Change: Pin codespell version to 2.3.0 (latest release)

[n-thumann]

What

This PR pins codespell to the currently latest release (2.3.0 right now).

Why

When running poetry upgrade troubadix, pipx won't upgrade the dependencies as long as they still meet the dependency requirements.
This requirement is currently:

➜  ~ bat ~/.local/share/pipx/venvs/troubadix/lib/python3.12/site-packages/troubadix-25.1.2.dist-info/METADATA | rg codespell
Requires-Dist: codespell (>=2.0.0,<3.0.0)

In case e.g. codespell 2.3.1 is release we updated pyproject.toml / poetry.lock, an end-user still won't necessarily have the same codespell version.

We can reproduce this behavior by installing a non-latest Troubadix, then manually installing a non-latest version of codespell in the venv. After upgrading Troubadix, codespell is still at the older release, because it still meets the dependency requirement:

➜  ~ pipx install troubadix==25.1.1                                                 
  installed package troubadix 25.1.1, installed using Python 3.12.3
  These apps are now globally available
    - troubadix
    - troubadix-allowed-rev-diff
    - troubadix-changed-cves
    - troubadix-changed-oid
    - troubadix-changed-packages
    - troubadix-deprecate-vts
    - troubadix-file-extensions
    - troubadix-last-modification
    - troubadix-no-solution
    - troubadix-version-updated
done! ✨ 🌟 ✨
➜  ~ ls -la ~/.local/share/pipx/venvs/troubadix/lib/python3.12/site-packages/ | rg codespell
drwxrwxr-x  2 nthumann nthumann   4096 Jan 16 10:33 codespell-2.3.0.dist-info
drwxrwxr-x  5 nthumann nthumann   4096 Jan 16 10:33 codespell_lib
➜  ~ pipx inject troubadix codespell==2.0.0                                                
  injected package codespell into venv troubadix
done! ✨ 🌟 ✨
➜  ~ ls -la ~/.local/share/pipx/venvs/troubadix/lib/python3.12/site-packages/ | rg codespell
drwxrwxr-x  2 nthumann nthumann   4096 Jan 16 10:33 codespell-2.0.0.dist-info
drwxrwxr-x  4 nthumann nthumann   4096 Jan 16 10:33 codespell_lib
➜  ~ pipx upgrade troubadix                                                                 
upgraded package troubadix from 25.1.1 to 25.1.2 (location: /home/nthumann/.local/share/pipx/venvs/troubadix)
➜  ~ ls -la ~/.local/share/pipx/venvs/troubadix/lib/python3.12/site-packages/ | rg codespell
drwxrwxr-x  2 nthumann nthumann   4096 Jan 16 10:33 codespell-2.0.0.dist-info
drwxrwxr-x  4 nthumann nthumann   4096 Jan 16 10:33 codespell_lib

We can fix this by always explicitly requiring the latest codespell version in pyproject.toml instead of a version range.
After this change the METADATA file contains:

➜  dist bat troubadix-25.1.3.dev1.dist-info/METADATA | rg codespell
Requires-Dist: codespell (==2.3.0)

After that it's still possible to manually inject a lower codespell version (I guess this is on purpose), however pipx upgrade troubadix will enforce the version specified in METADATA again.

References

Checklist

• Tests

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA f51109d.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
pip/codespell	2.3.0	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• pyproject.toml

[github-actions]

Conventional Commits Report

Type	Number
Changed	1

🚀 Conventional commits found.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.82%. Comparing base (cdf71e8) to head (f51109d).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #783   +/-   ##
=======================================
  Coverage   79.82%   79.82%           
=======================================
  Files          87       87           
  Lines        3023     3023           
  Branches      589      589           
=======================================
  Hits         2413     2413           
  Misses        462      462           
  Partials      148      148           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.