chore: Added upper version bounds to dependencies in "pyproject.toml"

George Weale · copybara-github · commit a74d3344bc19 · 2025-08-13T12:03:47.000-07:00
This change keeps dependencies to their major versions, but for the pre 1.0.0 releases pinned to minor releases as they could have breaking changes.

PyYAML: Version 7.0 is in development and could have breaking changes

absolufy-imports: The package is archived and no longer maintained.

anyio: Follows SemVer, so version 5.0 could have breaking changes.

authlib: Follows a SemVer-like pattern, so version 2.0 could have breaking changes.

click: A mature library, version 9.0 is the expected boundary for breaking changes.

fastapi: As a pre-1.0 library, the next minor release could have breaking changes.

google-api-python-client: Although in maintenance, version 3.0 could still have breaking changes.

google-cloud-aiplatform: Follows SemVer, so breaking changes are expected in version 2.0.

google-cloud-secret-manager: A stable Google library, version 3.0 could lead to breaking changes.

google-cloud-speech: A stable Google library, version 3.0 could lead to breaking changes.

google-cloud-storage: A stable Google library.

google-genai: As an official Google SDK, version 2.0 is the expected boundary for breaking changes.

graphviz: As a pre-1.0 library, the next minor release could have breaking changes.

mcp: As an SDK, version 2.0 is the boundary for potential breaking changes.

opentelemetry-api: Follows SemVer; version 2.0 could have breaking changes.

opentelemetry-exporter-gcp-trace: It's tied to the v1 OpenTelemetry API, so version 2.0 would likely be a breaking change.

opentelemetry-sdk: It's coupled to the v1 API, so version 2.0 would likely be a breaking change.

pydantic: This stops upgrades to the incompatible version 3.0 after its major 2.0 rewrite.

python-dateutil: Follows to SemVer, making version 3.0 the boundary for potential breaking changes.

python-dotenv: Locks to stable version 1.0 major release.

requests: As a more mature library, version 3.0 is boundary for breaking changes.

sqlalchemy: This locks the dependency to the stable version 2.0 API after its major rewrite.

starlette: As a pre-1.0 library, the next minor release could have breaking changes.

tenacity: This is a mature library, version 9.0 is boundary for breaking changes.

typing-extensions: Major versions are tied to large typing changes in Python itself.

tzlocal: The library has a history of introducing breaking API changes between major versions.

uvicorn: As a pre-1.0 library, the next minor release could have breaking changes.

watchdog: As a stable library, version 7.0 could have breaking changes.

websockets: Follows SemVer, so version 16.0 is the boundary for breaking changes.
PiperOrigin-RevId: 794677571
diff --git a/pyproject.toml b/pyproject.toml
@@ -25,36 +25,36 @@ classifiers = [ # List of https://pypi.org/classifiers/
 ]
 dependencies = [
   # go/keep-sorted start
-  "PyYAML>=6.0.2",                                  # For APIHubToolset.
-  "absolufy-imports>=0.3.1",                        # For Agent Engine deployment.
-  "anyio>=4.9.0;python_version>='3.10'",            # For MCP Session Manager
-  "authlib>=1.5.1",                                 # For RestAPI Tool
-  "click>=8.1.8",                                   # For CLI tools
-  "fastapi>=0.115.0",                               # FastAPI framework
-  "google-api-python-client>=2.157.0",              # Google API client discovery
-  "google-cloud-aiplatform[agent_engines]>=1.95.1", # For VertexAI integrations, e.g. example store.
-  "google-cloud-secret-manager>=2.22.0",            # Fetching secrets in RestAPI Tool
-  "google-cloud-spanner>=3.56.0",                   # For Spanner database
-  "google-cloud-speech>=2.30.0",                    # For Audio Transcription
+  "PyYAML>=6.0.2, <7.0.0",                          # For APIHubToolset.
+  "absolufy-imports>=0.3.1, <1.0.0",                # For Agent Engine deployment.
+  "anyio>=4.9.0, <5.0.0;python_version>='3.10'",    # For MCP Session Manager
+  "authlib>=1.5.1, <2.0.0",                         # For RestAPI Tool
+  "click>=8.1.8, <9.0.0",                           # For CLI tools
+  "fastapi>=0.115.0, <1.0.0",                       # FastAPI framework
+  "google-api-python-client>=2.157.0, <3.0.0",      # Google API client discovery
+  "google-cloud-aiplatform[agent_engines]>=1.95.1, <2.0.0", # For VertexAI integrations, e.g. example store.
+  "google-cloud-secret-manager>=2.22.0, <3.0.0",    # Fetching secrets in RestAPI Tool
+  "google-cloud-spanner>=3.56.0, <4.0.0",           # For Spanner database
+  "google-cloud-speech>=2.30.0, <3.0.0",            # For Audio Transcription
   "google-cloud-storage>=2.18.0, <3.0.0",           # For GCS Artifact service
-  "google-genai>=1.21.1",                           # Google GenAI SDK
-  "graphviz>=0.20.2",                               # Graphviz for graph rendering
-  "mcp>=1.8.0;python_version>='3.10'",              # For MCP Toolset
-  "opentelemetry-api>=1.31.0",                      # OpenTelemetry
-  "opentelemetry-exporter-gcp-trace>=1.9.0",
-  "opentelemetry-sdk>=1.31.0",
+  "google-genai>=1.21.1, <2.0.0",                   # Google GenAI SDK
+  "graphviz>=0.20.2, <1.0.0",                       # Graphviz for graph rendering
+  "mcp>=1.8.0, <2.0.0;python_version>='3.10'",      # For MCP Toolset
+  "opentelemetry-api>=1.31.0, <2.0.0",              # OpenTelemetry
+  "opentelemetry-exporter-gcp-trace>=1.9.0, <2.0.0",
+  "opentelemetry-sdk>=1.31.0, <2.0.0",
   "pydantic>=2.0, <3.0.0",                          # For data validation/models
-  "python-dateutil>=2.9.0.post0",                   # For Vertext AI Session Service
-  "python-dotenv>=1.0.0",                           # To manage environment variables
-  "requests>=2.32.4",
-  "sqlalchemy>=2.0",                                # SQL database ORM
-  "starlette>=0.46.2",                              # For FastAPI CLI
-  "tenacity>=8.0.0",                                # For Retry management
+  "python-dateutil>=2.9.0.post0, <3.0.0",           # For Vertext AI Session Service
+  "python-dotenv>=1.0.0, <2.0.0",                   # To manage environment variables
+  "requests>=2.32.4, <3.0.0",
+  "sqlalchemy>=2.0, <3.0.0",                        # SQL database ORM
+  "starlette>=0.46.2, <1.0.0",                      # For FastAPI CLI
+  "tenacity>=8.0.0, <9.0.0",                        # For Retry management
   "typing-extensions>=4.5, <5",
-  "tzlocal>=5.3",                                   # Time zone utilities
-  "uvicorn>=0.34.0",                                # ASGI server for FastAPI
-  "watchdog>=6.0.0",                                # For file change detection and hot reload
-  "websockets>=15.0.1",                             # For BaseLlmFlow
+  "tzlocal>=5.3, <6.0",                             # Time zone utilities
+  "uvicorn>=0.34.0, <1.0.0",                        # ASGI server for FastAPI
+  "watchdog>=6.0.0, <7.0.0",                        # For file change detection and hot reload
+  "websockets>=15.0.1, <16.0.0",                    # For BaseLlmFlow
   # go/keep-sorted end
 ]
 dynamic = ["version"]
