chore: update lockfiles, fix lint errors

[JanPokorny]

Summary

Linked Issues

Documentation

• No Docs Needed:

If this PR adds new feature or changes existing. Make sure documentation is adjusted accordingly. If the docs is not needed, please explain why.

[gemini-code-assist]

Summary of Changes

Hello @JanPokorny, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically updates the project's Python dependencies to newer versions, ensuring the use of the latest features, bug fixes, and security patches. A significant refactoring effort was undertaken in the agentstack-cli to modernize file system interactions by adopting asynchronous path handling. Additionally, linting configurations were adjusted to prevent false positives related to these asynchronous changes.

Highlights

• Dependency Updates: Numerous Python packages across various project components have been updated to their latest versions, including core libraries like fastapi, openai, cryptography, litellm, and cachetools.
• New Dependencies Introduced: Several new dependencies have been added to the lockfiles, such as opentelemetry-instrumentation-httpx, opentelemetry-instrumentation-openai, markdown-it-py, mdurl, pygments, and typer (replacing typer-slim in some contexts), enhancing functionality or improving tooling.
• Asynchronous Path Handling Refactor: The agentstack-cli module has been refactored to utilize anyio.Path for asynchronous file system operations, replacing synchronous pathlib calls and improving performance for I/O-bound tasks.
• Linting Rule Adjustments: Specific linting rules (ASYNC250 and ASYNC212) have been added to the ignore list in pyproject.toml files for agentstack-sdk-py and agentstack-server to accommodate necessary code patterns.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• agents/canvas/uv.lock
  • Updated package versions for beeai-framework, cachetools, cryptography, fastapi, litellm, openai, proto-plus, pyjwt, rich, starlette, tenacity, tqdm, typer, wcwidth, and asgiref.
  • Added opentelemetry-instrumentation-httpx and opentelemetry-instrumentation-openai.
• agents/chat/uv.lock
  • Updated package versions for cachetools, cryptography, fastapi, litellm, openai, proto-plus, pyjwt, rich, starlette, tenacity, tqdm, typer, wcwidth, and asgiref.
  • Added opentelemetry-instrumentation-httpx and opentelemetry-instrumentation-openai.
• agents/form/uv.lock
  • Updated package versions for beeai-framework, cachetools, cryptography, fastapi, litellm, openai, proto-plus, pyjwt, rich, starlette, tenacity, tqdm, typer, wcwidth, and asgiref.
  • Added opentelemetry-instrumentation-httpx and opentelemetry-instrumentation-openai.
• agents/rag/uv.lock
  • Updated package versions for beeai-framework, cachetools, cryptography, fastapi, langchain-core, langsmith, litellm, openai, proto-plus, pyjwt, rich, starlette, tenacity, tqdm, typer, wcwidth, and asgiref.
  • Added opentelemetry-instrumentation-httpx and opentelemetry-instrumentation-openai.
• apps/agentstack-cli/src/agentstack_cli/commands/agent.py
  • Replaced pathlib.Path with anyio.Path for asynchronous file operations.
  • Converted synchronous file system calls (mkdir, resolve, write_bytes, write_text) to their asynchronous equivalents (await mkdir, await resolve, await write_bytes, await write_text).
• apps/agentstack-cli/src/agentstack_cli/commands/platform/init.py
  • Removed pathlib import.
  • Added anyio import.
  • Updated type hint for values_file to anyio.Path.
• apps/agentstack-cli/src/agentstack_cli/commands/platform/base_driver.py
  • Removed pathlib import.
  • Changed _get_export_import_paths method to be asynchronous.
  • Updated path manipulation from pathlib.PurePosixPath(guest_path).parent to os.path.dirname(guest_path).
• apps/agentstack-cli/src/agentstack_cli/commands/platform/lima_driver.py
  • Removed pathlib import.
  • Changed _get_export_import_paths method to be asynchronous and use anyio.Path.
• apps/agentstack-cli/src/agentstack_cli/commands/platform/wsl_driver.py
  • Removed pathlib import.
  • Updated path handling in create_vm and _get_export_import_paths to use anyio.Path and asynchronous methods.
• apps/agentstack-cli/uv.lock
  • Updated package versions for asgiref, authlib, cachetools, cryptography, faker, fastapi, jiter, openai, proto-plus, pyjwt, rich, starlette, tenacity, tqdm, typer, and wcwidth.
• apps/agentstack-sdk-py/pyproject.toml
  • Added ASYNC250 to the lint.ignore list.
• apps/agentstack-server/pyproject.toml
  • Added ASYNC212 to the lint.ignore list.
• examples/agent-integration/forms/initial-form-rendering/uv.lock
  • Updated package versions for asgiref, authlib, cachetools, cryptography, fastapi, proto-plus, starlette, tenacity, tqdm, typer, and wcwidth.
• examples/agent-integration/multi-turn/advanced-history/uv.lock
  • Updated package versions for cachetools, cryptography, fastapi, litellm, openai, proto-plus, rich, starlette, tenacity, tqdm, typer, and wcwidth.
  • Added markdown-it-py and mdurl.
• examples/agent-integration/multi-turn/basic-history/uv.lock
  • Updated package versions for cachetools, cryptography, fastapi, litellm, openai, proto-plus, rich, starlette, tenacity, tqdm, typer, and wcwidth.
  • Added markdown-it-py and mdurl.
• examples/deploy-agents/building-agents/implement-your-agent-logic/uv.lock
  • Updated package versions for cachetools, cryptography, fastapi, litellm, openai, proto-plus, rich, starlette, tenacity, tqdm, typer, and wcwidth.
  • Added markdown-it-py and mdurl.

Activity

• The pull request was created by JanPokorny with the title 'chore: update lockfiles, fix lint errors'.
• The pull request description includes a summary section, a linked issues section (currently empty), and a documentation checklist indicating no documentation is needed for this change.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates dependencies across multiple uv.lock files and refactors file handling in the agentstack-cli to use anyio.Path for asynchronous operations. A security audit identified three vulnerabilities: a critical High-severity Path Traversal in agent.py due to a Time-of-Check to Time-of-Use (TOCTOU) race condition, a Medium-severity Arbitrary File Read in base_driver.py, and Insecure Temporary File Creation in lima_driver.py. Additionally, the anyio.Path refactoring introduced critical bugs where synchronous methods are used with async objects or coroutines are not awaited. Specific comments detail these issues and provide remediation advice.

[gemini-code-assist]

This change from pathlib.Path to anyio.Path introduces a bug on the next line. anyio.Path.is_file() is a coroutine and must be awaited. The check if not values_file_path.is_file(): will not work as intended and will raise a RuntimeWarning. It should be if not await values_file_path.is_file():.

[gemini-code-assist]

configparser.read_file expects an iterable of lines, but await f.read() returns a single string. This will cause configparser to iterate over characters of the string, which is incorrect. You should use config.read_string() instead.

Additionally, the config.write(f) on line 93 will fail because config.write is synchronous and f is an async file object. The whole block needs to be refactored to handle configparser's synchronous nature.

Suggested change

	config.read_file(await f.read())
	config.read_string(await f.read())