Add scripts/check_min_deps.py to validate lower bounds

[masenf]

Ensures that pyright has equivalent results on lowest direct dependencies and latest direct dependencies.

Fix package lower bounds

reflex:

• httpx bump for mounts parameter typing
• redis bump for set operation typing to allow bytes keys
• reflex-base, reflex-components-radix bump for compiler changes
• reflex-hosting-cli min version for reflex_cli_v2

reflex-base:

• pydantic bump to align with reflex

reflex-components-core:

• python_multipart lower bound to get python_multipart.multipart
• starlette lower bound to get UploadFiles and friends
• typing_extensions lower bound to get Self

reflex-components-radix:

• reflex-base bump for compiler plugin changes

reflex-docgen

• pyyaml bump for python3.14 compat

[codspeed-hq]

Merging this PR will not alter performance

✅ 24 untouched benchmarks

---

_{Comparing masenf/analyze-package-deps (f258236) with main (e88acf7)¹}

Footnotes

1. No successful run was found on main (7281317) during the generation of this report, so e88acf7 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[greptile-apps]

Greptile Summary

This PR introduces scripts/check_min_deps.py, a tool that validates each workspace package's declared dependency lower bounds by installing the package twice in isolated venvs (once at latest, once at --resolution lowest-direct) and diffing pyright errors. Alongside the new tooling, several package lower bounds are corrected to reflect what the code actually requires.

• New checker script + CI workflow: check_min_deps.py builds two isolated environments per package, runs pyright with --outputjson, and reports errors that appear only at the minimum versions; a min_deps.yml workflow runs the check in a matrix over Python 3.10 and 3.14.
• Dependency lower-bound corrections: httpx bumped to >=0.26, redis to >=6.4, pydantic to >=2.12.0 in reflex-base, and previously unbounded deps gain explicit floors in reflex-components-core.
• reflex-hosting-cli gains a minimum version (>=0.1.66), previously it had no floor at all.

Confidence Score: 5/5

Safe to merge — the new script, its CI workflow, and the lower-bound corrections are self-consistent and well-tested.

The checker script correctly handles the tomllib/tomli split at import time and via PEP 723 inline metadata; tomli is also present in the lock file as a transitive dependency, so the synced dev environment on Python 3.10 has it available. Pyright diagnostic parsing guards against missing range keys. The CI workflow properly gates the check job on the dynamic discover output, pins checkout by SHA, and uses fetch-tags/fetch-depth for uv-dynamic-versioning. All lower-bound bumps are consistent between pyproject.toml and uv.lock.

No files require special attention.

Important Files Changed

Filename	Overview
scripts/check_min_deps.py	New script validating declared minimum dependency lower bounds via pyright diff across two isolated venvs; tomllib/tomli fallback and range-key guard are both properly handled.
.github/workflows/min_deps.yml	New CI workflow dynamically building a matrix from --list output, with fetch-tags/fetch-depth for uv-dynamic-versioning, testing Python 3.10 and 3.14.
tests/units/test_check_min_deps.py	New unit tests covering install-target, source-dir discovery, extras, pyright error extraction, and delta-cancellation; includes importorskip guard for tomli on Python 3.10.
pyproject.toml	Bumps httpx >=0.26, redis >=6.4, reflex-base >=0.9.3, reflex-components-radix >=0.9.2; pins reflex-hosting-cli >=0.1.66; adds T201 ruff ignore for the new script.
packages/reflex-base/pyproject.toml	Pydantic lower bound raised from >=1.10.21 to >=2.12.0, dropping pydantic v1 support.
packages/reflex-components-core/pyproject.toml	Adds explicit lower bounds: python_multipart >=0.0.21, starlette >=0.47.0, typing_extensions >=4.0.0.
packages/reflex-components-radix/pyproject.toml	Bumps reflex-base lower bound from >=0.9.0 to >=0.9.2.
packages/reflex-docgen/pyproject.toml	Bumps pyyaml >=6.0.3 for Python 3.14 compat; removes unbounded typing-extensions dep.

_{Reviews (2): Last reviewed commit: "Avoid KeyError on diagnostic["range"]" | Re-trigger Greptile}