chore: Bump DuckDB versions to 1.4.x and duckdb-engine to 0.17.x

[aaronsteers]

Summary

Updates DuckDB dependencies to their latest versions:

• duckdb: ^1.1.0 → ^1.4.0 (resolves to 1.4.3)
• duckdb-engine: ^0.13.2 → ^0.17.0 (resolves to 0.17.0)

Why Dependabot didn't create this PR: The repository's Dependabot configuration uses package-ecosystem: "pip" which has limited support for Poetry's pyproject.toml format. Dependabot's pip ecosystem primarily looks for requirements.txt or setup.py files and has known issues parsing Poetry-specific dependency syntax (caret ^ constraints, dependency groups, etc.). This is a documented limitation in dependabot-core#8603.

Review & Testing Checklist for Human

This is a significant version bump for a core dependency. DuckDB is used for the default local cache in PyAirbyte.

• Verify CI tests pass, particularly DuckDB cache integration tests (test_duckdb_cache.py, test_all_cache_types.py)
• Review DuckDB 1.4.x release notes for any breaking changes that could affect PyAirbyte's SQL processor or cache implementations
• Consider running a quick local test with source.read() to a DuckDB cache to validate end-to-end functionality

Notes

Requested by @aaronsteers

Link to Devin run: https://app.devin.ai/sessions/49728e8ed39b40e9ab728baee97d3d60

Important

Auto-merge enabled.

This PR is set to merge automatically when all requirements are met.

Summary by CodeRabbit

• Chores
  • Updated database dependencies to latest stable versions to improve compatibility and performance.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Note

Auto-merge may have been disabled. Please check the PR status to confirm.

[devin-ai-integration]

Original prompt from AJ Steers

@Devin - Can you bump the duckdb library versions in pyairbyte? Also, tell me why dependabot did not send me a PR for this?
Thread URL: https://airbytehq-team.slack.com/archives/D089P0UPVT4/p1767897033509079

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1767897155-bump-duckdb-versions' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1767897155-bump-duckdb-versions'

Helpful Resources

• PyAirbyte Documentation
• API Reference

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

• /fix-pr - Fixes most formatting and linting issues
• /poetry-lock - Updates poetry.lock file
• /test-pr - Runs tests with the updated PyAirbyte
• /prerelease - Builds and publishes a prerelease version to PyPI

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

📝 Edit this welcome message.

[github-actions]

PyTest Results (Fast Tests Only, No Creds)

221 tests  ±0   220 ✅ ±0   34s ⏱️ -2s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     1 ❌ ±0 

For more details on these failures, see this check.

Results for commit 1e57e70. ± Comparison against base commit 3c36bef.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated duckdb dependencies in pyproject.toml: duckdb from ^1.1.0 to ^1.4.0 and duckdb-engine from ^0.13.2 to ^0.17.0. These are straightforward version bumps to newer compatible releases.

Changes

Cohort / File(s)	Summary
Dependency Version Upgrades pyproject.toml	Bumped duckdb from ^1.1.0 to ^1.4.0 and duckdb-engine from ^0.13.2 to ^0.17.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Quick thought: Since these are minor version bumps spanning a few minor versions, have you had a chance to verify there are no breaking changes in those release ranges between the old and new versions? Also, did you confirm that the rest of your codebase is compatible with these newer versions, wdyt?

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: upgrading DuckDB from 1.1.x to 1.4.x and duckdb-engine from 0.13.x to 0.17.x, which matches the file changes in pyproject.toml.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/1767897155-bump-duckdb-versions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pyproject.toml (1)

24-25: Nice! The LTS upgrade brings important security and performance improvements—consider simplifying the SQLAlchemy constraint.

These version bumps to DuckDB 1.4.x (LTS) and duckdb-engine 0.17.0 are solid upgrades that include:

• Performance gains: 2x+ faster sorting, more efficient small writes, and 5x faster checkpointing
• Database encryption: AES-256-GCM support
• Security fixes in DuckDB 1.4.2+: CVE-2025-64429 (encryption vulnerabilities)—confirmed fixed in the 1.4.3 version your PR will resolve to

Since duckdb-engine 0.17.0 is fully compatible with SQLAlchemy 2.0.36, you could address the TODO at line 47-48 and remove the !=2.0.36 constraint from the SQLAlchemy version spec. The regression that warranted the exclusion should no longer apply, wdyt?

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c36bef and 1e57e70.

⛔ Files ignored due to path filters (1)

• poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: update-description
• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Windows)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (Fast)

🔇 Additional comments (1)

pyproject.toml (1)

47-48: Consider revisiting this TODO with the new duckdb-engine version, wdyt?

With the upgrade to duckdb-engine 0.17.0, this SQLAlchemy constraint might no longer be necessary. The regression in SQLAlchemy v2.0.36 was reported with duckdb-engine v0.13.2, which is the version being replaced in this PR.

Could you verify whether the SQLAlchemy !=2.0.36 exclusion can be removed now that duckdb-engine has been upgraded to 0.17.0?

Based on learnings about the SQLAlchemy 2.0.36 regression with duckdb-engine 0.13.2.