Bump dropbox from 11.36.2 to 12.0.2 #37673

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/uv/dropbox-12.0.2

Conversation

@dependabot dependabot Bot commented on behalf of github May 5, 2026

Contributor

Bumps dropbox from 11.36.2 to 12.0.2.

Release notes

Sourced from dropbox's releases.

v12.0.2

Release Notes:

  • Remove the pin for urllib3 (#507)

v12.0.1

Release Notes:

  • Fix incorrect pin of requests (#505)

v12.0.0

Release Notes:

  • Fixes to Restore CI (#492, #501)
  • Fixes to doc generation (#500, #503)
  • Manual Spec Update (#498)
  • Stop providing a hardcoded CA bundle (#489, #499)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dropbox](https://github.com/dropbox/dropbox-sdk-python) from 11.36.2 to 12.0.2.
- [Release notes](https://github.com/dropbox/dropbox-sdk-python/releases)
- [Commits](dropbox/dropbox-sdk-python@v11.36.2...v12.0.2)

---
updated-dependencies:
- dependency-name: dropbox
  dependency-version: 12.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the product/invisible (Change has no end-user visible impact) label May 5, 2026
dependabot Bot requested a review from a team as a code owner May 5, 2026 10:10
dimagimon added the dependencies (Pull requests that update a dependency file) label May 5, 2026

claude Bot commented May 5, 2026

🔍 Dependency Analysis Summary

This PR upgrades the dropbox Python SDK by a full major version (11.36.2 → 12.0.2). The v12 release is primarily a maintenance/infrastructure release — the headline change is the removal of the SDK's bundled CA certificate, with no existing APIs removed. Overall risk is LOW.

📋 Detailed Changelog Review

dropbox (11.36.2 → 12.0.2)

  • Changes:

    • v12.0.0: Removed the hardcoded CA bundle the SDK previously shipped with. SSL verification now delegates to requests' default mechanism (i.e. certifi and/or system certificates). The optional ca_certs parameter on the Dropbox client is still supported for custom pinning. The runtime dependency on pkg_resources/setuptools was removed as a side effect. An API spec update added 18 new team_log_generated struct types (ransomware restoration, encryption key management, backup features) and minor updates to files, check_api_v2_types, and team_policies; no existing routes were removed.
    • v12.0.1: Fixed an overly strict requests version pin that caused install conflicts.
    • v12.0.2: Removed the urllib3 version pin, resolving similar conflicts.
  • Breaking Changes: None for CommCare HQ's usage. The CA bundle removal is the only structural change, and requests handles SSL transparently in standard environments.

  • Migration Notes: None required. If CommCare HQ ever instantiates Dropbox(..., ca_certs=...) with a custom bundle, that path still works. No usage of that parameter was found in the codebase.

⚠️ Impact Assessment

  • Breaking Changes Found: No — all APIs used by CommCare HQ are unchanged across this version range.

  • Affected Files: The following files import from the dropbox package and were audited:

    • corehq/apps/dropbox/utils.py: Dropbox, CommitInfo, UploadSessionCursor, WriteMode, DropboxOAuth2Flow
    • corehq/apps/dropbox/tasks.py: Dropbox, RequestedVisibility, SharedLinkSettings
    • corehq/apps/dropbox/views.py: DropboxOAuth2Flow and OAuth exception classes
    • corehq/apps/dropbox/models.py: Dropbox, AuthError
    • corehq/apps/dropbox/decorators.py: get_dropbox_auth_flow wrapper
    • corehq/apps/dropbox/management/commands/upload_file_to_dropbox.py: upload_to_dropbox
    • corehq/ex-submodules/soil/util.py: references Dropbox URL only (no SDK import)

    All imports and method calls (files_upload_session_start, files_upload_session_append_v2, files_upload_session_finish, sharing_create_shared_link_with_settings, users_get_current_account, DropboxOAuth2Flow.start()/.finish()) exist unchanged in v12.

  • Test Impact: No test changes needed. corehq/apps/dropbox/tests/test_dropbox_upload_helper.py patches _ensure_valid_token and won't be affected.

  • Configuration Changes: None.

🛠️ Recommendations

  • Action Required: None — this upgrade is a straightforward drop-in.
  • Testing Focus: Smoke-test the Dropbox OAuth flow and a file upload in staging if a Dropbox-connected environment is available, since this is a major version bump. The functional change (CA bundle) is handled by requests/certifi, so it should be transparent.
  • Follow-up Tasks: None.
  • Merge Recommendation: APPROVE — no breaking changes, no API removals, and the dependency pin fixes in v12.0.1/12.0.2 are a net positive for future compatibility.

📚 Useful Links
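
The `ca_certs` audit the analysis above refers to can be reproduced with an AST scan. This is an added example, not code from the PR, the dropbox SDK or CommCare HQ; the sample sources and their paths are constructed, and the scan only sees keyword use on calls whose name ends in `Dropbox` (positional or aliased use is out of scope).

```python
import ast

# Constructed sample sources (hypothetical paths, not CommCare HQ code).
SAMPLE_SOURCES = {
    "app/uploader.py": "from dropbox import Dropbox\ndbx = Dropbox('t')\n",
    "app/pinned.py": "import dropbox\n"
                     "dbx = dropbox.Dropbox('t', ca_certs='/etc/ssl/corp.pem')\n",
    "app/dynamic.py": "from dropbox import Dropbox\n"
                      "def client(t, **opts):\n    return Dropbox(t, **opts)\n",
}


def _callee_name(func):
    """Return the trailing name of a call target: Dropbox or dropbox.Dropbox."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def audit_ca_certs(sources, class_name="Dropbox"):
    """Classify every Dropbox(...) call by how it sets TLS trust.

    Returns sorted (path, line, verdict) tuples, where verdict is:
      "explicit" - ca_certs= is passed, so the caller controls the CA bundle
      "unknown"  - **kwargs is forwarded; ca_certs may arrive at runtime
      "default"  - no ca_certs; per the analysis above, v12 then relies on
                   requests' default trust store instead of a bundled file
    """
    findings = []
    for path, text in sorted(sources.items()):
        for node in ast.walk(ast.parse(text, filename=path)):
            if not isinstance(node, ast.Call) or _callee_name(node.func) != class_name:
                continue
            names = [kw.arg for kw in node.keywords]
            if "ca_certs" in names:
                verdict = "explicit"
            elif None in names:  # kw.arg is None for a **mapping argument
                verdict = "unknown"
            else:
                verdict = "default"
            findings.append((path, node.lineno, verdict))
    return findings
```

Call sites reported as "default" are the ones whose trust anchors change with this upgrade; "unknown" sites need a manual look at what the forwarded mapping can contain.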

@millerdev

Contributor

Upgrade also done by #37669, so this PR will be automatically closed if that one gets merged.

dependabot Bot commented on behalf of github May 5, 2026

Contributor Author

Looks like dropbox is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/uv/dropbox-12.0.2 branch May 5, 2026 14:23