1046b8aad77a506dd01491157102dd727128c0b374b5025c7d769 \
-    --hash=sha256:ef9d96da1ddffbc21f27d3939319b6846d12393baa17c4d2f3e81e040e73ce2c \
-    --hash=sha256:f95e3890666c3be41af7a7179f4872341c08e90c161ba8e7a08a21f9be92c131 \
-    --hash=sha256:fdf4ef489d44ce350bac3fd699907834e551d4c934e9cc862ef201215ab1558d
+mypy==2.1.0 \
+    --hash=sha256:022c771234936ceac541ebaf836fe9e2abeb3f5e09aff21588fe543ff006fe21 \
+    --hash=sha256:0b1a5260c95aa443083f9ed3592662941951bca3d4ca224a5dc517c38b7cf666 \
+    --hash=sha256:11a6beb180257a805961aea9ec591bbd0bd17f1e18d35b8456d57aee5bedfedc \
+    --hash=sha256:1a293c534adb55271fef24a26da04b855540a8c13cc07bc5917b9fd2c394f2ca \
+    --hash=sha256:20509760fd791c51579d573153407d226385ec1f8bcce55d730b354f3336bc22 \
+    --hash=sha256:244358bf1c0da7722230bce60683d52e8e9fd030554926f15b747a84efb5b3af \
+    --hash=sha256:35aac3bb114e03888f535d5eb51b8bafbb3266586b599da1940f9b1be3ec5bd5 \
+    --hash=sha256:3712c20deed54e814eaaa825603bada8ea1c390670a397c95b98405347acc563 \
+    --hash=sha256:47cebf61abde7c088a4e27718a8b13a81655686b2e9c251f5c0915a802248166 \
+    --hash=sha256:498207db725cec88829a6a5c2fc771205fd043719ef98bc49aba8fb9fc4e6d57 \
+    --hash=sha256:49890d4f76ac9e06ec117f9e09f3174da70a620a0c300953d8595c926e80947f \
+    --hash=sha256:4ec7c57657493c7a75534df2751c8ae2cda383c16ecc55d2106c54476b1b16f6 \
+    --hash=sha256:4f910fe825376a7b66ef7ca8c98e5a149e8cd64c19ae71d84047a74ee060d4e6 \
+    --hash=sha256:5431d42af987ebd92ba2f71d45c85ed41d8e6ca9f5fd209a69f68f707d2469e5 \
+    --hash=sha256:5fdf2941a07434af755837d9880f7d7d25f1dacb1af9dcd4b9b66f2220a3024e \
+    --hash=sha256:6753d0c1fdd6b1a23b9e4f283ce80b2153b724adcb2653b20b85a8a28ac6436b \
+    --hash=sha256:7354c5a7f69d9345c3d6e69921d57088eea3ddeeb6b20d34c1b3855b02c36ec2 \
+    --hash=sha256:7406f4d048e71e576f5356d317e5b0a9e666dfd966bd99f9d14ca06e1a341538 \
+    --hash=sha256:761be68e023ef5d94678772396a8af1220030f80837a3afd8d0aef3b419666f4 \
+    --hash=sha256:767fe8c66dc3e01e19e1737d4c38ebefead16125e1b8e58ad421903b376f5c65 \
+    --hash=sha256:7d5e5cad0efeba72b93cd17490cc0d69c5ac9ca132994fe3fb0314808aeeb83e \
+    --hash=sha256:81e76ad12c2d804512e9b13240d1588316531bfba07558286078bfbce9613633 \
+    --hash=sha256:82208da9e09414d520e912d3e462d454854bed0810b71540bb016dcbca7308fd \
+    --hash=sha256:8de55a8c861f2a49331f807be98d90caeceeef520bde13d43a160207f8af613e \
+    --hash=sha256:8ef78c1d306bbf9a8a12f526c44902c9c28dffd6c52c52bf6a72641ce18d3849 \
+    --hash=sha256:98ebb6589bb3b6d0c6f0c459d53ca55b8091fbc13d277c4041c885392e8195e8 \
+    --hash=sha256:a663814603a5c563fb87a4f96fb473eeb30d1f5a4885afcf44f9db000a366289 \
+    --hash=sha256:a683016b16fe2f572dc04c72be7ee0504ac1605a265d0200f5cea695fb788f41 \
+    --hash=sha256:aea7f7a8a55b459c34275fc468ada6ca7c173a5e43a68f5dbe588a563d8a06b8 \
+    --hash=sha256:b33b6cd332695bba180d55e717a79d3038e479a2c49cc5eb3d53603409b9a5d7 \
+    --hash=sha256:b84802e7b5a6daf1f5e15bc9fcd7ddae77be13981ffab037f1c67bb84d67d135 \
+    --hash=sha256:bf03e12003084a67395184d3eb8cbd6a489dc3655b5664b28c210a9e2403ab0b \
+    --hash=sha256:c209a90853081ff01d01ee895cafe10f7db1474e0d95beaeef0f6c1db9119bbd \
+    --hash=sha256:c90345fc182dc363b891350457ec69c35140858538f38b4540845afcc32b1aef \
+    --hash=sha256:c989640253f0d76843e9c6c1bbf4bd48c5e85ada61bde4beb37cb3eca035685e \
+    --hash=sha256:d57a90ae5e872138a425ec328edbc9b235d1934c4377881a33ec05b341acc9a8 \
+    --hash=sha256:d8161b6ff4392410023224f0969d17db93e1e154bc3e4ba62598e720723ae211 \
+    --hash=sha256:e0210d626fc8b31ccc90233754c7bc90e1f43205e85d96387f7db1285b55c398 \
+    --hash=sha256:e195b817c13f02352a9c124301f9f30f078405444679b6753c1b96b6eed37285 \
+    --hash=sha256:e583edc957cfb0deb142079162ae826f58449b116c1d442f2d91c69d9fced081 \
+    --hash=sha256:e79ebc1b904b84f0310dff7469655a9c36c7a68bddb37bdd42b67a332df61d08 \
+    --hash=sha256:ecfe70d43775ab99562ab128ce49854a362044c9f894961f68f898c23cb7429d \
+    --hash=sha256:fcaa0e479066e31f7cceb6a3bea39cb22b2ff51a6b2f24f193d19179ba17c389 \
+    --hash=sha256:ff715050c127d724fd260a2e666e7747fdd83511c0c47d449d98238970aef780
     # via -r py/requirements.txt
 mypy-extensions==1.1.0 \
     --hash=sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505 \
@@ -1020,10 +1019,11 @@ pytest-trio==0.8.0 \
     --hash=sha256:8363db6336a79e6c53375a2123a41ddbeccc4aa93f93788651641789a56fb52e \
     --hash=sha256:e6a7e7351ae3e8ec3f4564d30ee77d1ec66e1df611226e5618dbb32f9545c841
     # via -r py/requirements.txt
-python-discovery==1.3.0 \
-    --hash=sha256:441d9ced3dfce36e113beb35ca302c71c7ef06f3c0f9c227a0b9bb3bd49b9e9f \
-    --hash=sha256:d098f1e86be5d45fe4d14bf1029294aabbd332f4321179dec85e76cddce834b0
+python-discovery==1.3.1 \
+    --hash=sha256:62f6db28064c9613e7ca76cb3f00c38c839a07c31c00dfe7ed0986493d2150a6 \
+    --hash=sha256:ed188687ebb3b82c01a17cd5ac62fc94d9f6487a7f1a0f9dfe89753fec91039c
     # via
+    #   -r py/requirements.txt
     #   tox
     #   virtualenv
 python-slugify[unidecode]==8.0.4 \
@@ -1040,9 +1040,9 @@ readme-renderer==44.0 \
     # via
     #   -r py/requirements.txt
     #   twine
-requests==2.33.1 \
-    --hash=sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517 \
-    --hash=sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a
+requests==2.34.1 \
+    --hash=sha256:0fc5669f2b69704449fe1552360bd2a73a54512dfd03e65529157f1513322beb \
+    --hash=sha256:bf38a3ff993960d3dd819c08862c40b3c703306eb7c744fcd9f4ddbb95b548f0
     # via
     #   -r py/requirements.txt
     #   requests-toolbelt
@@ -1069,9 +1069,7 @@ rich==15.0.0 \
 secretstorage==3.5.0 \
     --hash=sha256:0ce65888c0725fcb2c5bc0fdb8e5438eece02c523557ea40ce0703c266248137 \
     --hash=sha256:f04b8e4689cbce351744d5537bf6b1329c6fc68f91fa666f60a380edddcd11be
-    # via
-    #   -r py/requirements.txt
-    #   keyring
+    # via -r py/requirements.txt
 sniffio==1.3.1 \
     --hash=sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2 \
     --hash=sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc
@@ -1189,16 +1187,16 @@ tomli-w==1.2.0 \
     --hash=sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 \
     --hash=sha256:2dd14fac5a47c27be9cd4c976af5a12d87fb1f0b4512f81d69cce3b35ae25021
     # via tox
-tox==4.53.1 \
-    --hash=sha256:4a9948607e976a337c22d64a1b4fafd486125e82f00ab6ce32fa6cacc23f48b1 \
-    --hash=sha256:7be9805ed4a34242510c7acc9a7e3a01a35942e08f31f8bd69067c3a37130afc
+tox==4.54.0 \
+    --hash=sha256:21e36fd8256590379620848d0b03b52f4d541b65b749de1a17c3e616978dad58 \
+    --hash=sha256:a2d7c1177242ae9c3d9e404039e9f945ce16a3e5dfc66972c643e27d7e764f4b
     # via -r py/requirements.txt
 trio==0.33.0 \
     --hash=sha256:3bd5d87f781d9b0192d592aef28691f8951d6c2e41b7e1da4c25cde6c180ae9b \
     --hash=sha256:a29b92b73f09d4b48ed249acd91073281a7f1063f09caba5dc70465b5c7aa970
     # via
-    #   -r py/requirements.txt
     #   pytest-trio
+    #   selenium (py/pyproject.toml)
     #   trio-typing
     #   trio-websocket
 trio-typing==0.10.0 \
@@ -1208,7 +1206,7 @@ trio-typing==0.10.0 \
 trio-websocket==0.12.2 \
     --hash=sha256:22c72c436f3d1e264d0910a3951934798dcc5b00ae56fc4ee079d46c7cf20fae \
     --hash=sha256:df605665f1db533f4a386c94525870851096a223adcb97f72a07e8b4beba45b6
-    # via -r py/requirements.txt
+    # via selenium (py/pyproject.toml)
 twine==6.2.0 \
     --hash=sha256:418ebf08ccda9a8caaebe414433b0ba5e25eb5e4a927667122fbe8f829f985d8 \
     --hash=sha256:e5ed0d2fd70c9959770dce51c8f39c8945c574e18173a7b81802dab51b4b75cf
@@ -1225,11 +1223,11 @@ typing-extensions==4.15.0 \
     --hash=sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466 \
     --hash=sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548
     # via
-    #   -r py/requirements.txt
     #   beautifulsoup4
     #   cryptography
     #   exceptiongroup
     #   mypy
+    #   selenium (py/pyproject.toml)
     #   tox
     #   trio-typing
     #   virtualenv
@@ -1241,20 +1239,20 @@ urllib3[socks]==2.7.0 \
     --hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c \
     --hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897
     # via
-    #   -r py/requirements.txt
     #   id
     #   requests
+    #   selenium (py/pyproject.toml)
     #   twine
-virtualenv==21.3.1 \
-    --hash=sha256:c2305bc1fddeec40699b8370d13f8d431b0701f00ce895061ce493aeded4426b \
-    --hash=sha256:d1a71cf58f2f9228fff23a1f6ec15d39785c6b32e03658d104974247145edd35
+virtualenv==21.3.3 \
+    --hash=sha256:7d5987d8369e098e41406efb780a3d4ca79280097293899e351a6407ee153ab3 \
+    --hash=sha256:f5bda277e553b1c2b3c1a8debfc30496e1288cc93ce6b7b71b3280047e317328
     # via
     #   -r py/requirements.txt
     #   tox
 websocket-client==1.9.0 \
     --hash=sha256:9e813624b6eb619999a97dc7958469217c3176312b3a16a4bd1bc7e08a46ec98 \
     --hash=sha256:af248a825037ef591efbf6ed20cc5faa03d3b47b9e5a2230a529eeee1c1fc3ef
-    # via -r py/requirements.txt
+    # via selenium (py/pyproject.toml)
 wsproto==1.3.2 \
     --hash=sha256:61eea322cdf56e8cc904bd3ad7573359a242ba65688716b0710a5eb12beab584 \
     --hash=sha256:b86885dcf294e15204919950f666e06ffc6c7c114ca900b060d6e16293528294

py/tox.ini

@@ -15,7 +15,7 @@ commands =
 [testenv:docs]
 skip_install = true
 deps =
-    -r {toxinidir}/requirements.txt
+    -r {toxinidir}/requirements_lock.txt
 commands =
     # generate `docs/source/api.rst` with module listing
     {envpython} ./generate_api_module_listing.py
@@ -30,7 +30,7 @@ setenv =
 [testenv:typecheck]
 skip_install = true
 deps =
-    -r {toxinidir}/requirements.txt
+    -r {toxinidir}/requirements_lock.txt
 commands =
     mypy --install-types selenium {posargs}
 

scripts/update_py_deps.py

@@ -6,7 +6,8 @@
 import tempfile
 from pathlib import Path
 
-# Updates py/requirements.txt with latest compatible versions using pip
+# Updates pinned repo tooling dependencies in py/requirements.txt using pip.
+# Published runtime dependency constraints are managed in py/pyproject.toml.
 # Run with: bazel run //scripts:update_py_deps
 
 
@@ -17,7 +18,7 @@ def main():
     if not requirements_file.exists():
         raise FileNotFoundError(f"{requirements_file} not found")
 
-    print(f"Checking {requirements_file}")
+    print(f"Checking repo tooling requirements in {requirements_file}")
 
     # Parse current requirements preserving original format
     current_lines = requirements_file.read_text().strip().split("\n")
@@ -26,7 +27,7 @@ def main():
         line = line.strip()
         if line and not line.startswith("#") and "==" in line:
             name_with_extras, version = line.split("==", 1)
-            # Normalize: remove extras for pip queries
+            # Normalize by removing extras for pip queries.
             name_normalized = name_with_extras.split("[")[0].lower()
             packages.append((line, name_with_extras, name_normalized))
 
@@ -50,7 +51,7 @@ def main():
             capture_output=True,
         )
 
-        # Install packages (with extras) to let pip resolve versions
+        # Install packages with extras to let pip resolve versions.
         install_names = [p[1] for p in packages]  # name_with_extras
         print(f"Installing {len(install_names)} packages...")
         result = subprocess.run(
@@ -85,7 +86,7 @@ def main():
                 updated_lines.append(orig_line)
 
         if not updates:
-            print("\nAll packages are up to date!")
+            print("\nAll repo tooling requirements are up to date!")
             return
 
         # Rebuild file preserving non-package lines