
NPA-6797: Dependabot upgrades #135

Open
ehallam wants to merge 6 commits into main from task/NPA-6797/resolve-dependabot-issues-19-05-2026

Conversation


@ehallam ehallam commented May 19, 2026

Pull Request

🧾 Ticket Link

https://nhsd-jira.digital.nhs.uk/browse/NPA-6797


📄 Description/Summary of Changes

  • Handles all the open dependabot upgrades

🧪 Developer Testing Carried Out


📋 PR Principles

  • Keep PRs Small and Focused: Ensure the PR addresses a single task or feature to make it easier to review.
  • Multiple PRs for one Ticket: When splitting work into multiple PRs, clearly describe what this PR addresses and outline the remaining work to complete the ticket.
  • Ensure Tests Are Included: Add or update unit, integration, or end-to-end tests to cover the changes made.
  • Follow Coding Standards: Ensure the code adheres to the team's coding guidelines and best practices.
  • Resolve Comments Promptly: If you raise a comment, ensure you follow up and resolve it before approving the PR to maintain clarity and ensure comments are addressed.
  • Foster Learning: PR reviews are an opportunity to share knowledge, provide constructive feedback, and encourage a collaborative environment.

🏷️ Naming Conventions Reminder

Please ensure the following naming conventions are followed:

  • PR title follows the format: NPA-XXXX: <short-description>
  • Branch name follows the convention: <type>/NPA-XXXX/<short-description>
  • Commit messages follow the template: NPA-XXXX: <short-description>

Copilot AI review requested due to automatic review settings May 19, 2026 12:41

Copilot AI left a comment


Pull request overview

Updates Python dependencies and GitHub Actions to address outstanding Dependabot alerts, keeping the service’s runtime/tooling current and security-scanned.

Changes:

  • Bump Python deps: requests to 2.33.0, gunicorn to 25.3.0 (and refresh uv.lock accordingly).
  • Upgrade CodeQL GitHub Action to v4.35.3.
  • Upgrade astral-sh/setup-uv GitHub Action to v8.0.0 across composite actions.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

File summary:

  • uv.lock: Regenerated lockfile reflecting upgraded requests/gunicorn.
  • pyproject.toml: Updates dependency group pins/ranges and uv overrides for requests.
  • .github/workflows/codeql-analysis.yml: Upgrades CodeQL action SHA/tag.
  • .github/actions/setup-python-dependencies/action.yaml: Upgrades setup-uv and continues using version-file for uv selection.
  • .github/actions/run-unit-tests/action.yaml: Upgrades setup-uv used by unit test composite action.
  • .github/actions/ruff-format/action.yaml: Upgrades setup-uv used by ruff format composite action.
  • .github/actions/ruff-checks/action.yaml: Upgrades setup-uv used by ruff checks composite action.
  • .github/actions/check-uv-lock/action.yaml: Upgrades setup-uv used by uv lock check composite action.


steps:
- name: Install the latest version of uv
uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
steps:
- name: Install the latest version of uv
uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
steps:
- name: Install the latest version of uv
uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
@@ -5,7 +5,7 @@ runs:
using: "composite"
steps:
- name: Install the latest version of uv
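Review bot: the setup-uv bumps in these hunks keep the step name "Install the latest version of uv" while pinning the action to a fixed commit (astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0), and the setup-python-dependencies action selects the uv version from a version file rather than taking the latest; consider renaming the step to "Install uv" so the workflow log does not imply a floating version. Before merging, confirm that the new SHA actually resolves to the upstream v8.0.0 tag, because the trailing "# v8.0.0" comment is the only human-readable indication of what is pinned and nothing in the workflow checks that the two agree. The final hunk (@@ -5,7 +5,7 @@ runs:) is cut off after its context lines, so the change it carries cannot be reviewed from what is shown here.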
@ehallam ehallam temporarily deployed to internal-dev-sandbox May 19, 2026 12:51 — with GitHub Actions Inactive
@ehallam ehallam temporarily deployed to internal-dev-sandbox May 19, 2026 13:54 — with GitHub Actions Inactive