fix(deps): pin bcrypt<5 to fix passlib incompatibility #14
Merged
passlib 1.7.x cannot read bcrypt 5.x version metadata, causing every example that does `from passlib.context import CryptContext` to fail with "(trapped) error reading bcrypt version" (exit 1) at import time.

This was introduced silently when Dependabot PR #12 bumped bcrypt from <5 to <6 (workflow excludes Dependabot from CI, so the bump landed on main without surfacing the regression). The next non-Dependabot CI run on main (PR #13 — modules/ refactor) caught it.

Fix:
- pyproject.toml: pin bcrypt<5 in both [project.dependencies] and the [project.optional-dependencies.all] extras
- .github/dependabot.yml: add ignore rule for bcrypt >=5.0 until passlib publishes a compatible release, so this regression cannot silently land again

Restores 12_fastapi_complete/authentication_jwt and 12_fastapi_complete/oauth2 X1 to pass in CI (16/16 modules clean expected).
Summary

passlib 1.7.x cannot parse bcrypt 5.x version metadata — every example doing `from passlib.context import CryptContext` fails at import with `(trapped) error reading bcrypt version` (exit 1). This breaks X1 (examples execute) for `12_fastapi_complete/authentication_jwt` and `12_fastapi_complete/oauth2`.

Root cause

Dependabot PR #12 bumped `bcrypt<5` → `bcrypt<6`. The validate-all-modules workflow excludes Dependabot PRs from running, so the regression landed on main silently. PR #13 (modules/ refactor) was the first non-Dependabot push to trigger CI on main, surfacing the bug.

Fix

- `pyproject.toml`: revert pin to `bcrypt<5` (both `[project.dependencies]` and `[project.optional-dependencies.all]`)
- `.github/dependabot.yml`: add `ignore` rule for `bcrypt >=5.0` so this cannot silently land again until passlib publishes a compatible release

Test plan

- `pip install -e ".[all]"` resolves with bcrypt 4.x
- `validate-all-modules` returns to 16/16 modules passed (previously 15/16)
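
A CI guard for the two-table pin described above, as an added example (not code from this repository): it parses a constructed `pyproject.toml` and reports every table whose bcrypt requirement still admits 5.x. The function names and the sample file are assumptions; only `<`, `<=` and `==` caps are recognised, so any other operator is reported as uncapped.

```python
import re
try:
    import tomllib                       # Python 3.11+
except ModuleNotFoundError:              # older interpreters: pip install tomli
    import tomli as tomllib

FIRST_BROKEN = (5, 0, 0)  # per the page: passlib 1.7.x fails to import against bcrypt 5.x

# Constructed sample: the pin was reverted in [project.dependencies] only,
# while the "all" extra still carries the bumped bound (hypothetical partial fix).
SAMPLE_PYPROJECT = """
[project]
name = "examples"
dependencies = ["passlib>=1.7,<1.8", "bcrypt<5"]

[project.optional-dependencies]
all = ["fastapi", "bcrypt>=4.0,<6"]
"""

def _ver(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))   # pad so "5" and "5.0" compare equal

def excludes_broken(requirement, name="bcrypt"):
    """None if the requirement names another package, else True when some
    clause caps it below FIRST_BROKEN. Unrecognised operators count as uncapped."""
    m = re.match(r"\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;]*)", requirement)
    if not m or m.group(1).lower() != name:
        return None
    for clause in m.group(2).split(","):
        c = re.fullmatch(r"\s*(<=|<|==)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not c:
            continue
        op, bound = c.group(1), _ver(c.group(2))
        if (op == "<" and bound <= FIRST_BROKEN) or (op != "<" and bound < FIRST_BROKEN):
            return True
    return False

def unpinned_tables(pyproject_text):
    """Return the dependency tables whose bcrypt requirement still admits 5.x."""
    project = tomllib.loads(pyproject_text).get("project", {})
    tables = {"project.dependencies": project.get("dependencies", [])}
    for extra, reqs in project.get("optional-dependencies", {}).items():
        tables[f"project.optional-dependencies.{extra}"] = reqs
    return [t for t, reqs in tables.items()
            if any(excludes_broken(r) is False for r in reqs)]

if __name__ == "__main__":
    print(unpinned_tables(SAMPLE_PYPROJECT))
```

Run against the real `pyproject.toml` on every push, Dependabot branches included, a non-empty result is the signal to fail the job.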