chore(deps): bump google-cloud-kms from 2.24.2 to 3.14.0 #6023
dependabot[bot] wants to merge 1 commit into
rtibblesbot
left a comment
Dependency bump review: google-cloud-kms 2.24.2 → 3.14.0, production dependency (requirements.in), major version bump.
- Breaking changes: the only breaking change across 2.x→3.x is pagination added to ListKeyHandles in the Autokey service.
  - Not applicable here — this project only uses KeyManagementServiceClient.crypto_key_path() and .decrypt() (contentcuration/contentcuration/utils/secretmanagement.py); no Autokey usage found repo-wide.
- Security fixes: none noted in the changelog.
- Peer-dependency changes: 3.14.0 raises the grpc-google-iam-v1 floor to >=0.14.0.
  - That floor breaks google-cloud-logging==2.7.1's pin (grpc-google-iam-v1<0.13,>=0.12.3).
  - So uv resolved google-cloud-logging back to 2.6.0 (see inline comment).
  - That forces google-cloud-appengine-logging down from 1.8.0 to 0.2.0.
  - Not blocking: no breaking changes between logging 2.6.0 and 2.7.1. google.cloud.logging isn't imported directly here — only pulled in transitively via google-cloud-error-reporting, whose own pin is unchanged.
- CI status: passing (14/14 checks).
No code changes required.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
| google-cloud-kms==3.14.0 | ||
| # via -r requirements.in | ||
| google-cloud-logging==2.7.1 | ||
| google-cloud-logging==2.6.0 |
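Review bot: google-cloud-logging appears at both 2.7.1 and 2.6.0 directly below the new google-cloud-kms==3.14.0 pin, so a PR titled as an upgrade also moves a transitive package backwards. Consider adding a lower bound such as google-cloud-logging>=2.7.1 to requirements.in so the resolver fails visibly instead of downgrading, and hold the kms bump until both packages can move forward together.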
✅ Resolved — addressed in the current code.
suggestion: see review summary.
Bumps [google-cloud-kms](https://github.com/googleapis/google-cloud-python) from 2.24.2 to 3.14.0.
- [Release notes](https://github.com/googleapis/google-cloud-python/releases)
- [Changelog](https://github.com/googleapis/google-cloud-python/blob/main/packages/google-cloud-documentai/CHANGELOG.md)
- [Commits](googleapis/google-cloud-python@google-cloud-kms-v2.24.2...google-cloud-kms-v3.14.0)

---
updated-dependencies:
- dependency-name: google-cloud-kms
  dependency-version: 3.14.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2d09dd0 to 95804ec
The dependency madness doesn't seem worthwhile here - will wait until we can do an upgrade that upgrades all packages rather than downgrading.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
rtibblesbot
left a comment
google-cloud-kms 2.24.2 → 3.14.0 (major bump, production dependency). This PR is closed, so no action is needed — recording final status for the record.
CI passing, but the maintainer closed this PR because the bump forces uv to raise the grpc-google-iam-v1 floor (0.12.4 → 0.14.4), which cascades into downgrading google-cloud-appengine-logging (1.8.0 → 0.2.0) and google-cloud-logging (2.7.1 → 2.6.0) — a net-negative dependency graph that isn't worth the kms upgrade. Waiting on an upstream resolution that raises rather than downgrades those transitive logging packages.
Prior-finding status
ACKNOWLEDGED — requirements.txt:110 — google-cloud-appengine-logging/google-cloud-logging downgrade via grpc-google-iam-v1 floor bump
Bumps google-cloud-kms from 2.24.2 to 3.14.0.
Release notes
Sourced from google-cloud-kms's releases.
Changelog
Sourced from google-cloud-kms's changelog.
... (truncated)
Commits
- a5ad18c chore: release main (#17482)
- f6937b3 chore(main): release google-cloud-bigtable 2.39.0 (#17497)
- 172302b ci(bigquery-storage): fix core_deps_from_source and prerelease_deps by in...
- e726878 fix(bigframes): world-readable temp zip in create_cloud_function (#17522)
- 2f893b1 fix: bump @angular/common, @angular/forms, @angular/platform-browser and @ang...
- f23063f fix: bump langsmith from 0.8.0 to 0.8.18 in /packages/bigframes (#17518)
- 6fc45e3 fix: bump undici and @angular/build in /packages/bigframes/bigframes/display/...
- 36b5b7e fix: bump msgpack from 1.1.1 to 1.2.1 in /packages/bigframes (#17520)
- 11de939 tests: add Python 3.15 pre-release testing (#17517)
- 0258405 fix(bigquery): close GAPIC storage transport and auth sessions to prevent soc...
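The downgrade cascade described in the review comments above passed CI, so comparing the lockfile before and after a bump is one way to surface it. The following is an added example, not code from this repository or from dependabot: the function names and lockfile excerpts are constructed for illustration, using the versions quoted in the comments, and it assumes plain numeric `name==x.y.z` pins.

```python
import re
import sys

# Constructed lockfile excerpts; pins are the versions quoted in the review comments.
BEFORE = """\
google-cloud-appengine-logging==1.8.0
google-cloud-kms==2.24.2
    # via -r requirements.in
google-cloud-logging==2.7.1
grpc-google-iam-v1==0.12.4
"""
AFTER = """\
google-cloud-appengine-logging==0.2.0
google-cloud-kms==3.14.0
    # via -r requirements.in
google-cloud-logging==2.6.0
grpc-google-iam-v1==0.14.4
"""

# name==1.2.3, optionally followed by an environment marker, comment or line continuation.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)\s*(?:[;#\\].*)?$")

def parse_pins(text):
    """Map normalised package name -> version tuple for each numeric `name==x.y.z` pin."""
    pins = {}
    for line in text.splitlines():
        m = PIN.match(line.strip())
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
            pins[name] = tuple(int(p) for p in m.group(2).split("."))
    return pins

def _older(a, b):
    """True if version tuple a sorts before b, zero-padding so 2.6 equals 2.6.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def find_downgrades(before, after):
    """Return {name: (old, new)} for packages pinned lower in `after` than in `before`."""
    old, new = parse_pins(before), parse_pins(after)
    return {n: (v, new[n]) for n, v in old.items() if n in new and _older(new[n], v)}

if __name__ == "__main__":
    found = find_downgrades(BEFORE, AFTER)
    for name, (old_v, new_v) in sorted(found.items()):
        print(f"DOWNGRADE {name}: {'.'.join(map(str, old_v))} -> {'.'.join(map(str, new_v))}")
    sys.exit(1 if found else 0)  # non-zero exit fails the CI job
```

Pre-release or local version suffixes do not match the pin pattern and are skipped rather than compared.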