security(deps): bump the training-dependencies group across 1 directory with 54 updates

[dependabot]

Bumps the training-dependencies group with 54 updates in the /training/rl directory:

Package	From	To
numpy	1.26.4	2.4.3
azure-core	1.38.2	1.38.3
azure-identity	1.25.2	1.25.3
azure-ai-ml	1.31.0	1.32.0
marshmallow	3.26.2	4.2.2
mlflow	3.5.0	3.10.1
packaging	25.0	26.0
rsl-rl-lib	5.0.0	5.0.1
azure-storage-file-datalake	12.14.0	12.23.0
cachetools	6.2.6	7.0.5
charset-normalizer	3.4.4	3.4.6
croniter	6.0.0	6.2.2
cyclopts	4.6.0	4.10.0
databricks-sdk	0.96.0	0.100.0
fastmcp	2.14.5	3.1.1
filelock	3.25.0	3.25.2
fonttools	4.61.1	4.62.1
google-auth	2.48.0	2.49.1
graphql-core	3.2.7	3.2.8
jaraco-context	6.1.0	6.1.1
kiwisolver	1.4.9	1.5.0
mlflow-skinny	3.5.0	3.10.1
mlflow-tracing	3.5.0	3.10.1
mpmath	1.3.0	1.4.1
msal	1.35.0	1.35.1
opentelemetry-api	1.39.0	1.40.0
opentelemetry-instrumentation	0.60b0	0.61b0
opentelemetry-instrumentation-asgi	0.60b0	0.61b0
opentelemetry-instrumentation-dbapi	0.60b0	0.61b0
opentelemetry-instrumentation-django	0.60b0	0.61b0
opentelemetry-instrumentation-fastapi	0.60b0	0.61b0
opentelemetry-instrumentation-flask	0.60b0	0.61b0
opentelemetry-instrumentation-psycopg2	0.60b0	0.61b0
opentelemetry-instrumentation-requests	0.60b0	0.61b0
opentelemetry-instrumentation-urllib	0.60b0	0.61b0
opentelemetry-instrumentation-urllib3	0.60b0	0.61b0
opentelemetry-instrumentation-wsgi	0.60b0	0.61b0
opentelemetry-sdk	1.39.0	1.40.0
opentelemetry-semantic-conventions	0.60b0	0.61b0
opentelemetry-util-http	0.60b0	0.61b0
pandas	2.3.3	3.0.1
platformdirs	4.9.2	4.9.4
protobuf	6.33.5	7.34.0
py-key-value-aio	0.3.0	0.4.4
pyarrow	21.0.0	23.0.1
pyasn1	0.6.2	0.6.3
pydantic-core	2.41.5	2.42.0
pydocket	0.18.0	0.18.2
pytz	2025.2	2026.1.post1
redis	7.2.1	7.3.0
setuptools	82.0.0	82.0.1
smmap	5.0.2	5.0.3
uvicorn	0.41.0	0.42.0
wrapt	1.17.3	2.1.2

Updates numpy from 1.26.4 to 2.4.3

Release notes

Sourced from numpy's releases.

2.4.3 (Mar 9, 2026)

NumPy 2.4.3 Release Notes

The NumPy 2.4.3 is a patch release that fixes bugs discovered after the 2.4.2 release. The most user visible fix may be a threading fix for OpenBLAS on ARM, closing issue #30816.

This release supports Python versions 3.11-3.14

Contributors

A total of 11 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Antareep Sarkar +
• Charles Harris
• Joren Hammudoglu
• Matthieu Darbois
• Matti Picus
• Nathan Goldbaum
• Peter Hawkins
• Pieter Eendebak
• Sebastian Berg
• Warren Weckesser
• stratakis +

Pull requests merged

A total of 14 pull requests were merged for this release.

• #30759: MAINT: Prepare 2.4.x for further development
• #30827: BUG: Fix some leaks found via LeakSanitizer (#30756)
• #30841: MAINT: Synchronize 2.4.x submodules with main
• #30849: TYP: matlib: missing extended precision imports
• #30850: BUG: Fix weak hash function in np.isin(). (#30840)
• #30921: BUG: fix infinite recursion in np.ma.flatten_structured_array...
• #30922: BUG: Fix buffer overrun in CPU baseline validation (#30877)
• #30923: BUG: Fix busdaycalendar's handling of a bool array weekmask....
• #30924: BUG: Fix reference leaks and NULL pointer dereferences (#30908)
• #30925: MAINT: fix two minor issues noticed when touching the C API setup
• #30955: ENH: Test .kind not .char in np.testing.assert_equal (#30879)
• #30957: BUG: fix type issues in uses if PyDataType macros
• #30958: MAINT: Don't use vulture 2.15, it has false positives
• #30973: MAINT: update openblas (#30961)

2.4.2 (Feb 1, 2026)

NumPy 2.4.2 Release Notes

The NumPy 2.4.2 is a patch release that fixes bugs discovered after the 2.4.1 release. Highlights are:

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits

• 8bcb2e7 Merge pull request #30974 from charris/prepare-2.4.3
• 9a2b5ee REL: Prepare for the NumPy 2.4.3 release
• a822ac2 Merge pull request #30973 from charris/backport-30961
• 039bf54 MAINT: update openblas (#30961)
• 254bafa Merge pull request #30955 from charris/backport-30879
• 0cc7d38 ENH: Test .kind not .char in np.testing.assert_equal (#30879)
• 9ee571d Merge pull request #30957 from charris/backport-30918
• f302a16 Merge pull request #30958 from charris/backport-30938
• d240a09 MAINT: Don't use vulture 2.15, it has false positives
• 4fc08e9 MAINT: Don't use vulture 2.15, it has false positives
• Additional commits viewable in compare view

Updates azure-core from 1.38.2 to 1.38.3

Release notes

Sourced from azure-core's releases.

azure-core_1.38.3

1.38.3 (2026-03-12)

Bugs Fixed

• Fixed PipelineClient.format_url to preserve trailing slash in the base URL when the URL template is query-string-only (e.g., ?key=value). #45365
• Fixed SensitiveHeaderCleanupPolicy to persist the insecure_domain_change flag across retries after a cross-domain redirect. #45518

Other Changes

• Added jitter to token refresh timing in BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy to prevent simultaneous token refresh attempts across multiple processes. This helps mitigate the thundering herd problem during token refresh operations. #43720

Commits

• c6e48b5 [Core] Prepare release (#45656)
• 079e76b Port data-plane packages in sdk/core/ to pyproject.toml (#45556)
• 2117dfb [Core] Persist cross domain redirect flag (#45518)
• 2d0a9aa [Core] Update pytest fixture scope (#45563)
• 4c4c869 [Core] Add jitter to token refresh intervals (#43720)
• 41391f1 [azure-core] Fix format_url dropping trailing slash when URL template is qu...
• 9fdb4f1 [Corehttp] Changelog update (#45113)
• f40b764 Increment package version after release of azure-core (#45246)
• See full diff in compare view

Updates azure-identity from 1.25.2 to 1.25.3

Release notes

Sourced from azure-identity's releases.

azure-identity_1.25.3

1.25.3 (2026-03-12)

Bugs Fixed

• Fixed an issue where an expired token could skip refresh when a recent token request was made, due to the retry delay taking precedence over expiration. (#45496)

Other Changes

• Bumped minimum dependency on msal to >=1.35.1.

Commits

• a989ea4 [Identity] Prep patch release
• 7972883 [Identity] Adjust refresh logic (#45496)
• 04764a9 add psscript to convert apiview json files to md (#45589)
• 50e0165 Sync eng/common directory with azure-sdk-tools for PR 14461 (#45646)
• 5333117 Add Bo to /sdk/ai/azure-ai-projects owner list (#45664)
• 775d694 Doc and automation updates for .github sync directory changes (#45630)
• c6e48b5 [Core] Prepare release (#45656)
• ae769c4 Fix custom Memory Stores LRO poller operation (#45662)
• 6074492 Add asset id none check in dt (#45618)
• e1a986a Bump tar from 7.5.10 to 7.5.11 in /eng/common/tsp-client (#45640)
• Additional commits viewable in compare view

Updates azure-ai-ml from 1.31.0 to 1.32.0

Release notes

Sourced from azure-ai-ml's releases.

azure-ai-ml_1.32.0

1.32.0 (2026-03-04)

Bugs Fixed

• Skip _list_secrets for identity-based datastores to prevent noisy telemetry traces.

Commits

• 4f79bdf Remove empty 'Other Changes' section from CHANGELOG
• fe81c2e Update CHANGELOG for version 1.32.0
• b5e2280 Update CHANGELOG.md
• 2ddc7b9 [AutoPR azure-mgmt-artifactsigning]-generated-from-SDK Generation - Python-58...
• c270319 App Configuration - Snapshot references (#44116)
• f605066 [CODEOWNERS Data Quality] Fix up CODEOWNERS (#44945)
• 47e90c1 Use azpysdk ApiStub in CI (#44439)
• 7700f5a [VoiceLive] Add code owners (#45191)
• a9b472f [AutoPR azure-mgmt-managedops]-generated-from-SDK Generation - Python-5788712...
• bef7492 [AutoPR azure-mgmt-postgresqlflexibleservers]-generated-from-SDK Generation -...
• Additional commits viewable in compare view

Updates marshmallow from 3.26.2 to 4.2.2

Changelog

Sourced from marshmallow's changelog.

4.2.2 (2026-02-04)

Bug fixes:

• Fix behavior of fields.Contant(None) (:issue:2868). Thanks :user:T90REAL for reporting and emmanuel-ferdman for the fix.

4.2.1 (2026-01-23)

Bug fixes:

• Fix validation of URLs beginning with uppercare FILE (:issue:2891). Thanks :user:thanhlecongg for reporting and fixing.

4.2.0 (2026-01-04)

Other changes:

• many argument of Nested properly overrides schema instance value (:pr:2854). Thanks :user:jafournier for the PR.

4.1.2 (2025-12-19)

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

• Ensure URL validator is case-insensitive when using custom schemes (:pr:2874). Thanks :user:T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

• Add __len__ implementation to missing so that it can be used with validate.Length <marshmallow.validate.Length> (:pr:2861). Thanks :user:agentgodzilla for the PR.
• Drop support for Python 3.9 (:pr:2363).

... (truncated)

Commits

• 2a3812d Bump version and update changelog
• 19ca8dc Fix Constant field rejecting None values during load (#2894)
• 213ee3a [pre-commit.ci] pre-commit autoupdate (#2896)
• ba8b512 Update AUTHORS.rst
• 40105ad Bump version and update changelog
• 39e7c83 Merge pull request #2892 from thanhlecongg/fix-2891
• 78a94ea Fix docstring typo
• 8dc078e fix issue #2891
• c62b911 add tests for issue #2891
• d07bf5e [pre-commit.ci] pre-commit autoupdate (#2887)
• Additional commits viewable in compare view

Updates mlflow from 3.5.0 to 3.10.1

Release notes

Sourced from mlflow's releases.

v3.10.1

MLflow 3.10.1 is a patch release that contains some minor feature enhancements, bug fixes, and documentation updates.

Features:

• [UI] Add try-it page on Gateway usage example modal (#21077, @​PattaraS)
• [UI] Filter gateway experiments from the experiment list page (#21130, @​copilot-swe-agent)

Bug fixes:

• [UI] Fix "View full dashboard" link in gateway usage tab when workspace is enabled (#21191, @​copilot-swe-agent)
• [UI] Persist AI Gateway default passphrase security banner dismissal to localStorage (#21292, @​copilot-swe-agent)
• [Evaluation] Demote unused parameters log message from WARNING to DEBUG in instructions judge (#21294, @​copilot-swe-agent)
• [UI] Clear "All" time selector when switching to overview tab (#21371, @​daniellok-db)
• [Prompts / UI] Fix Traces view in Prompts tab not being scrollable (#21282, @​TomeHirata)
• [UI] Fix judge builder instruction textarea (#21299, @​daniellok-db)
• [UI] Fix group mode to aggregate "Additional runs" as "Unassigned" group in charts (#21155, @​copilot-swe-agent)
• [UI] Fix artifact download when workspaces are enabled (#21074, @​timsolovev)
• [Tracing] Fix NOT NULL constraint on assessments.trace_id during trace export (#21348, @​dbczumar)
• [Tracking] Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS (#21220, @​copilot-swe-agent)
• [UI] [ML-63097] Fix broken LLM judge documentation links (#21347, @​smoorjani)
• [Tracing] Fix Run Judge failed with litellm.InternalServerError: Invalid response object. (#21262, @​PattaraS)
• [Tracing / UI] Update Action menu: indentation to avoid confusion (#21266, @​PattaraS)
• [Model Registry] Fix MlflowClient.copy_model_version for the case that copy UC model across workspaces (#21212, @​WeichenXu123)
• [UI] Fix empty description box rendering for sanitized-empty experiment descriptions (#21223, @​copilot-swe-agent)
• [Artifacts] Fix single artifact downloading through HttpArtifactRepository (#12955, @​Koenkk)
• [Tracing] Fix find_last_user_message_index skipping skill content injections (#21119, @​alkispoly-db)
• [Tracing] Fix retrieval context extraction when span outputs are stored as strings (#21213, @​smoorjani)
• [UI] Fix visibility toggle button in chart tooltip not working (#21071, @​daniellok-db)
• [UI] Move gateway experiment filtering to server-side query to fix inconsistent page sizes (#21138, @​copilot-swe-agent)
• [Gateway] Downgrade spurious warning to debug log for gateway endpoints with fallback_config but no FALLBACK models (#21123, @​copilot-swe-agent)
• [Tracing] Fix MCP fn_wrapper to pass None for optional params with UNSET defaults (#21051, @​yangbaechu)
• [Tracking] Add CASCADE to logged_model tables experiment_id foreign keys (#20185, @​harupy)
• [Tracing] Fix MCP fn_wrapper handling of Click UNSET defaults (#20953) (#20962, @​yangbaechu)

Documentation updates:

• [Docs] Update SSO oidc plugin doc: add google identity platform / AWS cognito / Azure Entra ID configuration guide (#20591, @​WeichenXu123)
• [Docs / Tracing] Fix distributed tracing rendering and improve doc (#21070, @​B-Step62)
• [Docs] docs: Add single quotes to install commands with extras to prevent zsh errors (#21227, @​mshavliuk)
• [Docs / Model Registry] Fix outdated docstring claiming models:/ URIs are unsupported in register_model (#21197, @​copilot-swe-agent)
• [Docs] Replace MinIO with RustFS in docker-compose setup (#21099, @​jmaggesi)

Small bug fixes and documentation updates:

#20740, #21148, #21149, #21096, @​TomeHirata; #21368, #21118, @​B-Step62; #21384, #21345, #21236, #21106, #21033, #21115, #21034, @​smoorjani; #21326, #21133, #21036, @​copilot-swe-agent; #21293, @​daniellok-db; #21175, @​caponetto; #21305, #21264, @​serena-ruan; #21216, @​justinwei-db; #21038, #21082, @​bbqiu; #21143, #20733, @​mprahl; #20488, @​mdalvz0000; #21142, @​EPgg92; #21094, @​PattaraS

v3.10.0

We're excited to announce MLflow 3.10.0, which includes several notable updates:

... (truncated)

Changelog

Sourced from mlflow's changelog.

3.10.1 (2026-03-05)

MLflow 3.10.1 is a patch release that contains some minor feature enhancements, bug fixes, and documentation updates.

Features:

• [UI] Add try-it page on Gateway usage example modal (#21077, @​PattaraS)
• [UI] Filter gateway experiments from the experiment list page (#21130, @​copilot-swe-agent)

Bug fixes:

• [UI] Fix "View full dashboard" link in gateway usage tab when workspace is enabled (#21191, @​copilot-swe-agent)
• [UI] Persist AI Gateway default passphrase security banner dismissal to localStorage (#21292, @​copilot-swe-agent)
• [Evaluation] Demote unused parameters log message from WARNING to DEBUG in instructions judge (#21294, @​copilot-swe-agent)
• [UI] Clear "All" time selector when switching to overview tab (#21371, @​daniellok-db)
• [Prompts / UI] Fix Traces view in Prompts tab not being scrollable (#21282, @​TomeHirata)
• [UI] Fix judge builder instruction textarea (#21299, @​daniellok-db)
• [UI] Fix group mode to aggregate "Additional runs" as "Unassigned" group in charts (#21155, @​copilot-swe-agent)
• [UI] Fix artifact download when workspaces are enabled (#21074, @​timsolovev)
• [Tracing] Fix NOT NULL constraint on assessments.trace_id during trace export (#21348, @​dbczumar)
• [Tracking] Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS (#21220, @​copilot-swe-agent)
• [UI] [ML-63097] Fix broken LLM judge documentation links (#21347, @​smoorjani)
• [] Fix Run Judge failed with litellm.InternalServerError: Invalid response object. (#21262, @​PattaraS)
• [Tracing / UI] Update Action menu: indentation to avoid confusion (#21266, @​PattaraS)
• [Model Registry] Fix MlflowClient.copy_model_version for the case that copy UC model across workspaces (#21212, @​WeichenXu123)
• [UI] Fix empty description box rendering for sanitized-empty experiment descriptions (#21223, @​copilot-swe-agent)
• [Artifacts] Fix single artifact downloading through HttpArtifactRepository (#12955, @​Koenkk)
• [Tracing] Fix find_last_user_message_index skipping skill content injections (#21119, @​alkispoly-db)
• [] Fix retrieval context extraction when span outputs are stored as strings (#21213, @​smoorjani)
• [UI] Fix visibility toggle button in chart tooltip not working (#21071, @​daniellok-db)
• [UI] Move gateway experiment filtering to server-side query to fix inconsistent page sizes (#21138, @​copilot-swe-agent)
• [] Downgrade spurious warning to debug log for gateway endpoints with fallback_config but no FALLBACK models (#21123, @​copilot-swe-agent)
• [Tracing] Fix MCP fn_wrapper to pass None for optional params with UNSET defaults (#21051, @​yangbaechu)
• [Tracking] Add CASCADE to logged_model tables experiment_id foreign keys (#20185, @​harupy)
• [Tracing] Fix MCP fn_wrapper handling of Click UNSET defaults (#20953) (#20962, @​yangbaechu)

Documentation updates:

• [Docs] Update SSO oidc plugin doc: add google identity platform / AWS cognito / Azure Entra ID configuration guide (#20591, @​WeichenXu123)
• [Docs / Tracing] Fix distributed tracing rendering and improve doc (#21070, @​B-Step62)
• [Docs] docs: Add single quotes to install commands with extras to prevent zsh errors (#21227, @​mshavliuk)
• [Docs / Model Registry] Fix outdated docstring claiming models:/ URIs are unsupported in register_model (#21197, @​copilot-swe-agent)
• [Docs] Replace MinIO with RustFS in docker-compose setup (#21099, @​jmaggesi)

Small bug fixes and documentation updates:

#20740, #21148, #21149, #21096, @​TomeHirata; #21368, #21118, @​B-Step62; #21384, #21345, #21236, #21106, #21033, #21115, #21034, @​smoorjani; #21326, #21133, #21036, @​copilot-swe-agent; #21293, @​daniellok-db; #21175, @​caponetto; #21305, #21264, @​serena-ruan; #21216, @​justinwei-db; #21038, #21082, @​bbqiu; #21143, #20733, @​mprahl; #20488, @​mdalvz0000; #21142, @​EPgg92; #21094, @​PattaraS

3.10.0 (2026-02-20)

... (truncated)

Commits

• cadc323 Bump version to 3.10.1 (#21396)
• 3d17d6c Add back virtualenv to fix the docker build until the next release (#20740)
• 3cfc12f Update SSO oidc plugin doc: add google identity platform / AWS cognito / Azur...
• bcaad26 Fix "View full dashboard" link in gateway usage tab when workspace is enabled...
• ff3249f Update GenAI link and video in the getting started page (#21368)
• 1591d03 Persist AI Gateway default passphrase security banner dismissal to localStora...
• 32979c9 Demote unused parameters log message from WARNING to DEBUG in instructions ju...
• 18eeea0 Make simulator explicitly avoid stating goal in first message (#21384)
• 42d4356 Clear "All" time selector when switching to overview tab (#21371)
• 1a14934 Fix Traces view in Prompts tab not being scrollable (#21282)
• Additional commits viewable in compare view

Updates packaging from 25.0 to 26.0

Release notes

Sourced from packaging's releases.

26.0

Read about the performance improvements here: https://iscinumpy.dev/post/packaging-faster.

What's Changed

Features:

• PEP 751: support pylock by @​sbidoul in pypa/packaging#900
• PEP 794: import name metadata by @​brettcannon in pypa/packaging#948
• Support writing metadata by @​henryiii in pypa/packaging#846
• Support __replace__ for Version by @​henryiii in pypa/packaging#1003
• Support positional pattern matching for Version and Specifier by @​henryiii in pypa/packaging#1004

Behavior adaptations:

• PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter by @​notatallshaw in pypa/packaging#897
• Handle PEP 440 edge case in SpecifierSet.filter by @​notatallshaw in pypa/packaging#942
• Adjust arbitrary equality intersection preservation in SpecifierSet by @​notatallshaw in pypa/packaging#951
• Return False instead of raising for .contains with invalid version by @​Liam-DeVoe in pypa/packaging#932
• Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. by @​notatallshaw in pypa/packaging#954
• Only try to parse as Version on certain marker keys, return False on unequal ordered comparsions by @​JP-Ellis in pypa/packaging#939

Fixes:

• Update _hash when unpickling Tag() by @​dholth in pypa/packaging#860
• Correct comment and simplify implicit prerelease handling in Specifier.prereleases by @​notatallshaw in pypa/packaging#896
• Use explicit _GLibCVersion NamedTuple in _manylinux by @​cthoyt in pypa/packaging#868
• Detect invalid license expressions containing () by @​bwoodsend in pypa/packaging#879
• Correct regex for metadata 'name' format by @​di in pypa/packaging#925
• Improve the message around expecting a semicolon by @​pradyunsg in pypa/packaging#833
• Support nested parens in license expressions by @​Liam-DeVoe in pypa/packaging#931
• Add space before at symbol in Requirements string by @​henryiii in pypa/packaging#953
• A root logger use found by ruff LOG, use packaging logger instead by @​henryiii in pypa/packaging#965
• Better support for subclassing Marker and Requirement by @​henryiii in pypa/packaging#1022
• Normalize all extras, not just if it comes first by @​henryiii in pypa/packaging#1024
• Don't produce a broken repr if Marker fails to construct by @​henryiii in pypa/packaging#1033

Performance:

• Avoid recompiling regexes in the tokenizer for a 3x speedup by @​hauntsaninja in pypa/packaging#1019
• Improve performance in _manylinux.py by @​cthoyt in pypa/packaging#869
• Minor cleanups to Version by @​bearomorphism in pypa/packaging#913
• Skip redundant creation of Versions in specifier comparison by @​notatallshaw in pypa/packaging#986
• Cache Specifier's Version by @​notatallshaw in pypa/packaging#985
• Make Version a little faster by @​henryiii in pypa/packaging#987
• Minor Version regex cleanup by @​henryiii in pypa/packaging#990
• Faster regex on Python 3.11.5+ by @​henryiii in pypa/packaging#988 and pypa/packaging#1055
• Lazily calculate _key in Version by @​notatallshaw in pypa/packaging#989 and regression for packaging_legacy fixed by @​henryiii in pypa/packaging#1048
• Faster canonicalize_version by @​henryiii in pypa/packaging#993
• Use fullmatch in a couple more places by @​henryiii in pypa/packaging#992

... (truncated)

Changelog

Sourced from packaging's changelog.

26.0 - 2026-01-20

Features:

PEP 751: support pylock (:pull:900)
PEP 794: import name metadata (:pull:948)
Support for writing metadata to a file (:pull:846)
Support __replace__ on Version (:pull:1003)
Support positional pattern matching for Version and SpecifierSet (:pull:1004)

Behavior adaptations:

PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (:pull:897)
Handle PEP 440 edge case in SpecifierSet.filter (:pull:942)
Adjust arbitrary equality intersection preservation in SpecifierSet (:pull:951)
Return False instead of raising for .contains with invalid version (:pull:932)
Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. (:pull:954)
Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (:pull:939)

Fixes:

Update _hash when unpickling Tag() (:pull:860)
Correct comment and simplify implicit prerelease handling in Specifier.prereleases (:pull:896)
Use explicit _GLibCVersion NamedTuple in _manylinux (:pull:868)
Detect invalid license expressions containing () (:pull:879)
Correct regex for metadata 'name' format (:pull:925)
Improve the message around expecting a semicolon (:pull:833)
Support nested parens in license expressions (:pull:931)
Add space before at symbol in Requirements string (:pull:953)
A root logger use found, use a packaging logger instead (:pull:965)
Better support for subclassing Marker and Requirement (:pull:1022)
Normalize all extras, not just if it comes first (:pull:1024)
Don't produce a broken repr if Marker fails to construct (:pull:1033)

Performance:

Avoid recompiling regexes in the tokenizer for a 3x speedup (:pull:1019)
Improve performance in _manylinux.py (:pull:869)
Minor cleanups to Version (:pull:913)
Skip redundant creation of Version's in specifier comparison (:pull:986)
Cache the Specifier's Version (:pull:985)
Make Version a little faster (:pull:987)
Minor Version regex cleanup (:pull:990)
Faster regex on Python 3.11.5+ for Version (:pull:988, :pull:1055)
Lazily calculate _key in Version (:pull:989, :pull:1048)
Faster canonicalize_version (:pull:993)
Use re.fullmatch in a couple more places (:pull:992, :pull:1029)
Use map instead of generator (:pull:996)
Deprecate ._version (_Version, a NamedTuple) (:pull:995, :pull:106...
Description has been truncated

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 28 package(s) with unknown licenses.

See the Details below.

License Issues

training/rl/pyproject.toml

Package	Version	License	Issue Type
azure-storage-blob	>= 12.10.0	Null	Unknown License
azureml-mlflow	1.62.0.post1	Null	Unknown License
cryptography	>= 46.0.0	Null	Unknown License
numpy	>= 1.26.0,< 2.0.0	Null	Unknown License
packaging	>= 25,< 27	Null	Unknown License
rsl-rl-lib	5.0.1	Null	Unknown License

training/rl/requirements.txt

Package	Version	License	Issue Type
azureml-mlflow	1.62.0.post1	Null	Unknown License
cuda-bindings	12.9.4	Null	Unknown License
cuda-pathfinder	1.4.3	Null	Unknown License
databricks-sdk	0.100.0	Null	Unknown License
nvidia-cublas-cu12	12.8.4.1	Null	Unknown License
nvidia-cuda-cupti-cu12	12.8.90	Null	Unknown License
nvidia-cuda-nvrtc-cu12	12.8.93	Null	Unknown License
nvidia-cuda-runtime-cu12	12.8.90	Null	Unknown License
nvidia-cudnn-cu12	9.10.2.21	Null	Unknown License
nvidia-cufft-cu12	11.3.3.83	Null	Unknown License
nvidia-cufile-cu12	1.13.1.3	Null	Unknown License
nvidia-curand-cu12	10.3.9.90	Null	Unknown License
nvidia-cusolver-cu12	11.7.3.90	Null	Unknown License
nvidia-cusparse-cu12	12.5.8.93	Null	Unknown License
nvidia-cusparselt-cu12	0.7.1	Null	Unknown License
nvidia-nccl-cu12	2.27.5	Null	Unknown License
nvidia-nvjitlink-cu12	12.8.93	Null	Unknown License
nvidia-nvshmem-cu12	3.4.5	Null	Unknown License
nvidia-nvtx-cu12	12.8.90	Null	Unknown License
protobuf	6.33.6	Null	Unknown License
rsl-rl-lib	5.0.1	Null	Unknown License
uvicorn	0.42.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/azure-ai-ml	1.32.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/azure-core	1.38.3	Unknown	Unknown
pip/azure-identity	1.25.3	Unknown	Unknown
pip/azure-storage-blob	>= 12.10.0	Unknown	Unknown
pip/azureml-mlflow	1.62.0.post1	Unknown	Unknown
pip/cryptography	>= 46.0.0	Unknown	Unknown
pip/numpy	>= 1.26.0,< 2.0.0	Unknown	Unknown
pip/packaging	>= 25,< 27	Unknown	Unknown
pip/rsl-rl-lib	5.0.1	Unknown	Unknown
pip/azure-ai-ml	1.32.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/azure-core	1.38.3	Unknown	Unknown
pip/azure-identity	1.25.3	Unknown	Unknown
pip/azure-storage-blob	12.27.1	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/azure-storage-file-datalake	12.22.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/azureml-mlflow	1.62.0.post1	Unknown	Unknown
pip/charset-normalizer	3.4.6	Unknown	Unknown
pip/cuda-bindings	12.9.4	Unknown	Unknown
pip/cuda-pathfinder	1.4.3	Unknown	Unknown
pip/databricks-sdk	0.100.0	Unknown	Unknown
pip/filelock	3.25.2	Unknown	Unknown
pip/fonttools	4.62.1	🟢 5.7	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 Found 6/19 approved changesets -- score normalized to 3 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/google-auth	2.49.1	🟢 7.3	Details Check Score Reason Maintained ⚠️ 0 project is archived Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
pip/graphql-core	3.2.8	🟢 5.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 1 Found 5/30 approved changesets -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/gunicorn	23.0.0	Unknown	Unknown
pip/huey	2.6.0	Unknown	Unknown
pip/kiwisolver	1.5.0	Unknown	Unknown
pip/mlflow	3.9.0	Unknown	Unknown
pip/mlflow-skinny	3.9.0	Unknown	Unknown
pip/mlflow-tracing	3.9.0	Unknown	Unknown
pip/msal	1.35.1	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 9 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Packaging 🟢 10 packaging workflow detected SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8 Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches
pip/numpy	2.4.3	Unknown	Unknown
pip/nvidia-cublas-cu12	12.8.4.1	Unknown	Unknown
pip/nvidia-cuda-cupti-cu12	12.8.90	Unknown	Unknown
pip/nvidia-cuda-nvrtc-cu12	12.8.93	Unknown	Unknown
pip/nvidia-cuda-runtime-cu12	12.8.90	Unknown	Unknown
pip/nvidia-cudnn-cu12	9.10.2.21	Unknown	Unknown
pip/nvidia-cufft-cu12	11.3.3.83	Unknown	Unknown
pip/nvidia-cufile-cu12	1.13.1.3	Unknown	Unknown
pip/nvidia-curand-cu12	10.3.9.90	Unknown	Unknown
pip/nvidia-cusolver-cu12	11.7.3.90	Unknown	Unknown
pip/nvidia-cusparse-cu12	12.5.8.93	Unknown	Unknown
pip/nvidia-cusparselt-cu12	0.7.1	Unknown	Unknown
pip/nvidia-nccl-cu12	2.27.5	Unknown	Unknown
pip/nvidia-nvjitlink-cu12	12.8.93	Unknown	Unknown
pip/nvidia-nvshmem-cu12	3.4.5	Unknown	Unknown
pip/nvidia-nvtx-cu12	12.8.90	Unknown	Unknown
pip/prettytable	3.17.0	Unknown	Unknown
pip/protobuf	6.33.6	Unknown	Unknown
pip/pyarrow	22.0.0	Unknown	Unknown
pip/rsl-rl-lib	5.0.1	Unknown	Unknown
pip/setuptools	82.0.1	Unknown	Unknown
pip/skops	0.13.0	Unknown	Unknown
pip/smmap	5.0.3	🟢 5.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 3 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 6 Found 6/10 approved changesets -- score normalized to 6 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
pip/triton	3.6.0	Unknown	Unknown
pip/uvicorn	0.42.0	Unknown	Unknown
pip/wcwidth	0.6.0	Unknown	Unknown

Scanned Files

• training/rl/pyproject.toml
• training/rl/requirements.txt

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.37%. Comparing base (bb73bbb) to head (f5a8b47).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #286   +/-   ##
=======================================
  Coverage   38.37%   38.37%           
=======================================
  Files          73       73           
  Lines        8579     8579           
  Branches      497      497           
=======================================
  Hits         3292     3292           
  Misses       5277     5277           
  Partials       10       10           

Flag	Coverage Δ		*Carryforward flag
pester	79.87% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from 1a622ff
pytest-dataviewer	61.98% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[WilliamBerryiii]

@akzaidi - can you look this over ... there's a TON of security patches that we should apply in this PR.

[akzaidi]

Upon validation, the Dependabot dependency bump with two critical constraint need address for OSMO/AzureML.

Direct dependency updates (from Dependabot)

Package	Old	New
azure-core	1.38.2	1.38.3
azure-identity	1.25.2	1.25.3
azure-ai-ml	1.31.0	1.32.0
packaging	>=25,<26	>=25,<27
rsl-rl-lib	5.0.0	5.0.1

Constraint fixes (added in this PR)

numpy>=1.26.0,<3.0.0 → >=1.26.0,<2.0.0

The Isaac Sim 2.3.2 container has pre-compiled numpy extensions (/isaac-sim/extscache/) that are ABI-incompatible with numpy 2.x. Although train.sh force-installs numpy<2.0.0, the subsequent uv pip compile resolves numpy==2.4.3 from the <3.0.0 range, and uv pip install --requirement overwrites the pre-installed 1.26.4 — causing AttributeError: partially initialized module 'numpy.core.arrayprint' at simulation startup. Tightening the constraint ensures the compiled lock never resolves numpy 2.x.

azure-storage-blob==12.28.0 → >=12.10.0

azureml-mlflow==1.62.0 requires azure-storage-blob<=12.27.1. The exact pin at 12.28.0 made uv pip compile unsolvable — this was a pre-existing bug on main as well. Relaxing to >=12.10.0 lets the resolver pick 12.27.1 (the highest version compatible with all constraints).

requirements.txt regenerated

The Dependabot-generated requirements.txt contained versions that uv pip compile would never resolve (e.g., marshmallow 4.x, protobuf 7.x, pandas 3.x). Regenerated via uv pip compile pyproject.toml --python-version 3.11 to match actual runtime resolution.

Validation

Test	Platform	Framework	Result
Training	OSMO	SKRL	Pass ✅ — isaaclab-inline-training-69 completed, MLflow logged
Training	OSMO	RSL-RL	Fail ❌ — KeyError: 'actor' (pre-existing: rsl-rl-lib 5.x incompatible with Isaac Lab 2.3.2)
Eval submission	AzureML	SKRL	Pass ✅ — job submitted and scheduled via azure-ai-ml==1.32.0

Known issues (pre-existing, not introduced by this PR)

• rsl-rl-lib 5.x / Isaac Lab 2.3.2 incompatibility: The construct_algorithm() API changed in 5.x; Isaac Lab's RslRlOnPolicyRunnerCfg doesn't produce the expected actor config key. Tracked separately.
• AzureML validation command path: submit-azureml-validation.sh references stale path training/scripts/validate.sh (should be validate.sh). From the domain architecture migration.

---