chore: deterministic dependency pinning (SHA-pin getdist, camb floor, scipy root-cause)#200
Merged
Merged
Conversation
Make dependency resolution deterministic on the things that bite, since the
container installs via `uv pip install -e .[test,glass]` which resolves fresh
from pyproject and never reads a lockfile — pyproject is the source of truth.
- SHA-pin the two mutable git deps so builds are reproducible:
- shear_psf_leakage @develop -> 48e5756 (branch is mutable, highest drift
risk)
- getdist @upper_triangle_whisker -> 113cd22
- Add a `camb>=1.6` floor (hygiene); no cap, since we want the eventual
scipy-1.18 fix release.
- Sharpen the `scipy<1.18` comment with the precise root cause (FITPACK
Fortran->C return-shape change breaking camb's BBN Y_He predictor) and a
cap-lift trigger.
- Relax the stale exact pin `jupytext==1.15.1` -> `jupytext>=1.15`.
No in-code breakage from scipy 1.18 / numpy 2 exists in sp_validation source;
the only victim of the scipy change is camb's internal BBN predictor, so the
scipy cap is the correct and sufficient fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
shear_psf_leakage is actively co-developed CosmoStat code; SHA-pinning it would only create bump-churn. Track the mutable develop branch instead. getdist stays SHA-pinned (external feature-branch fork, pinned for repro). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
5 tasks
cailmdaley
added a commit
that referenced
this pull request
Jun 30, 2026
#199 (the old PR base, refactor/src-module-layout) was squash-merged into develop (5b8ffdc), so the old base is dead — this brings the ruff work onto current develop instead. Conflicts resolved toward develop's content (the canonical post-#199 code), then `ruff format` + the region-aware policy re-applied on top, so chore/ruff's net contribution over develop stays exactly: the repo-wide format pass, the lint gate (pre-commit + CI), and the behavior-preserving bug fixes. develop's #200 dependency pins are carried in, and the two obsolete scripts #199 deleted (cosmo_val/match_LF_SP.py, scripts/create_joint_shape_cat.py) stay deleted. Verified: `ruff check .` clean except the 5 known undefined names (@sachaguer's, flagged on the PR), `ruff format --check .` clean, every tracked .py compiles. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SkTwLDgicfeoK8Np2bgwp3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The container installs via
uv pip install -e .[test,glass], which resolves fresh frompyproject.tomland never reads a lockfile (uv.lockis gitignored). Sopyproject.tomlis the real source of truth for what gets installed at build time. This PR tightens constraints only where resolution is non-deterministic or known-broken — it does not freeze the stack.Scope deliberately narrow: no
uv.lock, no Dockerfile change, caps only where there is a known breakage (today: only scipy).Per-dependency changes
scipy<1.18(kept)<1.18(kept; comment sharpened)camb>=1.6> 1.6.6.shear_psf_leakage@develop@develop(kept)developso we stay current. SHA-pinning would only create bump-churn (Cail's call).getdist@upper_triangle_whisker(branch)@113cd22a9a0d013b6f72fe734be81f260f3d3be5jupytext==1.15.1(exact)>=1.15Everything else (
numpy>=2.0,treecorr>=5.0,astropy>=5.0,cs_util>=0.2.1,joblib>=0.13, theglassexact-pin group, thedocsfloors) is left as-is. Goal is "properly versioned + modern," not frozen.scipy / camb root cause
scipy 1.18.0 (2026-06-19) ported FITPACK from Fortran to C, which changed the return shape of spline evaluation for scalar input:
camb's BBN Y_He predictor (
camb/bbn.py) wraps the result innp.float64(res). That collapses a 0-d array to a clean scalar but leaves a shape-(1,) array as(1,).set_cosmologythen fails at the ctypes float assignmentself.YHe = YHe:…which fails every
get_cosmo-backed test. camb 1.6.6 is the latest on PyPI and current camb master is also unfixed — there is no camb release to bump to. The upstream fix is one line (coerce the(1,)result to a scalar); when it ships in a release> 1.6.6, the scipy cap can be lifted.In-code breakage scan: clean
A scan of tracked sp_validation source (
src/,scripts/,workflow/,cosmo_val/,cosmo_inference/) for the scipy-1.18 scalar-shape change, numpy-2 removed/renamed names, and astropyQuantityscalar extraction found zero hits. Allinterp1d/RectBivariateSplineusages operate on arrays; tests already usenp.trapezoid. The only victim of the scipy change in the whole stack is camb's internal BBN predictor (third-party), so the scipy cap is the correct and sufficient fix — no sp_validation code change is needed.Verification
getdistSHA-pin confirmed a valid commit viagit ls-remote.uv pip compile pyproject.toml(to a throwaway path, no lockfile written) resolves cleanly (exit 0):scipy==1.17.1(cap binds),camb==1.6.6,cs-util==0.2.1,jupytext==1.19.3,getdistat its pinned SHA, andshear_psf_leakagetrackingdevelop.— Claude on behalf of Cail