chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /python/agents/short-movie-agents#2174
Conversation
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.8. - [Release notes](https://github.com/authlib/joserfc/releases) - [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst) - [Commits](authlib/joserfc@1.6.4...1.6.8) --- updated-dependencies: - dependency-name: joserfc dependency-version: 1.6.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
📋 Maintainability Review Summary
This PR updates the financial advisor agent to use uv for package management, adds linting configurations, and sets up module-level environment defaults.
🔍 Findings
🟡 Medium - Import-time side-effects & environment manipulation
File: python/agents/financial-advisor/financial_advisor/__init__.py (line 21)
Running credential resolution (google.auth.default()) and mutating environment variables (os.environ) at import-time can raise unexpected errors (e.g., DefaultCredentialsError) when the package is imported for static analysis, unit testing, or CLI commands that do not require GCP credentials. Also, hardcoded defaults like 'global' and 'True' act as magic strings.
Suggested Improvement:
Consider encapsulating environment initialization in a configuration helper function or lazy property rather than executing them at import-time.
# Suggested refactoring for lazy initialization:
def initialize_env():
import google.auth
_, project_id = google.auth.default()
os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)
os.environ.setdefault("GOOGLE_CLOUD_LOCATION", "global")
os.environ.setdefault("GOOGLE_GENAI_USE_VERTEXAI", "True")
Bumps joserfc from 1.6.4 to 1.6.8.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
ea1d9e3chore: release 1.6.886d0091Reject empty oct key material and empty HMAC keys at sign/verify entry1e5b94dchore: release 1.6.775d9f95fix(typing): use cast for type hints6d24037Merge pull request #98 from jonathangreen/algorithms-accept-collection102a7a7fix(typing): accept any Collection for algorithms, not just list8b869e8chore: release 1.6.600d599bchore: update actions9186561Merge pull request #97 from authlib/fix-b644d4ea2efix(jws): validate payload size for b64=falseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.