-
Story
-
Resolution: Unresolved
Background
During the Docling 2.69 incident (AIPCC-9020), we discovered breaking changes only after they impacted our build pipelines. The pypdfium2 5.x dependency change was visible in upstream commits (on the main branch on GitHub) a few days before the new Docling version containing these changes was released.
The commit making these changes was pushed to main on 14/01. Docling 2.69, the version that broke our builder CI, was released on 20/01.
References:
- Docling upstream commit making these changes
- Docling release containing the changes
- Slack discussion
Proposal
Investigate creating a scheduled tool that monitors upstream package repositories for dependency changes that could impact our builds.
Scope
- Primary goal: A scheduled daily pipeline detects dependency updates in pyproject.toml files for a configurable list of packages and, if relevant changes are detected, writes a comment on #team-aipcc-notifications summarizing all the detected changes, with links for further investigation.
- Output: Report of updated dependencies requiring attention
- Extensibility:
  - Using AI for a summary and a quick assessment of whether we need to do anything following these changes
  - Using AI for generating automatic fix PRs (requiring manual review and approval) when a fix is needed
  - Support for setup.py / setup.cfg for older projects (only if needed)
This may not catch 100% of cases, but even partial coverage would improve our ability to anticipate upstream breaking changes.
- is related to: AIPCC-9353 Add AI error summary & analysis (RCA) for nightly pipeline failures (In Progress)