Support cbor2 6.x deserialization changes

[muratclk]

Summary

Fixes #2375

cbor2 6.0 introduces breaking deserialization changes:

• Nested dicts return as cbor2.frozendict (not a dict subclass)
• Arrays return as tuple instead of list

This caused isinstance(data, dict) checks in the deserialization path to silently skip processing, breaking recorder round-trip tests.

Changes

• Replace isinstance(..., dict) with isinstance(..., Mapping) in all deserialization functions (deserialize, transfer_to_model, depointer_as_key, _resolve_cache_refs). cbor2.frozendict implements collections.abc.Mapping, so this handles both old and new cbor2 versions.
• Mapping was already imported from collections.abc — no new dependencies.
• Remove the cbor2<6 version cap from pyproject.toml.

Compatibility

• cbor2 5.x: dict is a subclass of Mapping, so all existing behavior is preserved.
• cbor2 6.x: frozendict implements Mapping, so deserialization now works correctly.
• Tuple returns from cbor2 6.x are already handled — deserialize_ndarray calls tuple(data["shape"]) explicitly, and np.array() accepts both list and tuple inputs.

Test plan

• Verify recorder round-trip tests pass with cbor2 5.x
• Verify recorder round-trip tests pass with cbor2 6.x (RC)
• Verify JSON format is unaffected

Summary by CodeRabbit

• New Features
  • Broader support for mapping-like inputs across viewing and deserialization flows, improving compatibility with custom container objects and serialized payloads.
• Chores
  • Relaxed cbor2 version constraint for examples to allow newer patch/major releases.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: muratclk / name: Murat Çelik (22bde7c)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: e57a932f-18ae-439d-942d-318e0f229f24

📥 Commits

Reviewing files that changed from the base of the PR and between cb06b52 and 22bde7c.

📒 Files selected for processing (2)

• newton/_src/viewer/viewer_file.py
• pyproject.toml

✅ Files skipped from review due to trivial changes (1)

• pyproject.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• newton/_src/viewer/viewer_file.py

---

📝 Walkthrough

Walkthrough

Replaced runtime dict checks with collections.abc.Mapping in viewer file functions to accept mapping-like types (e.g., cbor2.frozendict), and removed the upper bound on the cbor2 extras dependency in pyproject.toml.

Changes

Cohort / File(s)	Summary
Mapping Type Checks newton/_src/viewer/viewer_file.py	Replaced isinstance(..., dict) with isinstance(..., Mapping) in transfer_to_model, deserialize, and depointer_as_key to accept mapping-like containers (handles cbor2.frozendict and similar).
Dependency Update pyproject.toml	Relaxed examples optional dependency for cbor2 from cbor2>=5.7.0, <6 to cbor2>=5.7.0 (removed the <6 upper bound).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Cap cbor2 dependency to <6 #2373: Short-term fix that capped cbor2 to <6 to avoid deserialization issues; this change removes the need for that cap by accepting mapping-like types.

Suggested reviewers

• adenzler-nvidia

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Support cbor2 6.x deserialization changes' directly matches the main objective of the PR, clearly summarizing the primary change.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #2375: replaced isinstance(..., dict) checks with Mapping [#2375], and removed the cbor2<6 version cap [#2375].
Out of Scope Changes check	✅ Passed	All changes are directly related to supporting cbor2 6.x: deserialization logic updates in viewer_file.py and dependency constraint removal in pyproject.toml are within scope of issue #2375.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Line 82: Update the CHANGELOG.md [Unreleased] entry to reflect that the cbor2
version cap was removed (the PR allows cbor2 6.x) instead of saying it was
capped; locate the line that currently reads something like "Cap `cbor2`
dependency to `<6`" and change it to a concise note such as "Allow `cbor2` 6.x
by removing the `<6` version cap" in the appropriate category so it matches the
pyproject.toml change (the dependency line mentioning "cbor2>=5.7.0").
- Line 82: Update the cbor2 constraint in pyproject.toml by changing the
requirement string "cbor2>=5.7.0" to constrain the major version to <6 (e.g.,
"cbor2>=5.7.0,<6") to avoid pulling in the unreleased/breaking 6.x, and add a
brief entry under the CHANGELOG.md [Unreleased] section noting "Constrain cbor2
to <6 until 6.x breaking changes are validated" so the dependency change is
tracked; locate the dependency line referenced as "cbor2>=5.7.0" and the
CHANGELOG.md [Unreleased] heading to apply these edits.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 2055740a-0a94-43c4-ab26-a0ac9fb1f9fb

📥 Commits

Reviewing files that changed from the base of the PR and between 38c8908 and cb06b52.

📒 Files selected for processing (2)

• newton/_src/viewer/viewer_file.py
• pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify changelog entry exists for cbor2 compatibility change.
fd -i '^CHANGELOG\.md$' | xargs -r rg -n -C2 '\[Unreleased\]|cbor2|binary recording|examples'

Repository: newton-physics/newton

Length of output: 2617

---

Update the CHANGELOG.md entry to reflect removal of the cbor2 version cap.

The existing CHANGELOG entry at line 135 states "Cap cbor2 dependency to <6…", which describes the opposite of this PR's change. Since this PR removes the cap and enables cbor2 6.x support, update the [Unreleased] section to document this change (e.g., "Allow cbor2 6.x by removing the <6 version cap" or similar, in the appropriate category).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 82, Update the CHANGELOG.md [Unreleased] entry to
reflect that the cbor2 version cap was removed (the PR allows cbor2 6.x) instead
of saying it was capped; locate the line that currently reads something like
"Cap `cbor2` dependency to `<6`" and change it to a concise note such as "Allow
`cbor2` 6.x by removing the `<6` version cap" in the appropriate category so it
matches the pyproject.toml change (the dependency line mentioning
"cbor2>=5.7.0").

---

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check whether CI/tests explicitly exercise multiple cbor2 majors.
rg -n -C3 'cbor2|extras|examples|matrix|tox|pytest' .github pyproject.toml tox.ini noxfile.py 2>/dev/null

Repository: newton-physics/newton

Length of output: 5219

---

🏁 Script executed:

#!/bin/bash
# Check cbor2 specifics: releases, breaking changes, and version documentation
# First, find any version pinning or pinned versions in CI/config files
echo "=== Checking for explicit cbor2 version pinning or testing ==="
rg 'cbor2' .github pyproject.toml -n --type yaml --type toml

echo -e "\n=== Checking CHANGELOG.md for dependency-related entries ==="
if [ -f CHANGELOG.md ]; then
  head -100 CHANGELOG.md | rg -i 'cbor2|dependency|version|constraint' -C2
else
  echo "CHANGELOG.md not found at root"
fi

echo -e "\n=== Checking for any requirements files ==="
fd -e 'txt' -e 'lock' -e 'in' | head -20 | xargs -I {} sh -c 'echo "=== {} ===" && rg "cbor2" {} 2>/dev/null || true'

Repository: newton-physics/newton

Length of output: 12590

---

🌐 Web query:

cbor2 Python package version releases and breaking changes between 5.x 6.x 7.x

💡 Result:

What versions exist (as of Apr 8, 2026)

• Latest stable on PyPI: 5.9.0 (uploaded Mar 22, 2026) [1]
• 6.x: only a pre-release is documented: 6.0.0rc1 (Mar 26, 2026) [2]
• 7.x: no 7.x release is listed in the upstream cbor2 version history / docs at this time [2].

Breaking / behavior-changing differences: 5.x → 6.x (6.0.0rc1)

6.0.0rc1 is a major rewrite (single Rust-based implementation replacing the prior Python + C implementations) [2].

Documented backward-incompatible changes in 6.0.0rc1 include [2]:

• Callback signature changes
  • tag_hook now receives (CBORTag, immutable) instead of (CBORDecoder, CBORTag)
  • object_hook now receives (Mapping[Any, Any], bool) instead of (CBORDecoder, dict[Any, Any])
• Removals
  • Removed break_marker singleton
  • Removed CBORDecodeValueError (now ValueError/TypeError are chained under CBORDecodeError)
  • Removed “individual decoding functions” from the public API (previously misused directly)
  • Dropped deprecated cbor2.encoder / cbor2.decoder modules (import from cbor2 directly)
• Semantic / encoding changes
  • Semantic tag 261 decoding may now yield IPv4Interface/IPv6Interface when host bits exist
  • IP address encoding switches to semantic tags 52/54 (instead of deprecated 260/261)
• Type rename / availability
  • cbor2.FrozenDict renamed to frozendict; and on Python 3.15 it defers to the built-in frozendict
• Python support
  • Drops Python 3.9

Notable “upgrade friction” within 5.x (not a major-version break, but relevant)

From the 5.x changelog [2]:

• 5.5.0: deprecated cbor2.encoder, cbor2.decoder, cbor2.types modules (intended removal “next major release”); dropped Python 3.7 [2]
• 5.7.0: dropped Python 3.8 [2]
• 5.9.0: default read_size changed from 4096 to 1 (to restore stream-position behavior); opt-in back to faster buffered reads with read_size=4096 [2]

6.x → 7.x

• No 7.x releases are documented yet, so no confirmed breaking-change list is available upstream at this time [2].

Sources: PyPI project page (release info) [1]; cbor2 upstream “Version history” / changelog (details of 5.x + 6.0.0rc1 breaking changes) [2].

---

🏁 Script executed:

#!/bin/bash
# Verify if CHANGELOG.md exists and what format is used for dependency entries
echo "=== Checking for CHANGELOG.md ==="
find . -maxdepth 2 -iname '*change*' -o -iname '*release*' -o -iname '*history*' | head -10

echo -e "\n=== Checking pyproject.toml for exact current state ==="
sed -n '75,90p' pyproject.toml

echo -e "\n=== Checking if 6.x versions have actually shipped stable (not just rc) ==="
# From the lock file, check if any 6.x non-rc versions are referenced
grep -A5 -B5 'cbor2.*6\.' uv.lock || echo "No cbor2 6.x found in lock"

Repository: newton-physics/newton

Length of output: 9280

---

🌐 Web query:

cbor2 6.0.0 release date stable version 2026

💡 Result:

As of April 8, 2026, cbor2 6.0.0 has not been released (no such release is listed on PyPI). The latest stable cbor2 release available on PyPI is 5.9.0, uploaded on March 22, 2026. [1]

Source: PyPI project page for cbor2. [1]

[1] (pypi.org)

Citations:

• 1: https://pypi.org/project/cbor2/

---

Constrain to <6 instead of <7; add CHANGELOG.md entry.

cbor2 6.0.0 has not yet released to stable—only 6.0.0rc1 exists—and it contains breaking changes (callback signatures, module removals, semantic tag shifts). Constraining to <6 aligns with validated 5.x support and matches the already-applied constraint in uv.lock. When 6.0 stabilizes, compatibility should be explicitly validated before loosening the bound.

Additionally, per coding guidelines, this dependency change requires a corresponding entry in CHANGELOG.md under [Unreleased] (e.g., "Constrain cbor2 to <6 until 6.x breaking changes are validated").

Proposed dependency guardrail

-    "cbor2>=5.7.0",     # for binary recording format (.bin files) - more efficient than JSON
+    "cbor2>=5.7.0,<6",  # allow validated 5.x; avoid untested major version changes

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"cbor2>=5.7.0", # for binary recording format (.bin files) - more efficient than JSON
	"cbor2>=5.7.0,<6", # allow validated 5.x; avoid untested major version changes

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 82, Update the cbor2 constraint in pyproject.toml by
changing the requirement string "cbor2>=5.7.0" to constrain the major version to
<6 (e.g., "cbor2>=5.7.0,<6") to avoid pulling in the unreleased/breaking 6.x,
and add a brief entry under the CHANGELOG.md [Unreleased] section noting
"Constrain cbor2 to <6 until 6.x breaking changes are validated" so the
dependency change is tracked; locate the dependency line referenced as
"cbor2>=5.7.0" and the CHANGELOG.md [Unreleased] heading to apply these edits.

[adenzler-nvidia]

Thanks for the fix. Let's wait a bit before merging until v6 is released.