Dependency audit#615

Merged: vergauwenthomas merged 7 commits into master from deps_audit on Feb 25, 2026

Conversation

@vergauwenthomas (Owner) commented Feb 25, 2026

This pull request focuses on improving dependency management, versioning, and compatibility for the project. The main changes include updates to dependency constraints in pyproject.toml, the addition of a new GitHub Actions workflow for dependency auditing, and enhancements to CI checks to enforce version bumps and compatibility.

Dependency and compatibility updates:

  • Updated dependency version constraints in pyproject.toml to specify upper bounds for core dependencies such as cartopy, earthengine-api, geemap, geopandas, matplotlib, numpy, pandas, pint, shapely, xarray, pyarrow, netcdf4, and added pytz, improving reproducibility and avoiding future incompatibilities. Also tightened the sphinx version range for documentation builds. [1] [2]
  • Updated project metadata in pyproject.toml to bump the version to 1.0.2, set the license to MIT, and specify license files.
  • Updated the internal version in src/metobs_toolkit/settings_collection/version.py to 1.0.2 to match the new release.

CI/CD improvements:

  • Added a new GitHub Actions workflow .github/workflows/dependency-audit.yml to perform dependency compatibility checks and vulnerability audits across multiple Python versions, and to run import smoke tests for geemap.foliumap and metobs_toolkit.
  • Enhanced the main workflow to include a step that ensures the project version in pyproject.toml differs from the version on the master branch, enforcing version bumps for non-master changes.

Other minor improvements:

  • Minor formatting and setup changes in the main workflow, such as whitespace adjustments and clarifying the Poetry installation step.
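The version-bump gate described under "CI/CD improvements", written out as an added shell example; this is not code from the PR or the metobs_toolkit repository. It assumes the version is stored as a `version = "X.Y.Z"` line in pyproject.toml and uses constructed sample files in place of the master and branch copies (in CI the master copy would come from `git show origin/master:pyproject.toml`).

```shell
#!/usr/bin/env sh
# Added example (not from the PR): the "version must differ from master" check
# as reusable POSIX shell functions.
# Assumption: the version line looks like `version = "X.Y.Z"` (first match wins),
# which covers both [tool.poetry] and PEP 621 [project] layouts.

# Print the version string found in a pyproject.toml file, or nothing if absent.
pyproject_version() {
    sed -n 's/^version *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when the branch file's version differs from the master file's,
# 1 when they are equal or when either file has no parseable version line.
version_bumped() {
    master_v=$(pyproject_version "$1")
    branch_v=$(pyproject_version "$2")
    [ -n "$master_v" ] && [ -n "$branch_v" ] || return 1
    [ "$master_v" != "$branch_v" ]
}

# Constructed sample files standing in for master and the PR branch
# (the 1.0.1 value is made up for the example; the page only states the 1.0.2 bump).
tmpdir=$(mktemp -d)
cat > "$tmpdir/master.toml" <<'EOF'
[tool.poetry]
name = "metobs_toolkit"
version = "1.0.1"
EOF
cat > "$tmpdir/branch.toml" <<'EOF'
[tool.poetry]
name = "metobs_toolkit"
version = "1.0.2"
EOF
# A branch that forgot to bump: identical to master.
cp "$tmpdir/master.toml" "$tmpdir/unchanged.toml"

if version_bumped "$tmpdir/master.toml" "$tmpdir/branch.toml"; then
    echo "ok: $(pyproject_version "$tmpdir/master.toml") -> $(pyproject_version "$tmpdir/branch.toml")"
fi
if ! version_bumped "$tmpdir/master.toml" "$tmpdir/unchanged.toml"; then
    echo "rejected: version unchanged from master"
fi
```

In a workflow step the two files would be `pyproject.toml` from the checkout and the master copy written out with `git show`, and a failing `version_bumped` would `exit 1` to fail the job.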

Copilot AI review requested due to automatic review settings, February 25, 2026 10:11

Copilot AI (Contributor) left a comment

Pull request overview

Adds automated dependency compatibility/vulnerability auditing in CI and tightens dependency version ranges to reduce breakage from upstream releases.

Changes:

  • Constrained several runtime dependency versions in pyproject.toml (added upper bounds).
  • Restricted sphinx to <9 for documentation builds.
  • Added a new GitHub Actions workflow to run poetry check, pip check, pip-audit, and an import smoke test across Python 3.10–3.13.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Files reviewed:

  • pyproject.toml: Adds upper bounds to key dependencies and constrains Sphinx for more predictable installs/builds.
  • .github/workflows/dependency-audit.yml: Introduces a CI job matrix to validate dependency consistency and run vulnerability scans.

@vergauwenthomas added the labels "RUN TESTS" (The main testing workflow is run if this label is added to a PR) and "technical" (An issue related to the code; the functionality to the end-user will not be affected) Feb 25, 2026
@vergauwenthomas vergauwenthomas merged commit 2e5e420 into master Feb 25, 2026
40 checks passed