
build(deps): bump boto3-stubs from 1.43.19 to 1.43.30 #21037

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/boto3-stubs-1.43.30


Conversation

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026


Bumps boto3-stubs from 1.43.19 to 1.43.30.

Release notes

Sourced from boto3-stubs's releases.

8.8.0 - Python 3.8 runtime is back

Changed

  • [services] install_requires section is calculated based on dependencies in use, so typing-extensions version is set properly
  • [all] Replaced typing imports with collections.abc with a fallback to typing for Python <3.9
  • [all] Added aliases for builtins.list, builtins.set, builtins.dict, and builtins.type, so Python 3.8 runtime should work as expected again (reported by @YHallouard in #340 and @Omri-Ben-Yair in #336)
  • [all] Unions use the same type annotations as the rest of the structures due to proper fallbacks

Fixed

  • [services] Universal input/output shapes were not replaced properly in service subresources
  • [docs] Simplified doc links rendering for services
  • [services] Cleaned up unnecessary imports in client.pyi
  • [builder] Import records with fallback are always rendered

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Dev-only stub version bump with no runtime or business-logic changes.

Overview
Bumps the optional dev dependency boto3-stubs from 1.43.19 to 1.43.30: pyproject.toml now requires >=1.43.30, and poetry.lock is refreshed for that package (including the pinned boto3 extra at 1.43.30 and a new sagemakerjobruntime stub extra in the lockfile).

There are no application code changes—only typing stubs used with mypy for AWS/boto3 (e.g. the Data Layer S3 plugin).

Reviewed by Cursor Bugbot for commit fe47317. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [boto3-stubs](https://github.com/youtype/mypy_boto3_builder) from 1.43.19 to 1.43.30.
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

---
updated-dependencies:
- dependency-name: boto3-stubs
  dependency-version: 1.43.30
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner June 23, 2026 20:27
@dependabot dependabot[bot] added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Jun 23, 2026
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    | Package                            | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | pypi/boto3-stubs@1.43.19 ⏵ 1.43.30 | 100                   | 100           | 100     | 100         | 100


@github-actions


🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update for supply-chain risk: checking lockfile changes, upstream package metadata, and how the repo uses boto3-stubs.
Verdict: benign

This is a routine patch bump of a well-known dev-only typing stub package from the established youtype/mypy_boto3_builder project. No malware indicators were found.

Top evidence

  • Package identity is legitimate. boto3-stubs 1.43.30 is published on PyPI by Vlad Emelianov (vlad.emelianov.nz@gmail.com), the maintainer of mypy-boto3-builder. The description matches the lockfile: type annotations for boto3 1.43.30.
  • Lockfile integrity checks out. poetry.lock SHA256 hashes for both the wheel and sdist match PyPI exactly (f9c35131…, 5c53e524…). No checksum anomalies.
  • Scope is minimal and expected. The PR only updates pyproject.toml (>=1.43.30) and poetry.lock. No .github/workflows/, vendor/, or application code changes. boto3-stubs[essential] is an optional dev dependency used for mypy typing (e.g. mypy_boto3_s3 under TYPE_CHECKING in chia/data_layer/s3_plugin_service.py); it is stubs-only and not runtime code.
  • No obfuscation or GlassWorm signals. Scanner reported 0 unicode, confusable, and IOC findings. Stub packages contain .pyi annotations, not executable payloads — no eval/exec, install scripts, or suspicious network/fs behavior expected or observed.
  • Version jump is normal. 1.43.19 → 1.43.30 is an incremental boto3 API sync, not a suspicious semver skip. Release notes describe typing/import fixes (Python 3.8 fallback, collections.abc imports), which fit this package.

Scanner findings — false positives (disagree with malware interpretation)

Finding: ghost_version_or_missing_tag for 1.43.30
Why it is not concerning: Scanner used resolution_strategy: unresolved and could not map PyPI version to a git tag in the builder repo. boto3-stubs versions are auto-published PyPI releases tracking boto3, not builder-repo tags. Version 1.43.30 exists on PyPI with valid artifacts.

Finding: maintainer_drift (npm-maintainers)
Why it is not concerning: Heuristic is npm-oriented and not applicable to this Python package. Publisher is unchanged (Vlad Emelianov).

Action: Safe to merge from a supply-chain perspective. The scanner warn status reflects heuristic limits on unresolved upstream refs, not evidence of compromise.

Compatibility Analysis

Investigating how boto3-stubs is declared and used, and what changed in the upstream bump.

Compatibility & adoption analysis: boto3-stubs 1.43.19 → 1.43.30

1) Where it’s used

Location                             | Role
pyproject.toml                       | Optional dev dep: boto3-stubs[essential] (via [project.optional-dependencies] dev)
poetry.lock                          | Resolves boto3-stubs 1.43.30 + transitive mypy-boto3-s3 (and other “essential” service stubs)
chia/data_layer/s3_plugin_service.py | Only application code touching stubs: TYPE_CHECKING import of S3ServiceResource; runtime uses boto3 directly

Runtime boto3 is a separate main dependency (boto3 = ">=1.43.8"). Stubs are not installed in production unless dev extras are used. CI runs mypy over chia/ (including s3_plugin_service.py; it is not in mypy-exclusions.txt).

2) Intersection with release-note changes

Relevant to this repo (low):

  • Subresource shape fix — touches S3 resource typing (Bucket, ObjectSummary, objects.all()), which is exactly what s3_plugin_service.py uses. Effect is type-checking only; may tighten or fix annotations, unlikely to break runtime.

Not relevant:

  • Python 3.8 runtime fixes — Chia requires >=3.10; stubs package also declares python-versions = ">=3.9".
  • client.pyi cleanup, doc links, builder import rendering — no consumer impact.
  • typing-extensions / collections.abc changes — internal stub packaging; Chia is on 3.10+.

Note: Dependabot release notes cite builder 8.8.0, but the lockfile package description says generated with mypy-boto3-builder 8.12.0. The 1.43.19→1.43.30 bump is mainly regenerated AWS API annotations aligned to boto3 1.43.30, not a single named breaking change.

3) Risks / unknowns

Risk                                                                                   | Severity
Runtime/production impact                                                              | None — dev-only typing stubs
New mypy errors in s3_plugin_service.py                                                | Low — possible if S3 stub shapes changed; CI mypy job is the gate
Version skew (boto3-stubs 1.43.30 vs mypy-boto3-s3 1.43.14 vs runtime boto3 >=1.43.8) | Expected for this ecosystem; within declared ranges
No unit tests for S3 plugin / boto3 typing                                             | Unknown coverage gap; typing validated only by mypy
Malware scan heuristics (ghost_version, maintainer_drift)                              | False positives for routine PyPI patch bumps

4) Recommendation: merge

Routine dev-dependency patch bump with no runtime coupling. The only meaningful touchpoint is S3 resource typing in one file, and CI mypy should catch regressions.

Pre-merge check: confirm the PR’s mypy CI job passes. If it fails, expect trivial annotation fixes in s3_plugin_service.py, not a reason to hold the bump.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: unresolved
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • boto3-stubs:0 ghost_version_or_missing_tag :: 1.43.30
  • boto3-stubs:0 maintainer_drift :: 1.43.19->1.43.30

@coveralls-official


Coverage Report for CI Build 28054801305

Coverage increased (+0.007%) to 91.588%

Details

  • Coverage increased (+0.007%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 6 coverage regressions across 3 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

6 previously-covered lines in 3 files lost coverage.

File                                      | Lines Losing Coverage | Coverage
chia/simulator/setup_services.py          | 3                     | 96.3%
chia/full_node/full_node.py               | 2                     | 88.24%
chia/_tests/simulation/test_simulation.py | 1                     | 96.5%

Coverage Stats

Coverage Status
Relevant Lines: 123400
Covered Lines: 113197
Line Coverage: 91.73%
Relevant Branches: 12136
Covered Branches: 10938
Branch Coverage: 90.13%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@emlowe emlowe removed the Changed label (Required label for PR that categorizes merge commit message as "Changed" for changelog) on Jun 24, 2026