Conversation
dependabot
bot
added
dependencies
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — straightforward Dependabot lock-file bump with no source code changes.
Extended reasoning...
Overview
This PR modifies only uv.lock, bumping pygments from 2.19.2 to 2.20.0 and updating two related entries: the keboola-mcp-server version field (1.49.0 → 1.49.2, a lock-file artifact of the regeneration) and taskgroup dependency markers (adding python_full_version < 3.13 conditions, consistent with upstream resolution changes). No application source code is touched.
Security risks
No security risks. Pygments 2.20.0 is a minor release containing bug fixes (including catastrophic backtracking fixes in several lexers and HTML formatter hardening against CSS injection) — these are strictly improvements. The hashes in the lock file match the published PyPI artifacts.
Level of scrutiny
Minimal scrutiny required. Dependabot-generated lock file updates for a well-known syntax-highlighting library carry very low risk. The change is mechanical and the Dependabot compatibility score link is included.
Other factors
No bugs were reported by the bug hunting system. No prior reviews on this PR. The PR is fresh (created same day) with no outstanding reviewer comments.
dependabot
bot
changed the title
dependabot
bot
force-pushed
the
dependabot/uv/pygments-2.20.0
branch
from
fd0c176 to
d32cd7b
Compare
dependabot
bot
changed the title
dependabot
bot
force-pushed
the
dependabot/uv/pygments-2.20.0
branch
from
d32cd7b to
196fb17
Compare
| name = "pygments" | ||
| version = "2.19.2" | ||
| version = "2.20.0" |
There was a problem hiding this comment.
🟡 This PR is missing a required version bump in pyproject.toml. Per CLAUDE.md: 'Every PR must bump pyproject.toml version before merging.' Since a dependency upgrade is classified as a chore/patch change, pyproject.toml should be updated from 1.51.0 to 1.51.1 and uv.lock re-synced to include it.
Extended reasoning...
What the bug is: CLAUDE.md explicitly states: "Every PR must bump pyproject.toml version before merging." This PR only modifies uv.lock (bumping pygments from 2.19.2 to 2.20.0) but does not update the project version in pyproject.toml.
The specific code path: The only file changed in this PR is uv.lock (lines 1915-1916), where the pygments version hash and URL are updated from 2.19.2 to 2.20.0. The pyproject.toml file is untouched and still contains version 1.51.0 (set by the previous PR AI-2889).
Why existing code doesn't prevent it: This is an automated dependency PR (likely from Dependabot), which only updates the lock file. The automated process has no awareness of the project's custom versioning policy defined in CLAUDE.md. There is no CI check enforcing this rule, so the omission goes undetected.
What the impact would be: The project version in pyproject.toml will be stale and inconsistent with the actual state of the codebase after this change. Any tooling, changelogs, or release processes that depend on pyproject.toml version to track when changes were made will not reflect this dependency update.
How to fix it: Before merging, update pyproject.toml to bump the version from 1.51.0 to 1.51.1 (a patch bump per the CLAUDE.md versioning rules for chores/dependency updates), then run uv sync or equivalent to ensure uv.lock is re-synced and includes the new project version metadata.
Step-by-step proof:
- CLAUDE.md states: "Every PR must bump pyproject.toml version before merging."
- CLAUDE.md classifies dependency updates as "chores" which are Patch bumps (1.x.y → 1.x.y+1).
- Before this PR, the previous PR (AI-2889, commit e72c3c4) set
pyproject.tomlversion to1.51.0. - This PR's diff shows only
uv.lockis modified — no changes topyproject.toml. - Therefore, the project version remains
1.51.0after this dependency upgrade, in direct violation of the stated policy. The required bump would be1.51.0→1.51.1.
…sts 2.33.0 Consolidates 4 Dependabot PRs (#452 #447 #443 #440) into one: - fastmcp 2.14.5 → 3.2.0 (breaking: get_tools() removed → _list_tools()) - cryptography ~= 46.0 (patch 46.0.6) - pygments 2.19.2 → 2.20.0 (indirect) - requests 2.32.5 → 2.33.0 (indirect) fastmcp 3.x migration: - Replace get_tools() (dict) with _list_tools() (list) in cli.py, generate_tool_docs.py, tests - Filter FastMCPDeprecationWarning for serializer in test_json_logging - Regenerate TOOLS.md (fastmcp 3.x adds "additionalProperties": false to all tool schemas) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dependabot
bot
changed the title
dependabot
bot
force-pushed
the
dependabot/uv/pygments-2.20.0
branch
2 times, most recently
from
4d3d1ed to
bb2e6a5
Compare
dependabot
bot
changed the title
dependabot
bot
force-pushed
the
dependabot/uv/pygments-2.20.0
branch
3 times, most recently
from
ebd208d to
0793659
Compare
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](pygments/pygments@2.19.2...2.20.0) --- updated-dependencies: - dependency-name: pygments dependency-version: 2.20.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/uv/pygments-2.20.0
branch
from
0793659 to
a750df1
Compare
Bumps pygments from 2.19.2 to 2.20.0.
Release notes
Sourced from pygments's releases.
Changelog
Sourced from pygments's changelog.
Commits
708197dFix underline length.1d4538aPrepare 2.20 release.2ceaee4Update CHANGES.e3a3c54Fix Haskell lexer: handle escape sequences in character literals (#3069)d7c3453Merge pull request #3071 from pygments/harden-html-formatter0f97e7cHarden the HTML formatter against CSS.9f981b2Update CHANGES.1d88915Update CHANGES.c3d93adFix ASN.1 lexer: recognize minus sign and fix range operator (#3060)4f06bcffix bad behaving backtracking regex in CommonLispLexer