chore: update constraints-dev.txt (2025-11-10)

[courtneypacheco]

This PR updates the constraints-dev.txt file using tox -e constraints.

Summary by CodeRabbit

• Chores
  • Updated development dependencies to their latest versions. Major updates include PyTorch (2.5.1 → 2.6.0), transformers (4.53.1 → 4.57.1), FastAPI (0.115.14 → 0.121.1), Ray (2.40.0 → 2.51.1), and numerous other packages. Added new development tools and reorganized ecosystem components for improved compatibility.

[sourcery-ai]

Reviewer's Guide

Regenerated the development constraints file by running tox -e constraints, updating pinned versions for all development dependencies.

File-Level Changes

Change	Details	Files
Regenerate constraints-dev.txt with updated dependency pins	Executed tox -e constraints to refresh all dev dependency versions	constraints-dev.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @courtneypacheco - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Walkthrough

A comprehensive update to constraints-dev.txt upgrading dozens of Python package dependencies to newer versions. Notable changes include major version bumps in PyTorch, NumPy, Pydantic, and FastAPI, ecosystem reorganization in langchain and OpenTelemetry packages, and introduction of new dependencies like instructor and docstring-parser.

Changes

Cohort / File(s)	Summary
ML & Scientific Stack constraints-dev.txt	PyTorch ecosystem (torch 2.5.1→2.6.0, torchaudio 2.5.1→2.6.0, torchvision 0.20.1→0.21.0); NumPy 1.26.4→2.2.6; transformers 4.53.1→4.57.1; vLLM 0.7.3→0.8.5.post1; triton 3.1.0→3.2.0; llvmlite 0.43.0→0.44.0
Web & API Frameworks constraints-dev.txt	FastAPI 0.115.14→0.121.1; uvicorn 0.35.0→0.38.0; Typer 0.16.0→0.20.0; aiohttp 3.12.13→3.13.2; httpx references extended; httpcore retained
Data & Serialization constraints-dev.txt	PyArrow 20.0.0→22.0.0; pandas 2.3.0→2.3.3; pandas-stubs 2.3.0.250703→2.3.2.250926; msgpack 1.1.1→1.1.2; ormsgpack updated; orjson 3.10.18→3.11.4
Configuration & Type Validation constraints-dev.txt	Pydantic 2.11.7→2.12.4; pydantic-core 2.33.2→2.41.5; pydantic-settings 2.10.1→2.11.0; attrs 25.3.0→25.4.0
Observability & Monitoring constraints-dev.txt	OpenTelemetry packages added/updated (api, exporter-otlp, proto, sdk, semantic-conventions); prometheus-client 0.22.1→0.23.1
LLM-specific & ML Tools constraints-dev.txt	instructor 1.13.0 added; gguf 0.10.0→0.17.1; lm-format-enforcer 0.10.11→0.10.12; lm-eval 0.4.9→0.4.9.1; mistral-common 1.6.3→1.8.5; openai 1.93.0→2.7.1
LangChain Ecosystem Reorganization constraints-dev.txt	Substantial realignment of langchain and related packages; migration to new/alternative components
Development & Build Tools constraints-dev.txt	mypy 1.16.1→1.18.2; coverage 7.9.2→7.11.3; pre-commit 4.2.0→4.4.0; astroid 3.3.10→4.0.2; deprecated 1.3.1 added; docstring-parser 0.17.0 added
Infrastructure & Utilities constraints-dev.txt	certifi 2025.6.15→2025.10.5; charset-normalizer 3.4.2→3.4.4; idna 3.10→3.11; urllib3 retained; requests 2.32.4→2.32.5; dnspython 2.7.0→2.8.0; cupy-cuda12x 13.4.1→13.6.0; protobuf 6.31.1→4.25.8 (downgrade); nvidia-cuda-related packages updated
Tokenization & Encoding constraints-dev.txt	tiktoken 0.9.0→0.12.0; tokenizers 0.21.2→0.22.1; regex 2024.11.6→2025.11.3
Documentation & Formatting constraints-dev.txt	markdown-it-py 3.0.0→4.0.0; markupsafe 3.0.2→3.0.3; rich 14.0.0→14.2.0
Miscellaneous constraints-dev.txt	accelerate 1.8.1→1.11.0; cloudpickle 3.1.1→3.1.2; lxml 6.0.0→6.0.2; cachetools 6.1.0→6.2.1; blake3 1.0.5→1.0.8; compressed-tensors 0.9.1→0.9.3; immutabledict 4.2.1→4.2.2; importlib-metadata version update; iniconfig 2.1.0→2.3.0; packaging 24.2→25.0; platformdirs 4.3.8→4.5.0; pyzmq 27.0.0→27.1.0; ray 2.40.0→2.51.1; pyyaml 6.0.2→6.0.3; greenlet 3.2.3→3.2.4; gitpython 3.1.44→3.1.45; hf-xet 1.1.5→1.2.0; evaluate 0.4.4→0.4.6; email-validator 2.2.0→2.3.0; anyio 4.9.0→4.11.0; fastapi-cli 0.0.7→0.0.14; fastapi-cloud-cli 0.3.1 added; grpcio 1.76.0 added; pillow 11.3.0→12.0.0; typing-extensions 4.14.1→4.15.0; yarl 1.20.1→1.22.0; zstandard 0.23.0→0.25.0; watchfiles 1.1.0→1.1.1; multidict 6.6.3→6.7.0; airportsdata 20250706→20250909

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–35 minutes

Areas requiring extra attention:

• Major version upgrades: NumPy 1.26.4→2.2.6, markdown-it-py 3.0.0→4.0.0, and PyTorch 2.5.1→2.6.0 may have breaking API changes requiring compatibility verification
• Protobuf downgrade: protobuf 6.31.1→4.25.8 is unusual and warrants investigation for compatibility with other ecosystem packages
• LangChain ecosystem reorganization: Verify that the restructuring of langchain and related packages doesn't break integration points
• New dependencies: instructor, docstring-parser, grpcio, and fastapi-cloud-cli require justification for inclusion
• OpenTelemetry additions: Confirm that the introduced observability infrastructure aligns with deployment targets and doesn't introduce unintended telemetry

Poem

🐰 Nibbled through constraints with glee,
Each dependency a carrot to see,
NumPy to two, PyTorch takes flight,
LangChain rewired, observability bright,
Hopped through the chaos, now organized tight! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: updating constraints-dev.txt. It is concise, clear, and specific about what was changed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-constraints

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dede688 and 78821cb.

📒 Files selected for processing (1)

• constraints-dev.txt (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Sourcery review
• GitHub Check: ruff
• GitHub Check: mypy
• GitHub Check: pylint
• GitHub Check: test: 3.11 on ubuntu-latest
• GitHub Check: test: 3.11 on macos-latest

🔇 Additional comments (6)

constraints-dev.txt (6)

41-43: fastapi-cloud-cli is a transitive dependency from fastapi-cli—no action needed.

The script confirms all three verification points:

1. Transitive dependency: fastapi-cloud-cli==0.3.1 is introduced via fastapi-cli, not added directly
2. Usage: No direct usage in Python code (expected for a CLI tool dependency)
3. Scoping: Correctly placed in constraints-dev.txt for development tools

The dependency is properly configured and poses no concerns.

---

163-163: I need to verify the protobuf version information to determine if the review comment's claim about a downgrade from 6.31.1 is accurate.

Based on the web search results, protobuf 6.31.1 is a valid release (May 28, 2025), and the version pinned in constraints-dev.txt (4.25.8) is indeed older. However, this isn't necessarily a downgrade in the traditional sense—protobuf uses independent major version schemes per language.

The key issue is that Python 4.x.x gencode should work against 5.x.x runtime but warn of upcoming breakage against 6.x.x runtime, meaning 4.x and 6.x are not in a forward-compatible relationship. The constraints file clearly shows protobuf==4.25.8 # via googleapis-common-protos, opentelemetry-proto, ray, vllm, indicating this version is pinned due to transitive dependencies from those packages.

The review comment is asking the right questions—this appears to be a constraint resolution rather than a typical upgrade. Without access to the PR diff history or detailed dependency specifications, I cannot definitively confirm whether the AI summary's claim of "6.31.1 previously" is accurate. The current evidence shows the constraint is legitimate (driven by downstream packages), but the previous version claim needs verification.

---

37-37: I need to verify the source of docstring-parser in the constraints file:

These are expected transitive dependencies from ragas; no action required.

Ragas 0.3.2 includes instructor as a direct core dependency, and instructor's required dependencies include docstring-parser. Both packages are transitive inclusions from ragas, not new direct application requirements. The search found no direct imports of either package in the codebase, confirming they're indirect runtime dependencies. Their presence in constraints-dev.txt is correct since ragas is specified there.

---

169-169: Pydantic ecosystem versions are compatible and dependency resolution is successful.

All three Pydantic ecosystem packages pass compatibility checks:

• pydantic-core 2.41.5 is compatible with pydantic 2.12.x (which expects >= 2.40.x)
• pydantic-settings 2.11.0 is compatible with Pydantic 2.12.0 with no breaking-compat notes between them

The presence of constraints-dev.txt confirms pip's dependency resolver successfully resolved all 14+ downstream packages (FastAPI, langchain, instructor, OpenAI, etc.) with these specific versions. No conflicts detected.

---

30-30: OpenTelemetry packages are necessary transitive dependencies from vllm.

The OpenTelemetry ecosystem additions (lines 30, 51, 53, 135–143) are not unnecessary bloat. The constraints-dev.txt file shows that opentelemetry-exporter-otlp==1.26.0 and opentelemetry-api==1.26.0 are pulled in via vllm, which is a core dependency in the requirements files. vllm includes built-in OpenTelemetry support for observability and tracing of LLM inference operations. The absence of direct imports in the codebase is expected—vllm uses these packages internally for instrumentation. The transitive dependencies like deprecated, googleapis-common-protos, and grpcio all trace back to OpenTelemetry packages required by vllm's OTLP exporters. These packages are necessary for vllm's observability capabilities and should be retained.

---

119-119: NumPy 2.x compatibility verified across all dependencies.

All key packages in constraints-dev.txt are confirmed compatible with NumPy 2.2.6:

• SciPy 1.16.3 requires numpy >=1.25.2, <2.6.0
• Numba 0.61.2 explicitly adds/extends NumPy 2.2 support
• pandas 2.3.3 gained NumPy 2.x compatibility starting in pandas 2.2.2
• scikit-learn 1.7.2 has a minimum NumPy requirement of >=1.22
• PyTorch 2.6.0 supports numpy >=1.24,<3
• accelerate 1.11.0 declares a dependency on numpy<3.0.0,>=1.17

Code inspection confirmed no deprecated NumPy patterns (dtype aliases, version-specific code) in the codebase. The constraint file versions appear intentionally curated for NumPy 2.x compatibility.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}