security(deps): bump the inference-dependencies group in /evaluation with 4 updates#512

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/evaluation/inference-dependencies-afc2ed8984

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps the inference-dependencies group in /evaluation with 4 updates: numpy, marshmallow, torch and lerobot.

Updates numpy from 2.2.6 to 2.4.4

Release notes

Sourced from numpy's releases.

2.4.4 (Mar 29, 2026)

NumPy 2.4.4 Release Notes

NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3 release. It should finally close issue #30816, the OpenBLAS threading problem on ARM.

This release supports Python versions 3.11-3.14.

Contributors

A total of 8 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

  • Charles Harris
  • Daniel Haag +
  • Denis Prokopenko +
  • Harshith J +
  • Koki Watanabe
  • Marten van Kerkwijk
  • Matti Picus
  • Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

  • #30978: MAINT: Prepare 2.4.x for further development
  • #31049: BUG: Add test to reproduce problem described in #30816 (#30818)
  • #31052: BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP (#31035)
  • #31053: BUG: avoid warning on ufunc with where=True and no output
  • #31058: DOC: document caveats of ndarray.resize on 3.14 and newer
  • #31079: TST: fix POWER VSX feature mapping (#30801)
  • #31084: MAINT: numpy.i: Replace deprecated sprintf with snprintf...

2.4.3 (Mar 9, 2026)

NumPy 2.4.3 Release Notes

NumPy 2.4.3 is a patch release that fixes bugs discovered after the 2.4.2 release. The most user-visible fix may be a threading fix for OpenBLAS on ARM, closing issue #30816.

This release supports Python versions 3.11-3.14.

Contributors

A total of 11 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

  • Antareep Sarkar +

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release repository (https://github.com/numpy/numpy-release).

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the general release guide.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

  • Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits
  • be93fe2 Merge pull request #31090 from charris/prepare-2.4.4
  • f5245dc REL: Prepare for the NumPy 2.4.4 release
  • 02e838b Merge pull request #31084 from charris/backport-31056
  • fa74b2d MAINT: numpy.i: Replace deprecated sprintf with snprintf (#31056)
  • 533a6db Merge pull request #31079 from charris/backport-20801
  • 9e496cb TST: fix POWER VSX feature mapping (#30801)
  • 8052c4b Merge pull request #31058 from charris/backport-31021
  • 7f13b5a MAINT: Skip test on PyPy.
  • 4c5fdd6 MAINT: Remove unused import of tracemalloc.
  • a3ca5ed Update numpy/_core/src/multiarray/shape.c
  • Additional commits viewable in compare view

Updates marshmallow from 3.26.2 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

  • Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).
  • Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

  • marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.
  • Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

4.2.3 (2026-03-25)

Bug fixes:

  • Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base classes to prevent using them within Schemas (:issue:2924). Thanks :user:MartingaleCoda for reporting.
  • Allow required to be set on marshmallow.fields.Contant (:issue:2900). Thanks :user:nosnickid for the report and :user:worksbyfriday for the PR.
  • Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber choices (:issue:2869). Thanks :user:T90REAL for the report and :user:rstar327 for the PR.
  • Fix behavior when passing a dot-delimited attribute name to partial for a key with data_key set (:pr:2903). Thanks :user:bysiber for the PR.
  • Fix Enum field by-name lookup to only return actual members (:pr:2902). Thanks :user:bysiber for the PR.
  • marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool values (:pr:2904). Thanks :user:bysiber for the PR.
  • Fix typing of error_messages argument to marshmallow.fields.Field (:pr:1636). Thanks :user:repole for reporting and :user:dhruvildarji for the PR.

Other changes:

  • Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING (:issue:1695). Thanks :user:liberforce for the suggestion and :user:dhruvildarji for the PR.

4.2.2 (2026-02-04)

Bug fixes:

  • Fix behavior of fields.Contant(None) (:issue:2868).

... (truncated)

Commits

Updates torch from 2.10.0 to 2.11.0

Release notes

Sourced from torch's releases.

PyTorch 2.11.0 Release Notes

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Backwards Incompatible Changes

Release Engineering

... (truncated)

Commits
  • 70d99e9 [release only] Increase timeout for rocm libtorch and manywheel builds (#178006)
  • 3e05c5a [MPS] Properly handle conjugated tensors in bmm (#178010)
  • db741c7 [MPS] fix compiling of SDPA producing nan results (#178009)
  • 483b55d Update pytorch_sphinx_theme2 version to 0.4.6 (#177616)
  • 7f2cdeb [windows][smoke test] Add an option to install cuda if required cuda/cudnn on...
  • 76fd078 [release-only] Fix libtorch builds. Fix lint (#177299)
  • fa384de [Inductor][MPS] Fix half-precision type mismatches in Metal shader codegen (#...
  • 036b25f Let stable::from_blob accept a lambda as deleter (cherry-pick) (#176440)
  • 41f8e3e [CI] Stop using G3 runners (#177161)
  • e2fa295 [CD] Unpin cuda-bindings dependencies (#177159)
  • Additional commits viewable in compare view

Updates lerobot from 0.5.0 to 0.5.1

Release notes

Sourced from lerobot's releases.

Release v0.5.1

What's Changed

New Contributors

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the inference-dependencies group in /evaluation with 4 updates: [numpy](https://github.com/numpy/numpy), [marshmallow](https://github.com/marshmallow-code/marshmallow), [torch](https://github.com/pytorch/pytorch) and [lerobot](https://github.com/huggingface/lerobot).


Updates `numpy` from 2.2.6 to 2.4.4
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.2.6...v2.4.4)

Updates `marshmallow` from 3.26.2 to 4.3.0
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@3.26.2...4.3.0)

Updates `torch` from 2.10.0 to 2.11.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.10.0...v2.11.0)

Updates `lerobot` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/huggingface/lerobot/releases)
- [Commits](huggingface/lerobot@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: numpy
  dependency-version: 2.4.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
- dependency-name: marshmallow
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: inference-dependencies
- dependency-name: torch
  dependency-version: 2.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
- dependency-name: lerobot
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: inference-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependency version updates python Pull requests that update python code labels Apr 20, 2026
@github-actions github-actions Bot changed the title from "chore(deps): bump the inference-dependencies group in /evaluation with 4 updates" to "security(deps): bump the inference-dependencies group in /evaluation with 4 updates" Apr 20, 2026
@github-actions
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2f4520a.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

evaluation/pyproject.toml

| Package     | Version | License | Issue Type      |
|-------------|---------|---------|-----------------|
| lerobot     | 0.5.1   | Null    | Unknown License |
| marshmallow | 4.3.0   | Null    | Unknown License |
| torch       | 2.11.0  | Null    | Unknown License |

OpenSSF Scorecard

| Package         | Version | Score   | Details |
|-----------------|---------|---------|---------|
| pip/lerobot     | 0.5.1   | Unknown | Unknown |
| pip/marshmallow | 4.3.0   | Unknown | Unknown |
| pip/numpy       | 2.4.4   | Unknown | Unknown |
| pip/torch       | 2.11.0  | Unknown | Unknown |

Scanned Files

  • evaluation/pyproject.toml

@codecov-commenter

codecov-commenter commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.19%. Comparing base (7196d6d) to head (2f4520a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #512   +/-   ##
=======================================
  Coverage   65.19%   65.19%           
=======================================
  Files         254      254           
  Lines       15804    15804           
  Branches     2118     2118           
=======================================
  Hits        10303    10303           
  Misses       5212     5212           
  Partials      289      289           
| Flag              | Coverage Δ      |
|-------------------|-----------------|
| pester            | 81.11% <ø> (ø)  |
| pytest            | 92.40% <ø> (ø)  |
| pytest-dataviewer | 65.12% <ø> (ø)  |
| pytest-fuzz       | 1.56% <ø> (ø)   |
| vitest            | 51.77% <ø> (ø)  |

@WilliamBerryiii
Member

@dependabot recreate

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Apr 20, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 20, 2026
@dependabot dependabot Bot deleted the dependabot/pip/evaluation/inference-dependencies-afc2ed8984 branch April 20, 2026 18:47
katriendg added a commit that referenced this pull request Apr 27, 2026
Updated all remaining Python 3.11 references across the repository to
reflect the Python 3.12+ minimum version requirement. The
`pyproject.toml` files already declared `requires-python = ">=3.12"`,
but CI workflows, documentation, issue templates, and agent/skill
definitions still referenced 3.11. This PR brings everything into
alignment.

Closes #572

## Type of Change
<!-- Mark relevant options with [x] -->

- [ ] 🐛 Bug fix (non-breaking change fixing an issue)
- [ ] ✨ New feature (non-breaking change adding functionality)
- [ ] 💥 Breaking change (fix or feature causing existing functionality
to change)
- [x] 📚 Documentation update
- [ ] 🏗️ Infrastructure change (Terraform/IaC)
- [ ] ♻️ Refactoring (no functional changes)

## Component(s) Affected
<!-- Mark all that apply -->

- [ ] `infrastructure/terraform/prerequisites/` - Azure subscription
setup
- [ ] `infrastructure/terraform/` - Terraform infrastructure
- [ ] `infrastructure/setup/` - OSMO control plane / Helm
- [x] `workflows/` - Training and evaluation workflows
- [ ] `training/` - Training pipelines and scripts
- [x] `docs/` - Documentation

## Testing Performed
<!-- Describe testing. Check applicable items -->

- [ ] Terraform `plan` reviewed (no unexpected changes)
- [ ] Terraform `apply` tested in dev environment
- [ ] Training scripts tested locally with Isaac Sim
- [ ] OSMO workflow submitted successfully
- [ ] Smoke tests passed (`smoke_test_azure.py`)

## Documentation Impact
<!-- Select one -->

- [ ] No documentation changes needed
- [x] Documentation updated in this PR
- [ ] Documentation issue filed

## Bug Fix Checklist

*Complete this section for bug fix PRs. Skip for other contribution
types.*

- [ ] Linked to issue being fixed
- [ ] Regression test included, OR
- [ ] Justification for no regression test:

## Checklist

- [x] My code follows the [project conventions](copilot-instructions.md)
- [x] Commit messages follow [conventional commit
format](instructions/commit-message.instructions.md)
- [x] I have performed a self-review
- [x] Documentation impact assessed above
- [x] No new linting warnings introduced

## Changes

Updated **17 files** across the repository to replace stale Python 3.11
references with Python 3.12, aligning documentation, CI/CD, and
configuration with the already-declared `requires-python = ">=3.12"` in
all `pyproject.toml` files.

### CI/CD Workflows

Three pytest workflow files and the dependabot PR review specification
were pinned to Python 3.11 for `actions/setup-python`. All four now
specify `python-version: '3.12'`.

- Updated *pytest-data-pipeline.yml*, *pytest-dm-tools.yml*, and
*pytest-inference.yml* to use `python-version: '3.12'`
- Updated *aw-dependabot-pr-review.md* runtime version from `"3.11"` to
`"3.12"`

### Documentation

Seven documentation files referenced Python 3.11 in prerequisites
tables, setup instructions, or recipe descriptions.

- Updated **README.md** setup script description and prerequisites list
to reference Python 3.12
- Updated prerequisite tables in *docs/contributing/README.md*,
*docs/getting-started/README.md*, and *docs/recipes/README.md*
- Updated
*docs/recipes/data-collection/preparing-datasets-for-training.md*
prerequisites
- Updated *data-management/viewer/README.md* prerequisites and `uv venv`
command from `--python 3.11` to `--python 3.12`
- Updated
*data-management/specifications/viewer-deployment.specification.md*
backend base image from Python 3.11 to 3.12

### Agent and Skill Definitions

- Updated ruff **target-version** from `py311` to `py312` in
*dataviewer-developer.agent.md*
- Updated Python requirement from 3.11+ to 3.12+ in
*dataviewer/SKILL.md* and *osmo-lerobot-training/SKILL.md*
- Updated `uv venv` troubleshooting command in *dataviewer/SKILL.md*

### Issue Templates

- Added **3.12.x** to the Python version list in *00-general.md* and
*01-bug-report.yml* (preserves 3.11.x for backward compatibility)
- Replaced 3.11.x placeholder with **3.12.x** in *04-training-issue.yml*

## Related Issues

Closes #572
Related to #512

## Notes

- All 6 `pyproject.toml` files already declared `requires-python =
">=3.12"` — no package metadata changes were needed
- No Python source code was modified; changes are purely configuration
and documentation
- The general issue template preserves 3.11.x as a selectable version
for users reporting issues from older environments, while the
training-specific template enforces 3.12.x as the default
Labels

dependencies Dependency version updates python Pull requests that update python code
