chore(deps): bump the dataviewer-backend-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the dataviewer-backend-dependencies group with 5 updates in the /data-management/viewer/backend directory:

Package	From	To
fastapi	0.135.3	0.136.0
pydantic	2.13.1	2.13.2
ruff	0.15.10	0.15.11
huggingface-hub	1.10.2	1.11.0
ultralytics	8.4.37	8.4.39

Updates fastapi from 0.135.3 to 0.136.0

Release notes

Sourced from fastapi's releases.

0.136.0

Upgrades

• ⬆️ Support free-threaded Python 3.14t. PR #15149 by @​svlandeg.

0.135.4

Refactors

• 🔥 Remove April Fool's @app.vibe() 🤪. PR #15363 by @​tiangolo.

Internal

• ⬆ Bump cryptography from 46.0.5 to 46.0.7. PR #15314 by @​dependabot[bot].
• ⬆ Bump strawberry-graphql from 0.307.1 to 0.312.3. PR #15309 by @​dependabot[bot].
• 🔨 Add pre-commit hook to ensure latest release header has date. PR #15293 by @​YuriiMotov.

Commits

• 708606c 🔖 Release version 0.136.0
• 13be6a3 📝 Update release notes
• 4b26487 ⬆️ Support free-threaded Python 3.14t (#15149)
• f796c34 🔖 Release version 0.135.4
• 09d1d1c 📝 Update release notes
• ae4e45c 🔥 Remove April Fool's @app.vibe() 🤪 (#15363)
• 9653034 📝 Update release notes
• 6f9a102 ⬆ Bump cryptography from 46.0.5 to 46.0.7 (#15314)
• eba8942 📝 Update release notes
• 77d080c ⬆ Bump strawberry-graphql from 0.307.1 to 0.312.3 (#15309)
• Additional commits viewable in compare view

Updates pydantic from 2.13.1 to 2.13.2

Release notes

Sourced from pydantic's releases.

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

Changelog

Sourced from pydantic's changelog.

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Commits

• ca3ddd1 Prepare release v2.13.2
• 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
• See full diff in compare view

Updates ruff from 0.15.10 to 0.15.11

Release notes

Sourced from ruff's releases.

0.15.11

Release Notes

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#24666)
• Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

Install ruff 0.15.11

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.ps1 | iex"

Download ruff 0.15.11

File	Platform	Checksum
ruff-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ruff-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
ruff-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
ruff-i686-pc-windows-msvc.zip	x86 Windows	checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.11

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#24666)
• Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

Commits

• 53554b1 Bump 0.15.11 (#24678)
• 08c56c8 Factor out the mdtest crate (#24616)
• 725fbb7 [ty] Use partially qualified names when reporting diagnostics regarding bad c...
• ddd6a30 [ty] Do not suggest argument completion when at value of keyword argument (#2...
• 9282e61 Disallow @​disjoint_base on TypedDicts and Protocols (#24671)
• e9986d8 [ty] Reject using properties with Never setters or deleters (#24510)
• 9cf212f [ty] Normalize property setter and deleter wrappers (#24509)
• 12a1589 Add override mention to ASYNC109 docs (#24666)
• dccb03d [ty] Avoid panicking on overloaded Callable type context (#24661)
• 61f9a0a [ty] Sync vendored typeshed stubs (#24646)
• Additional commits viewable in compare view

Updates huggingface-hub from 1.10.2 to 1.11.0

Release notes

Sourced from huggingface-hub's releases.

[v1.11.0] Semantic Spaces search, Space logs, and more

🔍 Semantic search for Spaces

Discover Spaces using natural language. The new search_spaces() API and hf spaces search CLI use embedding-based semantic search to find relevant Spaces based on what they do - not just keyword matching on their name.

>>> from huggingface_hub import search_spaces
>>> results = search_spaces("remove background from photo")
>>> for space in results:
...     print(f"{space.id} (score: {space.score:.2f})")
briaai/BRIA-RMBG-1.4 (score: 0.87)

The same capability is available in the CLI:

$ hf spaces search "remove background from photo" --limit 3
ID                           TITLE                 SDK    LIKES STAGE   CATEGORY           SCORE
---------------------------- --------------------- ------ ----- ------- ------------------ -----
not-lain/background-removal  Background Removal    gradio 2794  RUNNING Image Editing      0.85 
briaai/BRIA-RMBG-2.0         BRIA RMBG 2.0         gradio 918   RUNNING Background Removal 0.84 
Xenova/remove-background-web Remove Background Web static 739   RUNNING Background Removal 0.81 
Hint: Use --description to show AI-generated descriptions.
Filter by SDK, get JSON with descriptions
$ hf spaces search "chatbot" --sdk gradio --description --json --limit 1 | jq
[
{
"id": "BarBar288/Chatbot",
"title": "Chatbot",
"sdk": "gradio",
"likes": 4,
"stage": "RUNNING",
"category": "Other",
"score": 0.5,
"description": "Perform various AI tasks like chat, image generation, and text-to-speech"
}
]

• Add hf spaces command with semantic search by @​Wauplin in #4094

📜 Programmatic access to Space logs

When a Space fails to build or crashes at runtime, you can now retrieve the logs programmatically — no need to open the browser. This is particularly useful for agentic workflows that need to debug Space failures autonomously.

>>> from huggingface_hub import fetch_space_logs
</tr></table>

... (truncated)

Commits

• 6ae4175 Release: v1.11.0
• 5524921 Release: v1.11.0.rc0
• 26d7886 Deprecate model_name in favor of search in list_models (#4112)
• f6b3dbe [CLI] Clarify that -v/--volume accepts multiple volumes (#4113)
• b7ed360 [Spaces] Add fetch_space_logs + hf spaces logs command (#4091)
• 6cace2b [CLI] Add hf spaces volumes commands (#4109)
• 0cbf4dc [Internal] Update AGENTS.md (#4110)
• b3a8eb5 [CLI] Add hf spaces search command with semantic search (#4094)
• d6f252c [docs] Promote manage-spaces walkthrough steps to H3 (#4108)
• 52e6adb [CLI] Add hf auth token command (#4104)
• Additional commits viewable in compare view

Updates ultralytics from 8.4.37 to 8.4.39

Commits

• d86cb96 ultralytics 8.4.39 Use dashed incremented run paths (#24193)
• b50af59 Clarify 4-role rbac availability on pro plan (#24263)
• 426bab3 Correct AP data region label from Hong Kong to Taiwan (#24264)
• 4b5c458 Docs: remove explorer references, redirect to ultralytics platform (#24262)
• fdddfc4 Fix integrations docs drift for neptune and mlflow (#24259)
• f4d0fda Harden retry behavior in docker and links workflows (#24261)
• 4912cff Fix in-place obb gt_bboxes modification in RotatedTaskAlignedAssigner (#2...
• 08612af Add supported model variants note to sony-imx500 integration page (#24248)
• 0579ac7 Add CLI parity for region, security, and parking solutions (#24251)
• d93fb45 Fix redirected URLs (#24255)
• Additional commits viewable in compare view

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c0ff8e0.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/backend/uv.lock

Package	Version	License	Issue Type
fastapi	0.136.0	Null	Unknown License
pydantic	2.13.2	Null	Unknown License
ruff	0.15.11	Null	Unknown License
ultralytics	8.4.39	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/fastapi	0.136.0	Unknown	Unknown
pip/huggingface-hub	1.11.0	🟢 6.2	Details Check Score Reason Code-Review 🟢 8 Found 25/29 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 10 SAST tool is run on all commits
pip/pydantic	2.13.2	Unknown	Unknown
pip/pydantic-core	2.46.2	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/ruff	0.15.11	Unknown	Unknown
pip/ultralytics	8.4.39	Unknown	Unknown

Scanned Files

• data-management/viewer/backend/uv.lock

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.19%. Comparing base (109ee81) to head (c0ff8e0).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #516   +/-   ##
=======================================
  Coverage   65.19%   65.19%           
=======================================
  Files         254      254           
  Lines       15804    15804           
  Branches     2070     2070           
=======================================
  Hits        10303    10303           
  Misses       5212     5212           
  Partials      289      289           

Flag	Coverage Δ
pester	81.11% <ø> (ø)
pytest	92.40% <ø> (ø)
pytest-dataviewer	65.12% <ø> (ø)
pytest-fuzz	1.56% <ø> (ø)
vitest	51.77% <ø> (ø)

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[katriendg]

@dependabot rebase