pick more conservative upper version bounds for dependencies (#6862)

* enforce strict upper bounds for dependencies

going forward, we rely on dependabot to widen version ranges.

* update GHA actions (#22)

updated-dependencies:
- dependency-name: install-pinned/ruff
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: apple-actions/import-codesign-certs
  dependency-type: direct:production
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* restrict pytest

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -13,3 +13,15 @@ updates:
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 10
+    groups:
+      pytest:
+        patterns:
+        - "pytest*"
+        - "hypothesis"
+      pyinstaller:
+        patterns:
+        - "pyinstaller"
+      mypy:
+        patterns:
+        - "types-*"
+        - "mypy"

.github/workflows/autofix.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: install-pinned/ruff@50364bc42dfc4f7ed30b3a2c09a14c8c43a23bdf
+      - uses: install-pinned/ruff@f8793aa7caf0b3196d6ed1370aea45f3c06304a3
       - run: ruff --fix-only .
       - run: ruff format .
 

.github/workflows/main.yml

@@ -124,7 +124,7 @@ jobs:
       - if: startsWith(matrix.platform, 'macos') && github.repository == 'mitmproxy/mitmproxy'
             && (startsWith(github.ref, 'refs/heads/') || startsWith(github.ref, 'refs/tags/'))
         id: keychain
-        uses: apple-actions/import-codesign-certs@493007ed063995cf2d4fbca064704150548f8bb5
+        uses: apple-actions/import-codesign-certs@63fff01cd422d4b7b855d40ca1e9d34d2de9427d
         with:
           keychain: ${{ runner.temp }}/temp
           p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}

pyproject.toml

@@ -31,50 +31,58 @@ classifiers = [
 # https://packaging.python.org/en/latest/discussions/install-requires-vs-requirements/#install-requires
 # It is not considered best practice to use install_requires to pin dependencies to specific versions.
 dependencies = [
-    "aioquic>=1.0.0,<2.0.0",
-    "asgiref>=3.2.10,<3.9",
-    "Brotli>=1.0,<1.2",
-    "certifi>=2019.9.11",  # no semver here - this should always be on the last release!
-    "cryptography>=42.0,<42.1",
-    "flask>=3.0,<3.1",
-    "h11>=0.11,<0.15",
-    "h2>=4.1,<5",
-    "hyperframe>=6.0,<7",
-    "kaitaistruct>=0.10,<0.11",
-    "ldap3>=2.8,<2.10",
-    "mitmproxy_rs>=0.5.1,<0.6",
-    "msgpack>=1.0.0, <1.1.0",
-    "passlib>=1.6.5, <1.8",
-    "protobuf>=3.14,<6",
-    "pydivert>=2.0.3,<2.2; sys_platform == 'win32'",
-    "pyOpenSSL>=22.1,<24.2",
-    "pyparsing>=2.4.2,<3.2",
-    "pyperclip>=1.6.0,<1.9",
-    "ruamel.yaml>=0.16,<0.19",
-    "sortedcontainers>=2.3,<2.5",
-    "tornado>=6.2,<7",
-    "typing-extensions>=4.3,<5; python_version<'3.11'",
-    "urwid-mitmproxy>=2.1.1,<2.2",
-    "wsproto>=1.0,<1.3",
-    "publicsuffix2>=2.20190812,<3",
-    "zstandard>=0.15,<0.23",
+    "aioquic>=1.0.0,<=1.0.0",
+    "asgiref>=3.2.10,<=3.8.1",
+    "Brotli>=1.0,<=1.1.0",
+    "certifi>=2019.9.11",  # no upper bound here to get latest CA bundle
+    "cryptography>=42.0,<42.1",  # relaxed upper bound here to get security fixes
+    "flask>=3.0,<=3.0.3",
+    "h11>=0.11,<=0.14.0",
+    "h2>=4.1,<=4.1.0",
+    "hyperframe>=6.0,<=6.0.1",
+    "kaitaistruct>=0.10,<=0.10",
+    "ldap3>=2.8,<=2.9.1",
+    "mitmproxy_rs>=0.5.1,<0.6",  # relaxed upper bound here: we control this
+    "msgpack>=1.0.0,<=1.0.8",
+    "passlib>=1.6.5,<=1.7.4",
+    "protobuf>=3.14,<=5.26.1",
+    "pydivert>=2.0.3,<=2.1.0; sys_platform == 'win32'",
+    "pyOpenSSL>=22.1,<=24.1.0",
+    "pyparsing>=2.4.2,<=3.1.2",
+    "pyperclip>=1.6.0,<=1.8.2",
+    "ruamel.yaml>=0.16,<=0.18.6",
+    "sortedcontainers>=2.3,<=2.4.0",
+    "tornado>=6.2,<=6.4",
+    "typing-extensions>=4.3,<=4.11.0; python_version<'3.11'",
+    "urwid-mitmproxy>=2.1.1,<2.2",  # relaxed upper bound here: we control this
+    "wsproto>=1.0,<=1.2.0",
+    "publicsuffix2>=2.20190812,<=2.20191221",
+    "zstandard>=0.15,<=0.22.0",
 ]
 
 [project.optional-dependencies]
 dev = [
-    "click>=7.0,<8.2",
-    "hypothesis>=5.8,<7",
-    "pdoc>=4.0.0",
-    "pyinstaller==6.6.0",
-    "pytest-asyncio>=0.23.6,<0.24",
-    "pytest-cov>=5.0.0,<5.1",
-    "pytest-timeout>=2.3.1,<2.4",
-    "pytest-xdist>=3.5.0,<3.7",
-    "pytest>=8.1.1,<9,!=8.2.0,!=8.2.1",
-    "requests>=2.9.1,<3",
-    "tox>=3.5,<5",
-    "wheel>=0.36.2,<0.44",
-    "build>=0.10.0",
+    "click>=7.0,<=8.1.7",
+    "hypothesis>=5.8,<=6.102.4",
+    "pdoc>=4.0.0,<=14.5.0",
+    "pyinstaller>=6.6.0,<=6.6.0",
+    "pytest-asyncio>=0.23.6,<=0.23.7",
+    "pytest-cov>=5.0.0,<=5.0.0",
+    "pytest-timeout>=2.3.1,<=2.3.1",
+    "pytest-xdist>=3.5.0,<=3.6.1",
+    "pytest>=8.1.1,<=8.1.2",
+    "requests>=2.9.1,<=2.32.1",
+    "tox>=3.5,<=4.15.0",
+    "wheel>=0.36.2,<=0.43",
+    "build>=0.10.0,<=1.2.1",
+    "mypy>=1.6.1,<=1.10.0",
+    "ruff>=0.4.1,<=0.4.4",
+    "types-certifi>=2021.10.8.3,<=2021.10.8.3",
+    "types-Flask>=1.1.6,<=1.1.6",
+    "types-Werkzeug>=1.0.9,<=1.0.9",
+    "types-requests>=2.31.0.10,<=2.32.0.20240521",
+    "types-cryptography>=3.3.23.2,<=3.3.23.2",
+    "types-pyOpenSSL>=23.3.0.0,<=24.1.0.20240425",
 ]
 
 [project.urls]
@@ -290,8 +298,6 @@ commands =
 uv_resolution = lowest-direct
 
 [testenv:lint]
-deps =
-  ruff>=0.4.1,<0.5
 commands =
   ruff .
 
@@ -301,16 +307,6 @@ commands =
   python ./test/filename_matching.py
 
 [testenv:mypy]
-deps =
-  mypy==1.6.1
-  types-certifi==2021.10.8.3
-  types-Flask==1.1.6
-  types-Werkzeug==1.0.9
-  types-requests==2.31.0.10
-  types-cryptography==3.3.23.2
-  types-pyOpenSSL==23.3.0.0
-  -e .[dev]
-
 commands =
   mypy {posargs}