
[codex] test: enforce runtime dependency parity across manifests #685

Open

madara88645 wants to merge 1 commit into main from codex/dependency-manifest-parity

Conversation

@madara88645 (Owner)

What changed

This PR tightens the Snyk workflow and Python dependency snapshots so they stay aligned.

  • removed editable install usage from the Snyk workflow
  • made Snyk scan requirements.txt and pyproject.toml explicitly
  • added a regression test that requires exact runtime dependency parity
  • fixed drift in requirements.txt by adding httpx<0.29 and normalizing jinja2 casing

Why this changed

The repo had drift between the runtime dependency source of truth and the deploy/security snapshot. That makes it easy for security checks or deploy targets to validate a different package set than the app actually declares.

Product impact

This reduces the chance of silent package mismatch issues in CI, security scanning, and deployment packaging. It does not change end-user behavior directly.

Root cause

requirements.txt had fallen out of sync with pyproject.toml, and the Snyk workflow was scanning a broader editable install instead of the exact Python manifest files.

Validation

  • uv run --extra dev pytest -q tests/test_snyk_workflow.py tests/test_ci_workflow.py


vercel Bot commented May 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions           Updated (UTC)
compiler  Ready        Preview, Comment  May 30, 2026 3:05pm

@madara88645 madara88645 marked this pull request as ready for review May 31, 2026 08:59
Copilot AI review requested due to automatic review settings May 31, 2026 08:59

cursor Bot left a comment

PR risk assessment

Risk level: Low

Code review: Not required (automation approval)

Evidence (from diff only)

Area                        | Change                                                                       | Risk note
tests/test_snyk_workflow.py | New regression tests (68 lines)                                              | Locks pyproject.toml / requirements.txt parity and Snyk workflow shape
requirements.txt            | Adds httpx<0.29; normalizes jinja2 casing                                    | Brings deploy snapshot in line with existing pyproject.toml runtime deps (no new package introduced)
.github/workflows/snyk.yml  | Drops pip install -e .; scans requirements.txt and pyproject.toml explicitly | CI/security scanning only; tighter scope than prior editable install

Why Low (not Medium+)

  • No application/runtime logic, auth, API routes, or user-facing UI changed.
  • Blast radius is limited to dependency manifests and the Snyk GitHub Action workflow.
  • httpx<0.29 already appears in pyproject.toml; this PR fixes manifest drift rather than changing declared runtime behavior.
  • CI signal on the PR is green (Smoke, Analyze, snyk, CodeQL, GitGuardian, Vercel).

Actions taken

  • Approved per Low-risk rules (no CODEOWNERS file; no reviewers requested; PR was not previously approved).

Slack summary

PR #685 — Low risk — APPROVED
[codex] test: enforce runtime dependency parity across manifests
https://github.com/madara88645/Compiler/pull/685

Changes: Snyk workflow scans explicit manifests; requirements.txt synced to pyproject.toml; new parity regression tests.
Product impact: Stronger CI/security alignment; no direct end-user behavior change.
Reviewers: None assigned (below Medium threshold).

Sent by Cursor Automation: Assign PR reviewers

Copilot AI (Contributor) left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
