chore(deps): refresh uv.lock transitive pins (2026-04-29)

[cmeans-claude-dev]

Summary

Routine uv lock --upgrade refresh — backstop for transitive dependency bumps that haven't yet been picked up by Dependabot's advisory- and cascade-driven flow.

• No pyproject.toml range changes.
• Test suite passed against the new lockfile (test gate before PR opened).
• This is the cron in .github/workflows/uv-lock-refresh.yml — see spec at docs/superpowers/specs/2026-04-29-uv-lock-refresh-cron-design.md.

Diff stat

 uv.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Test plan

• uv sync --frozen --extra dev && uv run pytest passes (test gate).
• CI green on PR head.
• No pyproject.toml lines changed (verify in Files tab).

🤖 Generated by uv-lock-refresh.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans]

LGTM

[cmeans]

QA round 1 — PASS (no findings)

This is the first end-to-end exercise of the uv-lock-refresh.yml cron from PR #54 — effectively answers PR #54's test-plan checkbox 4 (post-merge workflow_dispatch/scheduled-trigger run). The workflow behaved correctly across all gates.

Diff inspection

• uv.lock: pathspec 1.1.0 → 1.1.1 (sdist + wheel hashes refreshed). Single transitive bump.
• CHANGELOG.md: one new bullet inserted as the FIRST entry under ## [Unreleased] → ### Changed, matching the workflow's Python insertion logic (insert_at = changed_idx + 2 after blank line). The hardcoded entry text matches the workflow's template verbatim.
• No other files touched — pyproject.toml not in diff, no spec/plan changes, no source/test code changes.

Cron behavior validation (live)

• Skip-gate correctly let the run through (no dependencies + python PR was open at trigger time).
• Diff-gate correctly flagged the uv.lock change (pathspec).
• Test gate ran and passed against the new lockfile (PR creation happened, which is the gate's success signal).
• CHANGELOG bullet inserted at the right KaC position (under existing ### Changed, ahead of older bullets, blank-line spacing preserved).
• Branch name + commit subject + PR title all use the dated suffix 2026-04-29 per spec.
• Labels applied: dependencies, python, Ready for QA ✓.
• Authored by cmeans-claude-dev[bot] via App-token push (so downstream CI fired) — required CI checks all reported PASS, confirming PR #54's reasoning about the App-token vs GITHUB_TOKEN distinction was correct.

Sourcing check (per feedback_verify_dependency_sourcing.md)

pathspec is a transitive dep of mypy (uv.lock:653-657 declares pathspec in mypy 1.20.2's deps block). Patch bump only (1.1.0 → 1.1.1). Author/maintainer is the long-standing cpburnz PyPI account — no sourcing concern.

Re-verification on c905d3a

• uv sync --frozen --extra dev → cleanly upgraded pathspec==1.1.0 → 1.1.1 (Prepared 1 package ... Uninstalled 1 package ... Installed 1 package). Lockfile is internally consistent. ✓
• uv run pytest --cov --cov-report=xml → 79/79 pass at 100% coverage (mypy is the affected dep — full suite passing is a strong signal that the bump is safe, since mypy's behavior touches the type-check gate)
• uv run ruff check src/ tests/ → All checks passed
• uv run ruff format --check src/ tests/ → 11 files already formatted
• uv run mypy src/pypi_winnow_downloads/ → Success: no issues found in 5 source files
• CI: 8 pass / 3 expected-skip (changelog, on-label, on-unlabel) / 1 pending QA Gate

Labels: Ready for QA → QA Active → Ready for QA Signoff. Awaiting maintainer QA Approved.

[cmeans]

Audit trail: applying Ready for QA Signoff — single transitive bump (pathspec 1.1.0→1.1.1, mypy's transitive), CHANGELOG bullet inserted at correct KaC position by the workflow, no pyproject.toml changes, all four verification commands clean against the new lockfile, CI fully green. This is also the live end-to-end validation of PR #54's cron — all gates fired correctly. Workflow: Ready for QA → QA Active → Ready for QA Signoff.