@tisnik tisnik commented Jan 5, 2026

Description

LCORE-1140: Update dependencies

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1140

Summary by CodeRabbit

  • Chores
    • Updated dependencies to newer patch and minor versions across supported architectures. Specific updates: aiohttp (3.13.3), certifi (2026.1.4), filelock (3.20.2), and pillow (12.1.0). Changes applied to all architecture-specific requirement files.

coderabbitai bot commented Jan 5, 2026

Walkthrough

The pull request updates four package dependencies across two platform-specific requirements files: aiohttp (3.13.2 → 3.13.3), certifi (2025.11.12 → 2026.1.4), filelock (3.20.1 → 3.20.2), and pillow (12.0.0 → 12.1.0), with corresponding hash recalculations for package integrity verification.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Platform-specific requirements updates: requirements.aarch64.txt, requirements.x86_64.txt | Updated four dependencies with new versions and hashes: aiohttp 3.13.2→3.13.3, certifi 2025.11.12→2026.1.4, filelock 3.20.1→3.20.2, pillow 12.0.0→12.1.0. Pillow update includes extensive hash block replacement. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: updating dependencies across aiohttp, certifi, filelock, and pillow packages. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76dcbb3 and 240c4a6.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • requirements.aarch64.txt
  • requirements.x86_64.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E: server mode / azure
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: library mode / azure
  • GitHub Check: E2E: library mode / vertexai
  • GitHub Check: E2E: library mode / ci
  • GitHub Check: E2E: server mode / vertexai
🔇 Additional comments (5)
requirements.x86_64.txt (1)

13-133: Dependency bumps look consistent; please rely on CI and release‑note checks for these post‑cutoff versions

The version and hash updates for:

  • aiohttp==3.13.3
  • certifi==2026.1.4
  • filelock==3.20.2
  • pillow==12.1.0

all look mechanically generated and structurally correct (line continuations, comments, and hash formatting are intact). No obvious lockfile corruption or manual editing mistakes.

Since all four versions are newer than my knowledge cutoff, please make sure:

  • CI runs the full HTTP / TLS / filesystem‑locking / image‑processing test surface.
  • You’ve skimmed the upstream changelogs for any breaking or deprecation notes relevant to your usage.
  • The corresponding aarch64 / generic lockfiles and containers are built and healthy, to avoid cross‑platform skew.

Also applies to: 251-253, 745-747, 2104-2195

requirements.aarch64.txt (4)

13-133: aiohttp 3.13.3 bump looks mechanical; confirm runtime compatibility

The version bump and hash block look like a clean uv recompile. From a packaging perspective this is fine; just ensure:

  • pyproject.toml and requirements.x86_64.txt are in sync with 3.13.3.
  • Existing aiohttp usage (especially low‑level client/server APIs and HTTP/2 behavior) passes your regression suite under this new patch version.

251-253: certifi pin updated to 2026.1.4; verify this is the intended CA bundle

The new certifi version and hashes look consistent with an automated lockfile refresh. Since this affects TLS trust roots globally, confirm:

  • This version matches what you expect from upstream tooling/security guidance.
  • Downstream HTTP/TLS clients still behave as expected in your target environments.

745-747: filelock 3.20.2 upgrade appears safe; watch for locking semantics changes

Minor bump with regenerated hashes only. Please:

  • Confirm the same version is used on all platforms (aarch64/x86_64).
  • Run any workflows that rely heavily on filelock (e.g., shared cache/model downloads) to ensure no regressions in lock behavior or performance.

2104-2195: pillow 12.1.0 + hashes look consistent; check image/codec paths in tests

Large hash set is expected for many‑wheel packages like Pillow; the block looks syntactically correct and generated. Given Pillow’s binary/codec surface area, please:

  • Confirm requirements.x86_64.txt pins the same version.
  • Run image‑heavy tests (PNG/JPEG/WebP, resizing, RGBA conversions, etc.) on aarch64 to catch any ABI or behavior changes from 12.0.0 → 12.1.0.

@tisnik tisnik merged commit 049a7ed into lightspeed-core:main Jan 5, 2026
19 of 27 checks passed
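
The review above asks that both architecture files pin the same versions and that every pin keeps its hash block. One way to check that mechanically, as an added example that is not part of this PR or the project's tooling: the sample files and their digests are constructed placeholders, and `parse_pins`, `audit` and `digest` are hypothetical helper names.

```python
import re

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")

def parse_pins(text):
    """Map normalized package name -> (version, set of sha256 digests)."""
    pins = {}
    # Join backslash continuations so each requirement is one logical line.
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        m = PIN_RE.match(line.strip())  # comment and blank lines do not match
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = (m.group(2), set(HASH_RE.findall(line)))
    return pins

def audit(files):
    """files: {label: file text}. Report missing pins, version skew, unhashed pins."""
    parsed = {label: parse_pins(text) for label, text in files.items()}
    findings = []
    for name in sorted(set().union(*parsed.values())):
        versions = {lbl: p[name][0] for lbl, p in parsed.items() if name in p}
        absent = sorted(set(parsed) - set(versions))
        if absent:
            findings.append(f"{name}: not pinned in {', '.join(absent)}")
        if len(set(versions.values())) > 1:
            findings.append(f"{name}: version skew {versions}")
        for lbl, p in parsed.items():
            if name in p and not p[name][1]:
                findings.append(f"{name}: no sha256 hash in {lbl}")
    return findings

def digest(ch):  # constructed placeholder digest, not a real wheel hash
    return "sha256:" + ch * 64

# Constructed sample files: pillow lags on x86_64 and certifi lost its hash there.
AARCH64 = f"""\
aiohttp==3.13.3 \\
    --hash={digest('a')} \\
    --hash={digest('b')}
    # via example-app (constructed)
certifi==2026.1.4 \\
    --hash={digest('c')}
pillow==12.1.0 \\
    --hash={digest('d')}
"""
X86_64 = AARCH64.replace("pillow==12.1.0", "pillow==12.0.0").replace(
    f"certifi==2026.1.4 \\\n    --hash={digest('c')}", "certifi==2026.1.4")
FINDINGS = audit({"requirements.aarch64.txt": AARCH64,
                  "requirements.x86_64.txt": X86_64})
```

Run against the real files in CI, a non-empty result from `audit` is a reason to fail the build before the image is assembled.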