Update dependency e2b #299

Open
renovate[bot] wants to merge 1 commit into main from renovate/e2b-2.x-lockfile

@renovate renovate Bot commented Jul 3, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
e2b (source) | 2.26.0 → 2.30.0 | age | confidence
e2b (source) | 2.28.0 → 2.31.0 | age | confidence

Release Notes

e2b-dev/e2b (e2b)

v2.30.0

Minor Changes
  • e873ee9: Add an allowNetworkMounts/allow_network_mounts option to filesystem directory watching. When enabled, paths on network filesystem mounts (NFS, CIFS, SMB, FUSE) can be watched — they are rejected by default because events on network mounts may be unreliable or not delivered at all. Requires envd 0.6.4 or later; watching with this option against an older sandbox raises a template error.

Patch Changes
  • cab59ca: Fix Sandbox.getMetrics() sending start and end as path parameters instead of query parameters, which caused the requested time range to be silently ignored
  • 0b0c728: Fix Volume.readFile returning undefined instead of an empty Blob/ReadableStream for empty files, and apply the documented 60s default request timeout to volume content requests.
  • feb2d45: Return boolean from the Sandbox.kill() instance method (true if the sandbox was killed, false if it was not found), matching the static Sandbox.kill() and the Python SDK.
  • 91e84d9: Raise an error for non-2xx API and envd responses with empty bodies (e.g. Content-Length: 0) instead of treating them as successful.

v2.29.1

Compare Source

Patch Changes
  • 1d5259c: Fix a batch of connection-handling bugs in the JS and Python SDKs:
    • Python: HTTP transport caches now key on the configured proxy, so clients created with different (or no) proxy settings no longer silently reuse a transport built for the first proxy seen.
    • Python: request_timeout is now applied to control-plane (E2B API) requests; previously the underlying httpx client was built with no timeout at all.
    • Python: the server-stream parser no longer stalls (or drops the final envelope) when the remaining payload of an envelope is shorter than the 5-byte envelope header.
    • JS + Python: passing debug: false explicitly now overrides the E2B_DEBUG=true environment variable instead of being ignored.
    • JS: the RPC logger no longer crashes requests with a TypeError when a response contains protobuf int64 (bigint) fields; they are now logged as strings.

v2.29.0

Compare Source

Minor Changes
  • 961ffba: feat(sdks): expose user-defined file metadata on sandbox.files

    Adds a metadata option to file uploads (write / writeFiles / write_files) and surfaces persisted metadata on every EntryInfo / WriteInfo returned by getInfo, list, rename, and write responses. On upload, metadata is sent as X-Metadata-<key>: <value> request headers; envd persists the values as extended attributes in the user.e2b. xattr namespace and returns them on subsequent filesystem reads (including user.e2b.* xattrs set out-of-band). Keys are sent as HTTP header names and are lowercased by the sandbox; metadata is validated client-side (keys must be valid HTTP header tokens, values must be printable US-ASCII) and invalid input raises InvalidArgumentError / InvalidArgumentException. The same metadata map is applied to every file in a multi-file upload. Requires envd 0.6.2 or later.

  • da85b1e: Add an includeEntry/include_entry option to filesystem directory watching. When enabled, each FilesystemEvent carries the affected entry's EntryInfo (best-effort; left unset for events where the path no longer exists, such as remove/rename-away). Requires envd 0.6.3 or later; watching with this option against an older sandbox raises a template error.

Patch Changes
  • 7dc861f: fix: align behavior between the JS and Python SDKs

    Python SDK:

    • commands.send_stdin and CommandHandle.send_stdin now accept bytes in addition to str, and the handle's send_stdin / close_stdin now accept a request_timeout.
    • git.reset now accepts a typed GitResetMode and its validation error matches the JS SDK wording/ordering. GitResetMode is now exported.
    • sandbox_url is now propagated through get_api_params.
    • Template.from_image() now raises when only one of username / password is provided.
    • get_info() no longer carries the envd access token on the returned SandboxInfo (the _envd_access_token field was unused), matching the JS SDK which strips it from getInfo.
    • get_metrics() now raises TemplateException (was SandboxException) with the same message as the JS SDK when the sandbox is too old.

    JS SDK:

    • Sandbox.getInfo() now includes sandboxDomain, matching the Python SDK's single get_info. getFullInfo is deprecated and now just wraps getInfo (it no longer returns the envd access token).
    • Sandbox.getMetrics() now returns [] in debug mode, matching the Python SDK. The debug short-circuit for getMetrics / kill is implemented on both the instance and static methods, so it applies consistently whether called as Sandbox.kill(sandboxId) or sandbox.kill().
    • Template.fromImage() now requires both username and password when registry credentials are provided.
    • Template.getBuildStatus() now defaults logsOffset to 0.
    • requestTimeoutMs: 0 now explicitly disables the request timeout.
    • getMetrics() now throws TemplateError (was SandboxError) when the sandbox is too old to support metrics.

v2.28.2

Compare Source

Patch Changes
  • 4e16cff: Add proxy connection parameter to route SDK requests through an HTTP proxy, matching the Python SDK. When set, it applies to API requests, all requests made to the returned sandbox, and volume requests.
  • 4e16cff: Fix proxy not being applied to volume content requests. Volume.create/Volume.connect now store the proxy on the returned instance, so instance methods (list, readFile, writeFile, makeDir, getInfo, updateMetadata, remove, …) route through it without having to pass proxy on every call. A per-call proxy still takes precedence.

v2.28.1

Compare Source

Patch Changes
  • 08012ee: feat: add sendStdin/send_stdin and closeStdin/close_stdin to CommandHandle

    You can now send and close stdin directly on a background command handle instead of going through sandbox.commands with the command's PID.

  • ca18220: Use components['schemas'][...] instead of verbose paths[...] traversal for OpenAPI-generated type references.

v2.28.0

Compare Source

Minor Changes
  • 073661a: Add API-only custom header options for the JavaScript and Python SDKs.

Patch Changes
  • e7a82ea: Remove unused internal code: wait helper (js-sdk), asSandboxTemplate/asHeadline/selectOption/basicDockerfile (cli), and format_execution_timeout_error (python-sdk). No public API changes.
  • 5b2bb94: Return a dedicated rate limit error for HTTP 429 responses from the envd API. Previously these were surfaced as a generic sandbox error, unlike the main API client which already raised RateLimitError (JS) / RateLimitException (Python). Rate limit errors are now consistent across all SDK request paths.

v2.27.1

Compare Source

Patch Changes
  • ad37796: fix: await async callbacks in CommandHandle.wait()
  • b7fa99e: Silence the undici HTTP/2 fallback warning.

v2.27.0

Compare Source

Minor Changes
  • 2691c73: Sync OpenAPI spec from e2b-dev/infra. Notable changes: SandboxMetrics gains memCache / mem_cache (cached memory in bytes), NodeStatus gains standby, TeamUser.email is now nullable and deprecated, and POST /v3/templates can now return 403.

Patch Changes
  • a6bf71a: fix(sdks): Template.fromDockerfile / Template.from_dockerfile now correctly handle multi-source COPY/ADD instructions. Previously, only the first source was kept and all intermediate sources were silently dropped; now each source is emitted as its own copy() call to the same destination.
  • 4a4bb36: Validate the E2B API key format client-side. SDKs now throw an AuthenticationError / AuthenticationException with an example token (e.g. e2b_0000000000000000000000000000000000000000) when the key does not start with e2b_ followed by hex characters.

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
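
The client-side metadata validation described in the v2.29.0 notes above (keys must be HTTP header tokens, values printable US-ASCII, sent as X-Metadata-<key> headers), as an added Python example that is not code from the e2b SDKs or from this PR. `metadata_to_headers`, `check` and `InvalidMetadataError` are hypothetical names, the printable range 0x20-0x7E is an assumption, and the case-collision check goes beyond what the notes state.

```python
import re

# RFC 9110 "token": the characters allowed in an HTTP header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Assumption: "printable US-ASCII" means 0x20-0x7E, so CR, LF and NUL are rejected.
_PRINTABLE = re.compile(r"[\x20-\x7e]*")
HEADER_PREFIX = "X-Metadata-"  # header prefix named in the release notes


class InvalidMetadataError(ValueError):
    """Hypothetical error type; the SDKs raise their own InvalidArgument* errors."""


def metadata_to_headers(metadata):
    """Validate a metadata map and return the upload headers it would become."""
    headers = {}
    seen = {}  # lowercased key -> original key
    for key, value in metadata.items():
        if not isinstance(key, str) or not _TOKEN.fullmatch(key):
            raise InvalidMetadataError(f"key {key!r} is not a valid HTTP header token")
        if not isinstance(value, str) or not _PRINTABLE.fullmatch(value):
            raise InvalidMetadataError(f"value for {key!r} is not printable US-ASCII")
        lowered = key.lower()
        # Added check: the sandbox lowercases keys, so case-only variants would collide.
        if lowered in seen:
            raise InvalidMetadataError(
                f"keys {seen[lowered]!r} and {key!r} collide after lowercasing")
        seen[lowered] = key
        headers[HEADER_PREFIX + lowered] = value
    return headers


def check(metadata):
    """Return (True, headers) or (False, reason) so rejections can be logged."""
    try:
        return True, metadata_to_headers(metadata)
    except InvalidMetadataError as exc:
        return False, str(exc)


# Constructed sample inputs: one valid map and four that must be rejected.
SAMPLES = [
    {"owner": "build-bot", "Ticket": "SEC-1234"},
    {"owner": "alice\r\nX-Injected: 1"},  # CR/LF would split the header
    {"bad key": "x"},                      # space is not a token character
    {"note": "caf\u00e9"},                 # non-ASCII value
    {"Owner": "a", "owner": "b"},          # same key after lowercasing
]
for sample in SAMPLES:
    print(check(sample))
```
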

@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@claude claude Bot left a comment

LGTM — Renovate lockfile bump for e2b (Python 2.26→2.30, JS 2.28→2.31), no source changes.

Extended reasoning...

Overview

This is a Renovate-generated dependency update PR that touches only two lockfiles: pnpm-lock.yaml and python/poetry.lock. It bumps the e2b SDK — Python from 2.26.0 → 2.30.0 and JS from 2.28.0 → 2.31.0 — and pulls along transitive updates (@bufbuild/protobuf 2.12.0→2.12.1, undici 7.27.0→7.28.0, tar 7.5.16→7.5.19, brace-expansion 5.0.6→5.0.7, picomatch 4.0.4→4.0.5). No application source code, config, or CI is modified.

Security risks

None introduced by this change itself. The transitive updates are patch-level bumps that generally include fixes. The e2b release notes are dominated by bug fixes (connection handling, timeout propagation, rate-limit error consistency, empty-response handling) and additive features (metadata on uploads, network-mount watch option, proxy propagation) — nothing here weakens the security posture.

Level of scrutiny

Low. This is a lockfile-only Renovate PR within the same minor-version band (2.x → 2.x) of a package the project already depends on. The bug-hunting pass produced no findings, and there is no logic change to review.

Other factors

The upstream release notes explicitly call out backwards-compatible additive features and bug fixes; the couple of behavior changes (e.g. getMetrics() now throws TemplateError, Sandbox.kill() now returns a boolean in JS) are unlikely to affect this repository unless it exercises those exact code paths, which a lockfile-only change would not silently break at runtime import. Prior commits show a pattern of routinely merging similar Renovate updates.
