Skip to content

License-binary drift on release/v1.2 #6372

Description

@xuang7

Task Summary

License-binary drift detected on release/v1.2 (run 29206730792, dispatched 2026-07-12). Must be resolved before cutting RC3. Two distinct categories:

1. JVM — amber/LICENSE-binary-java (1 entry, one-time stale fix)

Package LICENSE-binary Bundled
org.bouncycastle.bcprov-jdk18on 1.82 1.84

This is a leftover from #6316 (fix(deps, v1.2): upgrade bouncycastle to fix CVE-2025-14813): the dependencyOverrides pin was bumped to 1.84 but the amber/LICENSE-binary-java line was not updated. The version is pinned, so this does not drift again once fixed.

2. Python — amber/LICENSE-binary-python (10 entries, transitive drift)

Package LICENSE-binary Bundled
aiohappyeyeballs 2.6.2 2.7.1
charset-normalizer 3.4.7 3.4.9
filelock 3.29.4 3.29.7
greenlet 3.5.2 3.5.3
huggingface-hub 1.20.1 1.23.0
regex 2026.5.9 2026.7.10
scramp 1.4.9 1.4.12
tqdm 4.68.3 4.68.4
typer 0.25.1 0.26.8
tzdata 2026.2 2026.3

These are transitive packages pulled fresh from PyPI at check time (version ranges, not pinned), so the set keeps drifting. The refresh must land immediately before the RC3 tag; a gap of a few days will reintroduce drift.

How to resolve: update the two per-module LICENSE-binary files to match the bundled versions above, then re-run license-binary-checker.yml on release/v1.2 to confirm green.

Task Type

  • Refactor / Cleanup
  • DevOps / Deployment / CI
  • Testing / QA
  • Documentation
  • Performance
  • Other

Metadata

Metadata

Assignees

No one assigned

    Labels

    cichanges related to CI

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions