mobile: isolate black formatter into mobile-specific pip_parse, update to 26.3.1 #44240

Draft
Copilot wants to merge 3 commits into main from copilot/remove-black-from-requirements
Copilot AI commented Apr 2, 2026

PR #43605 accidentally added black to tools/base/requirements.in — the shared base_pip3 pip_parse used across the entire repo — even though black is only used by Envoy Mobile for Python formatting. This bloated the shared lockfile with black and its transitive deps. Additionally, black 25.12.0 has a known vulnerability (arbitrary file writes via unsanitized cache file names; patched in 26.3.1).

Changes

  • tools/base/requirements.in — remove black
  • tools/base/requirements.txt — remove black==25.12.0 and its exclusively-black transitive deps (click, mypy-extensions, pytokens); strip # black from via comments on pathspec, platformdirs, and packaging (which have other dependents)
  • mobile/tools/requirements.in (new) — single entry: black
  • mobile/tools/requirements.txt (new) — locked lockfile with black==26.3.1 (patched) and all transitive deps with hashes; pathspec updated to 1.0.4 to satisfy black 26.3.1's raised floor of >=1.0.0
  • bazel/python_dependencies.bzl — add mobile_pip3 pip_parse pointing at @envoy//mobile/tools:requirements.txt
  • bazel/dependency_imports.bzl — load and call pip_mobile_dependencies() from @mobile_pip3
  • mobile/tools/BUILD — update black target: @base_pip3//black → @mobile_pip3//black

Original prompt

Problem

PR #43605 ("mobile: re-add Python APIs") accidentally added black as a direct dependency in tools/base/requirements.in — the main/shared Python requirements file used by the base_pip3 pip_parse. This bloats the shared lockfile with black and all its transitive deps, even though black is only used by Envoy Mobile for formatting Python code in mobile/tools/check_format.sh.

Where black is used

  1. mobile/tools/BUILD — defines a py_console_script_binary target named black pulling from @base_pip3//black
  2. mobile/tools/check_format.sh — builds //tools:black and runs it on library/python, test/python, examples/python
  3. mobile/pyproject.toml — has [tool.black] config

Required Changes (Option A — mobile-specific pip_parse)

  1. Remove black from tools/base/requirements.in (line 8) — delete the black line.

  2. Regenerate tools/base/requirements.txt — remove the black package entry and all its hashes from the lockfile, and remove # black from the # via comments for transitive deps like pathspec, platformdirs, click, mypy-extensions, and packaging. If any of those transitive deps are ONLY pulled in by black (i.e., no other package requires them), remove those entries entirely. If they have other dependents, just remove the # black line from their # via comments.

  3. Create mobile/tools/requirements.in containing just:

    black
    
  4. Create mobile/tools/requirements.txt — a pip-compile lockfile for black and its transitive dependencies with hashes (--require-hashes compatible). You can extract the relevant entries (black, click, mypy-extensions, pathspec, platformdirs, and their hashes) from the current tools/base/requirements.txt since they were just added there.

  5. Add a new pip_parse in bazel/python_dependencies.bzl inside the envoy_python_dependencies() function:

    pip_parse(
        name = "mobile_pip3",
        python_interpreter_target = "@python3_12_host//:python",
        requirements_lock = "@envoy//mobile/tools:requirements.txt",
        extra_pip_args = ["--require-hashes"],
    )

  6. Load and install the new mobile_pip3 deps in bazel/dependency_imports.bzl:

    • Add a load: load("@mobile_pip3//:requirements.bzl", pip_mobile_dependencies = "install_deps")
    • Call pip_mobile_dependencies() in the envoy_dependency_imports() function alongside the existing pip_dependencies(), pip_dev_dependencies(), etc.

  7. Update mobile/tools/BUILD to reference @mobile_pip3//black instead of @base_pip3//black:

    py_console_script_binary(
        name = "black",
        pkg = "@mobile_pip3//black",
    )

Important Notes

  • The tools/base/requirements.txt lockfile uses --require-hashes, so the new mobile/tools/requirements.txt must also include hashes for all packages.
  • Make sure to check which transitive deps in tools/base/requirements.txt list black in their # via comments — if black is the only dependent, remove those entries entirely from the base lockfile. Key ones to check: click, mypy-extensions, pathspec, platformdirs, packaging (packaging has many other dependents so just remove the # black via line).
  • The pathspec package is also used # via yamllint so it should NOT be removed from base, just have # black removed from its via comments.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: recently black was added as a python dep for mobile - it wasn't supposed to be in the main deps - can you look what happened, confirm where it's used, and figure out resolution

Assistant:

Let me research this issue by looking at how black was added as a dependency and where it's referenced.

Assistant: The commit search is matching on a contributor named "ravenblackx" rather than being useful. Let me look more specifically at where black is used and check the git history on the relevant files.

Assistant: Now let me check if there's a separate mobile-specific requirements file where black should live instead, and look at git history for when black was added to tools/base/requirements.in:

Assistant: Here's what I found:

What happened

PR #43605 ("mobile: re-add Python APIs") by @danzh2010, merged on 2026-03-03, added black as a direct dependency in tools/base/requirements.in (line 8). This is the main/shared Python requirements file used by the base_pip3 pip_parse — it feeds all Bazel Python tooling across the entire repository, not just mobile.

Where black is actually used

black is only used by Envoy Mobile for formatting Python code:

  1. mobile/tools/BUILD — defines a py_console_script_binary target named black that pulls from @base_pip3//black
  2. mobile/tools/check_format.sh — builds `//tools:black...

This pull request was created from Copilot chat.
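
Added example, not part of the PR or of Envoy's tooling: a sketch of the lockfile pruning that step 2 of the prompt above describes, generalized to chains of dependencies that are reachable only through the removed package. It assumes pip-compile's `# via` comment layout; `parse_lock` and `prune` are hypothetical names, and the sample lockfile is constructed.

```python
import re
# Constructed excerpt in pip-compile layout. Only black's version comes from the
# PR; the other versions and every hash are placeholders.
SAMPLE_LOCK = """\
black==25.12.0 \\
    --hash=sha256:0000
    # via -r requirements.in
click==0.0.0 \\
    --hash=sha256:0000
    # via black
pathspec==0.0.0 \\
    --hash=sha256:0000
    # via
    #   black
    #   yamllint
yamllint==0.0.0 \\
    --hash=sha256:0000
    # via -r requirements.in
"""

def parse_lock(text):
    """Map package name -> (pin and hash lines, '# via' entries), in file order."""
    blocks = {}
    for chunk in re.split(r"(?m)^(?=[A-Za-z0-9])", text)[1:]:
        lines = [l for l in chunk.splitlines() if l.strip()]
        notes = [l.strip()[1:].strip() for l in lines if re.match(r"[ \t]+#", l)]
        via = [e for e in (re.sub(r"^via(\s+|$)", "", n) for n in notes) if e]
        pins = [l for l in lines if not l.lstrip().startswith("#")]
        blocks[re.split(r"[=\[ ]", pins[0])[0].lower()] = (pins, via)
    return blocks

def prune(text, target):
    """Drop target and packages required only through it; fix '# via' comments."""
    blocks, removed, changed = parse_lock(text), {target}, True
    while changed:  # fixed point, so deps of a dropped dep are dropped too
        changed = False
        for name, (_, via) in blocks.items():
            if name not in removed and via and set(via) <= removed:
                removed.add(name)
                changed = True
    out = []
    for pins, via in (b for n, b in blocks.items() if n not in removed):
        kept = [v for v in via if v not in removed]
        out += pins
        if len(kept) == 1:
            out.append("    # via " + kept[0])
        elif kept:
            out += ["    # via"] + ["    #   " + v for v in kept]
    return "\n".join(out) + "\n", sorted(removed)
```

`prune(SAMPLE_LOCK, "black")` drops black and click and leaves pathspec with a single `# via yamllint` line. The result is a review aid for checking a hand-edited lockfile; file header comments before the first package are not carried over.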

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44240 was opened by Copilot.

see: more, trace.

Copilot AI changed the title from "[WIP] Remove black as a direct dependency from shared requirements" to "mobile: isolate black formatter into mobile-specific pip_parse, update to 26.3.1" on Apr 2, 2026
Copilot finished work on behalf of phlax April 2, 2026 16:36
Copilot AI requested a review from phlax April 2, 2026 16:36