Relax numpy/pandas/networkx pins to support numpy 2 / pandas 2+ / Python 3.14

[bbkrr]

Closes #101

What

Replace the ~= upper-bound caps in setup.py with lower-bound floors, and bump version 2.4.6 → 2.5.0.

-"numpy~=1.23"      +"numpy>=1.23"
-"pandas~=1.3"      +"pandas>=1.3"
-"scipy~=1.9"       +"scipy>=1.9"
-"sympy~=1.5"       +"sympy>=1.5"
-"networkx~=2.7"    +"networkx>=2.7"

Why

The caps blocked numpy 2 / pandas 2+ / networkx 3 and made Python 3.14 impossible (pandas 1.x ships no cp314 wheels). This was blocking the downstream RealRate-Private uv / Python 3.14 migration (realrate/RealRate-Private#2098) and a batch of Dependabot upgrades there.

Verification (Python 3.14 + numpy 2.4.6 / pandas 3.0.3 / scipy 1.17.1 / sympy 1.14.0 / networkx 3.6.1)

• Unit suite: 24/24 pass (2 pre-existing skips)
• make verify-output: all 5 example graphs.json byte-identical to the committed baseline
• RealRate A/B (de_life_insurance evaluate, old py3.9 stack vs new): 8/8 years (2016–2023) identical within 1e-10
• Lint/security: black, flake8, mypy clean; pip-audit on the resolved stack reports no known vulnerabilities

Note (not a regression)

Under numpy 2, sympy.lambdify emits np.maximum/np.minimum with >2 positional args for Max/Min; numpy treats the 3rd positional as out. Behavior is identical under numpy 1.23 (hence the exact A/B match), so it's pre-existing — flagged in #101 for a separate look.

Follow-up

Once merged, tag v2.5.0 and publish to PyPI so RealRate-Private can drop its temporary [tool.uv] override-dependencies workaround.

[bbkrr]

Why 2.5.0 (minor) and not 2.4.7 (patch)

Under semantic versioning: patch (2.4.7) is for backward-compatible bug fixes, minor (2.5.0) is for backward-compatible additions to capability.

This change is the latter, not a bug fix:

• It expands the supported dependency range — numpy 1 → numpy 1 and 2, pandas 1 → 1/2/3, networkx 2 → 2/3.
• It adds support for new Python versions (3.12–3.14) that the old caps made impossible.

No existing behavior changes (the unit suite + make verify-output are byte-identical), so it stays backward-compatible — that's exactly the "new functionality, no breakage" case semver reserves the minor slot for. A patch bump would understate that consumers can now resolve a meaningfully wider stack.

(It's deliberately not a major/3.0.0 either: no public API breaks and nothing is removed for existing users.)

[Copilot]

Pull request overview

Updates the package’s dependency constraints to allow resolving against the modern scientific Python stack (NumPy 2, pandas 2+/3, NetworkX 3) and bumps the library version for a new release.

Changes:

• Bumped package version from 2.4.6 to 2.5.0.
• Relaxed install_requires specifiers from ~= caps to >= floors for numpy, pandas, scipy, sympy, and networkx.
• Added an inline rationale comment explaining the motivation for removing upper bounds (Python 3.14 / modern wheels).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.