Skip to content

chore(deps-dev): update cyclonedx-bom requirement from <5.0.0,>=4.0.0 to >=4.0.0,<8.0.0#1148

Merged
jenstroeger merged 4 commits intomainfrom
dependabot/pip/main/cyclonedx-bom-gte-4.0.0-and-lt-8.0.0
Apr 24, 2026
Merged

chore(deps-dev): update cyclonedx-bom requirement from <5.0.0,>=4.0.0 to >=4.0.0,<8.0.0#1148
jenstroeger merged 4 commits intomainfrom
dependabot/pip/main/cyclonedx-bom-gte-4.0.0-and-lt-8.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Updates the requirements on cyclonedx-bom to permit the latest version.

Release notes

Sourced from cyclonedx-bom's releases.

v7.3.0 (2026-03-30)

Features

  • Add -S flag to skip *.pth evaluation during environment analysis (#1032, 55c15d7)

What's Changed

Full Changelog: CycloneDX/cyclonedx-python@v7.2.2...v7.3.0

Changelog

Sourced from cyclonedx-bom's changelog.

v7.3.0 (2026-03-30)

Features

  • Add -S flag to skip *.pth evaluation during environment analysis (#1032, 55c15d7)

v7.2.2 (2026-02-19)

Documentation

v7.2.1 (2025-10-29)

Documentation

v7.2.0 (2025-10-16)

Documentation

  • Add Changelog to project urls (5f38d75)

Features

v7.1.0 (2025-09-02)

Documentation

Features

  • Support runtime-dependency cyclonedx-python-lib v11 (#938, 7818754)

... (truncated)

Commits
  • e0d92e7 chore(release): 7.3.0
  • 55c15d7 feat: add -S flag to skip *.pth evaluation during environment analysis (#1032)
  • ecf8768 chore(deps-dev): Update uv requirement from 0.10.9 to 0.10.10 (#1026)
  • 00d862f chore(deps-dev): Update uv requirement from 0.10.7 to 0.10.9 (#1025)
  • fd51a5f chore(deps-dev): Update uv requirement from 0.10.2 to 0.10.7 (#1023)
  • 2ecae2b chore(release): 7.2.2
  • 9b06708 chore(deps-dev): Update uv requirement from 0.10.0 to 0.10.2 (#1019)
  • a6b7659 chore(deps-dev): Update uv requirement from 0.9.28 to 0.10.0 (#1018)
  • a2a9108 chore(deps): Update packaging requirement from ^22 || ^23 || ^24 || ^25 to ^2...
  • f35e9f2 chore(deps-dev): Update uv requirement from 0.9.13 to 0.9.28 (#1017)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 20, 2026
@dependabot dependabot Bot requested a review from jenstroeger as a code owner April 20, 2026 09:32
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 20, 2026
@dependabot dependabot Bot requested a review from behnazh as a code owner April 20, 2026 09:32
@dependabot dependabot Bot added the python Pull requests that update Python code label Apr 20, 2026
@dependabot dependabot Bot mentioned this pull request Apr 20, 2026
Closed
@jenstroeger
Copy link
Copy Markdown
Owner

jenstroeger commented Apr 20, 2026

@behnazh see also the failures in PR #1137, eg. this run.

@jenstroeger
Copy link
Copy Markdown
Owner

jenstroeger commented Apr 23, 2026
edited
Loading

@behnazh I think this rule in the Makefile

python-package-template/Makefile

Lines 107 to 110 in de34fc8

# Generate a Software Bill of Materials (SBOM).
.PHONY: sbom
sbom: requirements
cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
should change to

sbom: requirements
       python -m cyclonedx_py requirements --spec-version 1.7 --output-reproducible --output-format json --output-file dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json

Alternatively, we could build the SBOM directly from the venv (docs) without depending on the requirements.txt file.

@behnazh
Copy link
Copy Markdown
Collaborator

behnazh commented Apr 23, 2026

@behnazh I think this rule in the Makefile

python-package-template/Makefile

Lines 107 to 110 in de34fc8

# Generate a Software Bill of Materials (SBOM).
.PHONY: sbom
sbom: requirements
cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json

should change to

sbom: requirements
       python -m cyclonedx_py requirements --spec-version 1.7 --output-reproducible --output-format json --output-file dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json

Alternatively, we could build the SBOM directly from the venv (docs) without depending on the requirements.txt file.

I think we should keep using the already computed requirements.txt because if cyclonedx itself is on the venv, it might add itself and cause issues.

For the --spec-version 1.7 option, I would let the tool pick the default spec to avoid potentially breaking SBOM consumers. Or at least we should understand if there could be such implications.

dependabot Bot and others added 4 commits April 24, 2026 06:57
@dependabot @jenstroeger
chore(deps-dev): update cyclonedx-bom requirement
dbbac61 
Updates the requirements on [cyclonedx-bom](https://github.com/CycloneDX/cyclonedx-python) to permit the latest version.
- [Release notes](https://github.com/CycloneDX/cyclonedx-python/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-python/blob/main/CHANGELOG.md)
- [Commits](CycloneDX/cyclonedx-python@v4.0.0...v7.3.0)

---
updated-dependencies:
- dependency-name: cyclonedx-bom
  dependency-version: 7.3.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@jenstroeger
chore: fix regression
39dbab4
@jenstroeger
chore: don't pin SBOM version
81152b1
@jenstroeger
chore(deps): avoid crummy mypy version
adbe674
@jenstroeger jenstroeger force-pushed the dependabot/pip/main/cyclonedx-bom-gte-4.0.0-and-lt-8.0.0 branch from eedff9d to adbe674 Compare April 23, 2026 20:57
@jenstroeger
Copy link
Copy Markdown
Owner

jenstroeger commented Apr 23, 2026

Looks like the latest mypy is a bit buggy (see here) so we pin it like we did in PR #1152.

@jenstroeger jenstroeger merged commit e95237a into main Apr 24, 2026
17 checks passed
@jenstroeger jenstroeger deleted the dependabot/pip/main/cyclonedx-bom-gte-4.0.0-and-lt-8.0.0 branch April 24, 2026 01:43
@jenstroeger jenstroeger mentioned this pull request Apr 24, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh behnazh behnazh approved these changes

@jenstroeger jenstroeger Awaiting requested review from jenstroeger jenstroeger is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jenstroeger @behnazh