security(deps): bump the training-dependencies group in /training/rl with 14 updates

[dependabot]

Bumps the training-dependencies group in /training/rl with 14 updates:

Package	From	To
marshmallow	4.2.3	4.3.0
azure-monitor-opentelemetry-exporter	1.0.0b49	1.0.0b50
charset-normalizer	3.4.6	3.4.7
click	8.3.1	8.3.2
cuda-pathfinder	1.5.0	1.5.1
fastapi	0.135.2	0.135.3
orjson	3.11.7	3.11.8
pandas	3.0.1	3.0.2
pillow	12.1.1	12.2.0
pydantic-core	2.44.0	2.45.0
sqlalchemy	2.0.48	2.0.49
tzdata	2025.3	2026.1
uvicorn	0.42.0	0.43.0
werkzeug	3.1.7	3.1.8

Updates marshmallow from 4.2.3 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

• Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).
• Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

• marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.
• Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

Commits

• b596fdb Bump version and update changelog
• 256f0aa Add pre/post_load parameters to Field (#2799)
• c847ad4 Typing improvements to marshmallow.validate (#2940)
• eb86322 Remove redundant docs job (#2939)
• a44ad62 Avoid infinite recursion in nesting docs (#2938)
• 3360e34 Bump version and update changelog
• 7b9ce45 Fix changelog typos and update releasing docs
• f07eadc Fix validate.Email to accept IDNs (#2937)
• 4acb783 Fix Unreachable Warning (#2935)
• 3492fae Remove redundant python-version (#2932)
• Additional commits viewable in compare view

Updates azure-monitor-opentelemetry-exporter from 1.0.0b49 to 1.0.0b50

Release notes

Sourced from azure-monitor-opentelemetry-exporter's releases.

azure-monitor-opentelemetry-exporter_1.0.0b50

1.0.0b50 (2026-04-03)

Bugs Fixed

• Fix duplicate authentication policy in live metrics exporter causing Unauthorized errors for authenticated Application Insights resources (#46024)
• Suppress internal sdkstats HTTP pipeline logs from appearing in user's logs (#45966)
• Kubernetes pod name takes precedence when populating cloud_RoleInstance (#45884)

Other Changes

• Revert custom properties limit to 8kb (#46066)

Commits

• 24212d1 Exporter release 1.0.0b50 (#46054)
• 087778f Revert custom properties limit to 8kb (#46066)
• d8bed7e [monitor-opentelemetry] Fix duplicate auth policy in live metrics exporter (#...
• de23b45 Suppress internal sdkstats HTTP pipeline logs from appearing in user's traces...
• ce28bf7 Modify logic to ensure that the cloud_RoleInstance gets populated with the k8...
• 5fe509b Remove deprecated events package and methods (#45684)
• faf2a72 Increment package version after release of azure-monitor-opentelemetry (#45811)
• 77b2899 Distro release 1.8.7 (#45801)
• 4b5be11 Change import path for LoggingHandler to accommodate upstream breaking change...
• 9950092 Increment package version after release of azure-monitor-opentelemetry-export...
• See full diff in compare view

Updates charset-normalizer from 3.4.6 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Commits

• 0f07891 Merge pull request #729 from jawah/release-3.4.7
• fdbeb29 chore: update dev, and ci requirements
• b66f922 chore: add ft classifier
• f94249d chore: add test cases for utf_7 recent fix
• 95c866f chore: bump version to 3.4.7
• 4f429bb chore: bump mypy pre-commit to v1.20
• b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
• 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
• 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
• 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
• Additional commits viewable in compare view

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152
• Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139
• Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139
• Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Commits

• 052c006 Change update release date.
• 502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
• a0a37e4 Change publish to werkzeug latest. (#3301)
• 57be6fc Change publish to werkzeug latest.
• 781d6a8 Update publish workflows (#3266)
• ff795b6 Update precommit pins with tox
• dd87ef4 Update github action pins with tox
• 93d3f9d Release version 8.3.2
• 3299ba1 Add missing PR to changelog. (#3264)
• b7f62c4 Add missing PR to changelog.
• Additional commits viewable in compare view

Updates cuda-pathfinder from 1.5.0 to 1.5.1

Release notes

Sourced from cuda-pathfinder's releases.

cuda-pathfinder v1.5.1

Release notes

• https://nvidia.github.io/cuda-python/cuda-pathfinder/latest/release/1.5.1-notes.html

Documentation

• https://nvidia.github.io/cuda-python/cuda-pathfinder/1.5.1/

PyPI

• https://pypi.org/project/cuda-pathfinder/1.5.1/

Conda

• https://anaconda.org/conda-forge/cuda-pathfinder/files?version=1.5.1
• conda install conda-forge::cuda-pathfinder=1.5.1

Commits

• 1c8f297 docs(pathfinder): prepare 1.5.1 release notes (#1854)
• 1476822 [FEA]: Add support for pathfinder.find_bitcode_lib("nvshmem_device") (#1828)
• 900cd2e Claim cuda-python repository in context7 (#1757)
• 6a7d08c pathfinder: extended bin search paths with nvidia/cu13/bin (#1846)
• 64b8c07 bench: Initial cuda.bindings latency benchmarks structure (#1736)
• 56edbb0 Extract requires() test mark to eliminate repeated numpy version checks (#1844)
• fa25626 build(deps): bump the actions-monthly group with 5 updates (#1848)
• 66a687c Enhance Graph.update() and add whole-graph update tests (#1843)
• 6211c5a pathfinder: support cusolverMp dynamic loading and header searching (#1845)
• 682182b Improve cuda_bindings examples (#1842)
• Additional commits viewable in compare view

Updates fastapi from 0.135.2 to 0.135.3

Release notes

Sourced from fastapi's releases.

0.135.3

Features

• ✨ Add support for @app.vibe(). PR #15280 by @​tiangolo.
  • New docs: Vibe Coding.

Docs

• ✏️ Fix typo for client_secret in OAuth2 form docstrings. PR #14946 by @​bysiber.

Internal

• 👥 Update FastAPI People - Experts. PR #15279 by @​tiangolo.
• ⬆ Bump orjson from 3.11.7 to 3.11.8. PR #15276 by @​dependabot[bot].
• ⬆ Bump ruff from 0.15.0 to 0.15.8. PR #15277 by @​dependabot[bot].
• 👥 Update FastAPI GitHub topic repositories. PR #15274 by @​tiangolo.
• ⬆ Bump fastmcp from 2.14.5 to 3.2.0. PR #15267 by @​dependabot[bot].
• 👥 Update FastAPI People - Contributors and Translators. PR #15270 by @​tiangolo.
• ⬆ Bump requests from 2.32.5 to 2.33.0. PR #15228 by @​dependabot[bot].
• 👷 Add ty check to lint.sh. PR #15136 by @​svlandeg.

Commits

• 1f442c4 🔖 Release version 0.135.3
• 8f5d157 📝 Update release notes
• 428452a 📝 Update release notes
• 70580da ✨ Add support for @app.vibe() (#15280)
• 6ee8747 📝 Update release notes
• 3e72c09 👥 Update FastAPI People - Experts (#15279)
• 96df35f 📝 Update release notes
• 6c81125 ⬆ Bump orjson from 3.11.7 to 3.11.8 (#15276)
• 428f82c 📝 Update release notes
• 5599c59 ⬆ Bump ruff from 0.15.0 to 0.15.8 (#15277)
• Additional commits viewable in compare view

Updates orjson from 3.11.7 to 3.11.8

Release notes

Sourced from orjson's releases.

3.11.8

Changed

• Build and compatibility improvements.

Changelog

Sourced from orjson's changelog.

3.11.8 - 2026-03-31

Changed

• Build and compatibility improvements.

Commits

• 5cbb3d0 3.11.8
• 4195d7f writer::half
• d00641b writer::uuid
• c84d9b4 build and compatibility misc
• 4547234 ffi::numpy
• 0d4a5ad datetime PyRef idiom
• e93a13d Cross-compile avoids maturin v1.12 build-details.json error
• See full diff in compare view

Updates pandas from 3.0.1 to 3.0.2

Release notes

Sourced from pandas's releases.

pandas 3.0.2

We are pleased to announce the release of pandas 3.0.2. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

Commits

• ab90747 RLS: 3.0.2 (#64934)
• 6f27013 Backport PR #64931 on branch 3.0.x (DOC/BLD: temporary disable upload of docs...
• 48ddc60 Backport PR #64664 on branch 3.0.x (BUG: DataFrame.sum() crashes on empty Dat...
• 8774488 [backport 3.0.x] PERF: fix slow python loop in validation for ArrowStringArra...
• 33af6cc Backport PR #64133 on branch 3.0.x (BUG: str.find returns byte offset instead...
• 4ef49d8 [backport 3.0.x] BUG: fix convert_dtypes dropping values from sliced mixed-dt...
• 0668f34 [backport 3.0.x] BUG: Fix HDFStore.put with StringDtype columns and compressi...
• 23f2f44 [backport 3.0.x] BUG: Suppress unnecessary RuntimeWarning in to_datetime with...
• 83ba804 Backport PR #64886: BUG: Compute Variance of Complex Numbers Correctly (#64892)
• bb5ca1a Backport PR #64386 on branch 3.0.x (BUG: fix sort_index AssertionError with R...
• Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates pydantic-core from 2.44.0 to 2.45.0

Commits

• See full diff in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates tzdata from 2025.3 to 2026.1

Release notes

Sourced from tzdata's releases.

2026.1: Release of upstream tzdata 2026a

Version 2026.1

Upstream version 2026a released 2026-03-02T06:59:49+00:00

Briefly:

Moldova has used EU transition times since 2022. The "right" TZif files are no longer installed by default. -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds. TZif files are no longer limited to 50 bytes of abbreviations. zic is no longer limited to 50 leap seconds. Several integer overflow bugs have been fixed.

Changes to past and future timestamps

Since 2022 Moldova has observed EU transition times, that is, it has sprung forward at 03:00, not 02:00, and has fallen back at 04:00, not 03:00. (Thanks to Heitor David Pinto.)

Changes to data

Remove Europe/Chisinau from zonenow.tab, as it now agrees with Europe/Athens for future timestamps.

Changelog

Sourced from tzdata's changelog.

Version 2026.1

Upstream version 2026a released 2026-03-02T06:59:49+00:00

Briefly:

Moldova has used EU transition times since 2022. The "right" TZif files are no longer installed by default. -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds. TZif files are no longer limited to 50 bytes of abbreviations. zic is no longer limited to 50 leap seconds. Several integer overflow bugs have been fixed.

Changes to past and future timestamps

Since 2022 Moldova has observed EU transition times, that is, it has sprung forward at 03:00, not 02:00, and has fallen back at 04:00, not 03:00. (Thanks to Heitor David Pinto.)

Changes to data

Remove Europe/Chisinau from zonenow.tab, as it now agrees with Europe/Athens for future timestamps.

---

Commits

• 4997cab Update tzdata to version '2026a' (#123)
• 4d6c41f Update development status to 'Production/Stable' (#127)
• 7c1ce85 Remove 'v' from tags in auto-tag.yml
• 77a9c09 Update docs links to tzdata.python.org (#125)
• 11148f6 Remove quotes from update branch names
• 98fa430 Bump actions/checkout from 5 to 6 in the actions group (#122)
• 7ef7c61 Add auto-tag workflow (#110)
• 3fec560 Update tzdata to version '2025c'
• See full diff in compare view

Updates uvicorn from 0.42.0 to 0.43.0

Release notes

Sourced from uvicorn's releases.

Version 0.43.0

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

---

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

Changelog

Sourced from uvicorn's changelog.

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

Commits

• 8d397c7 Version 0.43.0 (#2885)
• 587042d 🐛 Emit http.disconnect ASGI receive() event on server shutting down for s...
• c9a75fb chore(deps): bump the github-actions group with 3 updates (#2878)
• 84fd578 chore(deps): bump pygments from 2.19.2 to 2.20.0 (#2877)
• cd52d34 Use native context parameter for create_task on Python 3.11+ (#2859)
• 5211880 Drop cast in ASGI types (#2875)
• 1cb8e74 Add websocket 500 fallback header test (#2874)
• 28efbb2 chore(deps-dev): bump cryptography from 46.0.5 to 46.0.6 (#2873)
• 042ffeb ci: add zizmor (#2872)
• c61f9d4 chore(deps): bump requests from 2.32.5 to 2.33.0 (#2871)
• See full diff in compare view

Updates werkzeug from 3.1.7 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

• Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

• Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Commits

• c1a26b4 release version 3.1.8
• 7926f0b relax get_host strictness (#3148)
• deab88f relax get_host strictness
• 65eb639 start version 3.1.8
• 7720b76 release version 3.1.7 (#3135)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 13 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 225ecd6.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

training/rl/pyproject.toml

Package	Version	License	Issue Type
marshmallow	>= 3.5,< 4.4.0	Null	Unknown License

training/rl/requirements.txt

Package	Version	License	Issue Type
charset-normalizer	3.4.7	Null	Unknown License
click	8.3.2	Null	Unknown License
cuda-pathfinder	1.5.1	Null	Unknown License
fastapi	0.135.3	Null	Unknown License
marshmallow	4.3.0	Null	Unknown License
orjson	3.11.8	Null	Unknown License
pandas	3.0.2	Null	Unknown License
pillow	12.2.0	Null	Unknown License
sqlalchemy	2.0.49	Null	Unknown License
uvicorn	0.43.0	Null	Unknown License
werkzeug	3.1.8	Null	Unknown License
tzdata	2026.1	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/marshmallow	>= 3.5,< 4.4.0	Unknown	Unknown
pip/azure-monitor-opentelemetry-exporter	1.0.0b50	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices 🟢 5 badge detected: Passing Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/charset-normalizer	3.4.7	Unknown	Unknown
pip/click	8.3.2	Unknown	Unknown
pip/cuda-pathfinder	1.5.1	Unknown	Unknown
pip/fastapi	0.135.3	Unknown	Unknown
pip/marshmallow	4.3.0	Unknown	Unknown
pip/orjson	3.11.8	Unknown	Unknown
pip/pandas	3.0.2	Unknown	Unknown
pip/pillow	12.2.0	Unknown	Unknown
pip/pydantic-core	2.45.0	Unknown	Unknown
pip/sqlalchemy	2.0.49	Unknown	Unknown
pip/tzdata	2026.1	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 16/22 approved changesets -- score normalized to 7 Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/uvicorn	0.43.0	Unknown	Unknown
pip/werkzeug	3.1.8	Unknown	Unknown

Scanned Files

• training/rl/pyproject.toml
• training/rl/requirements.txt

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.46%. Comparing base (176d9c9) to head (225ecd6).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #394   +/-   ##
=======================================
  Coverage   50.46%   50.46%           
=======================================
  Files         267      267           
  Lines       18098    18098           
  Branches     1903     1855   -48     
=======================================
  Hits         9134     9134           
  Misses       8674     8674           
  Partials      290      290           

Flag	Coverage Δ		*Carryforward flag
pester	81.96% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from 37630a4
pytest-dataviewer	61.97% <ø> (ø)
vitest	50.72% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.