chore(deps): bump the inference-dependencies group across 1 directory with 6 updates#525
Dependency Review: the following issues were found:
- Snapshot Warnings: ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
- License Issues: evaluation/pyproject.toml
OpenSSF Scorecard
Scanned Files
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
##             main     #525   +/-   ##
=======================================
  Coverage   65.07%   65.07%
=======================================
  Files         253      253
  Lines       15621    15621
  Branches     2087     2128   +41
=======================================
  Hits        10166    10166
  Misses       5165     5165
  Partials      290      290
@dependabot rebase
force-pushed 1d7658d to 761c964
@dependabot rebase
Bumps the inference-dependencies group with 6 updates in the /evaluation directory:

| Package | From | To |
| --- | --- | --- |
| [numpy](https://github.com/numpy/numpy) | `2.2.6` | `2.4.4` |
| [marshmallow](https://github.com/marshmallow-code/marshmallow) | `3.26.2` | `4.3.0` |
| [onnxscript](https://github.com/microsoft/onnxscript) | `0.6.2` | `0.7.0` |
| [torch](https://github.com/pytorch/pytorch) | `2.10.0` | `2.11.0` |
| [tensordict](https://github.com/pytorch/tensordict) | `0.12.1` | `0.12.2` |
| [lerobot](https://github.com/huggingface/lerobot) | `0.5.0` | `0.5.1` |

Updates `numpy` from 2.2.6 to 2.4.4
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.2.6...v2.4.4)

Updates `marshmallow` from 3.26.2 to 4.3.0
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@3.26.2...4.3.0)

Updates `onnxscript` from 0.6.2 to 0.7.0
- [Release notes](https://github.com/microsoft/onnxscript/releases)
- [Commits](microsoft/onnxscript@v0.6.2...v0.7.0)

Updates `torch` from 2.10.0 to 2.11.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.10.0...v2.11.0)

Updates `tensordict` from 0.12.1 to 0.12.2
- [Release notes](https://github.com/pytorch/tensordict/releases)
- [Commits](pytorch/tensordict@v0.12.1...v0.12.2)

Updates `lerobot` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/huggingface/lerobot/releases)
- [Commits](huggingface/lerobot@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: numpy
  dependency-version: 2.4.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
- dependency-name: marshmallow
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: inference-dependencies
- dependency-name: onnxscript
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
- dependency-name: torch
  dependency-version: 2.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
- dependency-name: tensordict
  dependency-version: 0.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: inference-dependencies
- dependency-name: lerobot
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: inference-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
force-pushed 761c964 to 79ccaef
✅ AW Dependabot PR Review completed successfully!
Advisory Review Summary
PR: chore(deps): bump the inference-dependencies group across 1 directory with 6 updates
Manifest: evaluation/pyproject.toml (pip ecosystem, /evaluation Dependabot entry)
Surfaces touched: python-runtime (evaluation/)
Advisory IDs found in PR body: None. CVE-2025-68480 identified from marshmallow changelog (security fix included in this upgrade path).
Ecosystems and surfaces:
python-runtime (pip/uv under evaluation/): 6 packages bumped
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| numpy | 2.2.6 | 2.4.4 | Low | python-runtime |
| marshmallow | 3.26.2 | 4.3.0 | Medium (major bump + CVE-2025-68480) | python-runtime |
| onnxscript | 0.6.2 | 0.7.0 | Low | python-runtime |
| torch | 2.10.0 | 2.11.0 | High (CUDA ABI + Volta GPU break) | python-runtime |
| tensordict | 0.12.1 | 0.12.2 | Low (ABI-sensitive, patch) | python-runtime |
| lerobot | 0.5.0 | 0.5.1 | Low | python-runtime |
numpy
Bump from 2.2.6 → 2.4.4 stays within the NumPy 2.x series. Releases 2.3.x and 2.4.x are patch/minor fixes: OpenBLAS threading on ARM, FNV-1a 64-bit hash fix, ufunc where=True warning. No ABI break expected across this range. Source: numpy 2.4.4 release notes.
Repo-specific note:
training/rl/pyproject.toml and training/il/lerobot/pyproject.toml pin numpy==1.26.4 (NumPy 1.x) and are NOT touched by this PR. No cross-surface ABI conflict introduced.
marshmallow
Major version bump 3.26.2 → 4.3.0. Source: marshmallow CHANGELOG.
Backwards-incompatible changes (4.0.0):
- `@validates`-decorated methods now receive `data_key` as a keyword argument.
- `fields.UUID` no longer subclasses `fields.String`.
- `from_iso_date`, `from_iso_time`, `from_iso_datetime`, `isoformat`, `to_iso_time`, `to_iso_datetime`, `from_rfc`, `rfcformat`, `is_keyed_tuple`, `get_fixed_timezone` removed from `marshmallow.utils`.
- `fields.Boolean` no longer serializes non-boolean values.
- Date/time deserialization now uses standard-library `fromisoformat`.
Security fix: CVE-2025-68480 was patched in marshmallow 4.1.2 — "Merge error store messages without rebuilding collections." Source: CHANGELOG.rst 4.1.2 entry. Note: this CVE is present only in the 4.x series; the 3.x line status is unconfirmed from available sources.
Validate with pytest in evaluation/ to catch any call sites that use removed utilities or rely on the old @validates positional signature.
onnxscript
Minor bump 0.6.2 → 0.7.0. New onnxscript.nn module, new GraphBuilder API, rewriter/optimizer bug fixes (BatchNorm+Conv fusion, DynamicQuantizeLinear constant-folding guard). No documented breaking changes. Source: onnxscript v0.7.0 release notes.
torch ⚠️ HIGH RISK
Minor version bump 2.10.0 → 2.11.0, but contains two backwards-incompatible CUDA changes. Source: PyTorch 2.11.0 release notes.
Breaking change 1 — PyPI wheels now bundle CUDA 13.0:
Starting with PyTorch 2.11, `pip install torch` installs CUDA 13.0 wheels on PyPI. Hosts with CUDA 12.x-only drivers will fail at runtime. Additionally, CUDA 13.0 supports only Turing (SM 7.5) and newer on Linux x86_64 — Maxwell and Pascal GPUs are unsupported.
Use `--index-url` (download.pytorch.org/redacted) for CUDA 12.8, or `cu126` for CUDA 12.6.
Breaking change 2 — Volta (SM 7.0 / V100) support removed from CUDA 12.8 and 12.9 builds:
If evaluation nodes run V100 GPUs with CUDA 12.8+, those nodes will fail. Use CUDA 12.6 builds or build from source with `TORCH_CUDA_ARCH_LIST` including `7.0`.
Repo-specific risk: The evaluation surface uses onnxruntime-gpu==1.24.4 alongside torch. Verify CUDA 13.0 compatibility of onnxruntime-gpu before merging. Run the RL/evaluation GPU smoke test.
tensordict
Patch release 0.12.1 → 0.12.2 (ABI-sensitive surface). Fixes _ragged_idx loss during consolidation of nested tensors — could cause numerical incorrectness in multi-dimensional ragged tensors. No breaking API changes. Source: TensorDict v0.12.2 release notes.
lerobot
Patch release 0.5.0 → 0.5.1. Minor fixes (SDK detection, documentation). No breaking changes. Source: lerobot 0.5.1 release.
Lockfile note
evaluation/uv.lock exists alongside evaluation/pyproject.toml. This PR (pip ecosystem) updates only pyproject.toml version pins; uv.lock is not regenerated. Run uv lock in evaluation/ after merging to keep the lockfile consistent, or confirm that CI regenerates it automatically.
Uncovered manifest note
training/il/lerobot/pyproject.toml contains pinned dependencies (including numpy==1.26.4, torch, and lerobot) but has no corresponding Dependabot entry in .github/dependabot.yml. Consider adding a pip or uv entry for /training/il/lerobot to keep that manifest under automated update coverage.
Advisory verdict: COMMENT — torch 2.11.0 introduces backwards-incompatible CUDA architecture changes (CUDA 13.0 default on PyPI, Volta GPU support removed from CUDA 12.8+ builds) that require validation against the evaluation cluster's GPU hardware and driver stack before merging.
Note: 🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #525 (pull_request_read): has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
    tools:
      github:
        min-integrity: approved # merged | approved | unapproved | none
Generated by AW Dependabot PR Review for issue #525
| "torch==2.10.0", | ||
| "tensordict==0.12.1", | ||
| "lerobot==0.5.0", | ||
| "torch==2.11.0", |
⚠️ torch 2.10.0 → 2.11.0 — CUDA breaking changes
Two backwards-incompatible GPU changes in this release (full release notes):
- PyPI wheels now bundle CUDA 13.0 (`pip install torch` on PyPI now installs CUDA 13.0 wheels instead of CUDA 12.x). Hosts with only CUDA 12.x drivers will fail to load the installed wheel. Use `--index-url` (download.pytorch.org/redacted) to pin CUDA 12.8, or `cu126` for CUDA 12.6.
- Volta (SM 7.0 / V100) support removed from CUDA 12.8 and 12.9 builds. If any evaluation node runs on V100 GPUs and uses CUDA 12.8+, those nodes will fail. Use the CUDA 12.6 build URL (`cu126`) to retain V100 support.
Recommended: Verify the CUDA driver version and GPU architecture of evaluation nodes before merging. Run ruff check and a GPU smoke test via the owning package's test suite.
| "azure-identity==1.25.3", | ||
| "azure-ai-ml==1.32.0", | ||
| "marshmallow==3.26.2", | ||
| "marshmallow==4.3.0", |
⚠️ marshmallow 3.26.2 → 4.3.0 — major-version breaking changes
Source: marshmallow CHANGELOG (4.0.0 entry — see "upgrading_4_0").
Key backwards-incompatible changes since 3.x:
- `@validates`-decorated methods now receive `data_key` as a keyword argument (was positional).
- `fields.UUID` no longer subclasses `fields.String`.
- `Schema.load()` no longer silently skips schema validators when a generator is passed.
- `from_iso_date`, `from_iso_time`, `from_iso_datetime`, `isoformat`, `to_iso_time`, `to_iso_datetime`, `from_rfc`, `rfcformat`, `is_keyed_tuple`, `get_fixed_timezone` removed from `marshmallow.utils`.
- `fields.Boolean` no longer serializes non-boolean values.
- Date/time deserialization now uses the standard-library `fromisoformat` methods.
- Security fix included: CVE-2025-68480 was fixed in marshmallow 4.1.2 (merged error store message handling). Source: CHANGELOG.rst 4.1.2 entry.
If any evaluation code calls the removed utility functions or relies on the old @validates signature, it will raise at runtime.
| requires-python = ">=3.12" | ||
| dependencies = [ | ||
| "numpy==2.2.6", | ||
| "numpy==2.4.4", |
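Review bot: this hunk moves the exact pins in evaluation/pyproject.toml, but no change to evaluation/uv.lock is part of the PR, so an install driven by the lockfile will keep resolving the previous versions until `uv lock` is rerun in evaluation/. Either include the regenerated uv.lock in this PR or have CI fail when the lock is out of date with the pins.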
numpy 2.2.6 → 2.4.4 — ABI-sensitive, stays within 2.x
Surface: python-runtime (ABI-sensitive per rubric). Source: numpy 2.4.4 release notes.
This bump stays within the NumPy 2.x series (2.2 → 2.4); no ABI break is expected between these minor versions. The 2.4.x releases are patch-level fixes: OpenBLAS threading on ARM (issue #30816), FNV-1a 64-bit hash fix, ufunc where=True warning.
Note: training/rl/pyproject.toml and training/il/lerobot/pyproject.toml both pin numpy==1.26.4 (NumPy 1.x). Those surfaces are not touched by this PR, so there is no cross-surface numpy ABI conflict introduced here. Validate with ruff check and targeted pytest in evaluation/.
| "tensordict==0.12.1", | ||
| "lerobot==0.5.0", | ||
| "torch==2.11.0", | ||
| "tensordict==0.12.2", |
tensordict 0.12.1 → 0.12.2 — ABI-sensitive patch release
Surface: python-runtime (ABI-sensitive per rubric). Source: TensorDict v0.12.2 release notes.
Patch release: fixes _ragged_idx loss during consolidation of nested tensors, which caused numerical incorrectness when the nested tensor had more than 2 dimensions and ragged_idx != 1. No breaking API changes. Low risk on its own, but should be validated alongside the torch==2.11.0 bump since both affect GPU tensor operations.
| "pyperclip==1.11.0", | ||
| "onnx==1.21.0", | ||
| "onnxscript==0.6.2", | ||
| "onnxscript==0.7.0", |
onnxscript 0.6.2 → 0.7.0 — minor bump, new GraphBuilder API
Source: onnxscript v0.7.0 release notes.
Notable additions: new onnxscript.nn module (Module, Parameter, Sequential), new GraphBuilder API for programmatic ONNX graph construction, rewriter/optimizer improvements (commutative-ops expansion, BatchNorm+Conv fusion fixes, DynamicQuantizeLinear constant-folding guard). No documented breaking changes. Low risk for this surface.
Looks like these dependencies are updatable in another way, so this is no longer needed.
Updates numpy from 2.2.6 to 2.4.4
Release notes: sourced from numpy's releases. ... (truncated)
Changelog: sourced from numpy's changelog. ... (truncated)
Commits:
- be93fe2 Merge pull request #31090 from charris/prepare-2.4.4
- f5245dc REL: Prepare for the NumPy 2.4.4 release
- 02e838b Merge pull request #31084 from charris/backport-31056
- fa74b2d MAINT: numpy.i: Replace deprecated `sprintf` with `snprintf` (#31056)
- 533a6db Merge pull request #31079 from charris/backport-20801
- 9e496cb TST: fix POWER VSX feature mapping (#30801)
- 8052c4b Merge pull request #31058 from charris/backport-31021
- 7f13b5a MAINT: Skip test on PyPy.
- 4c5fdd6 MAINT: Remove unused import of tracemalloc.
- a3ca5ed Update numpy/_core/src/multiarray/shape.c

Updates marshmallow from 3.26.2 to 4.3.0
Changelog: sourced from marshmallow's changelog. ... (truncated)
Commits:
- b596fdb Bump version and update changelog
- 256f0aa Add pre/post_load parameters to Field (#2799)
- c847ad4 Typing improvements to marshmallow.validate (#2940)
- eb86322 Remove redundant docs job (#2939)
- a44ad62 Avoid infinite recursion in nesting docs (#2938)
- 3360e34 Bump version and update changelog
- 7b9ce45 Fix changelog typos and update releasing docs
- f07eadc Fix validate.Email to accept IDNs (#2937)
- 4acb783 Fix Unreachable Warning (#2935)
- 3492fae Remove redundant python-version (#2932)

Updates onnxscript from 0.6.2 to 0.7.0
Release notes: sourced from onnxscript's releases. ... (truncated)
Commits:
- df97c94 Add an option to not inline a function when building the graph (#2851)
- 90f754a chore(deps): bump actions/upload-pages-artifact from 4 to 5 (#2895)
- b068297 Bumped version to 0.7.0 (#2894)
- c8f5f6a Make GraphBuilder.init use keyword-only args after graph (#2893)
- c6e8ec6 Handling initializers in GraphBuilder (#2889)
- 63ffecf fix: normalize cache key dtype to prevent initializer name collisions (#2888)
- 13f265c fix(fuse_batchnorm): support convtranpose + bn fusion with group != 1 (#2879)
- 6c092e2 Add fusion rule to remove Expand before broadcast-capable binary operators (#...
- c7d13fb Add input() and add_output() methods to GraphBuilder (#2828)
- 864b785 Fix BatchNorm fusion producing invalid ONNX when Conv nodes share weight init...

Updates torch from 2.10.0 to 2.11.0
Release notes: sourced from torch's releases. ... (truncated)
Commits:
- 70d99e9 [release only] Increase timeout for rocm libtorch and manywheel builds (#178006)
- 3e05c5a [MPS] Properly handle conjugated tensors in bmm (#178010)
- db741c7 [MPS] fix compiling of SDPA producing nan results (#178009)
- 483b55d Update pytorch_sphinx_theme2 version to 0.4.6 (#177616)
- 7f2cdeb [windows][smoke test] Add an option to install cuda if required cuda/cudnn on...
- 76fd078 [release-only] Fix libtorch builds. Fix lint (#177299)
- fa384de [Inductor][MPS] Fix half-precision type mismatches in Metal shader codegen (#...
- 036b25f Let stable::from_blob accept a lambda as deleter (cherry-pick) (#176440)
- 41f8e3e [CI] Stop using G3 runners (#177161)
- e2fa295 [CD] Unpin cuda-bindings dependencies (#177159)

Updates tensordict from 0.12.1 to 0.12.2
Release notes: sourced from tensordict's releases.
Commits:
- 8ee33fa [Release] Bump version to 0.12.2
- dcb6ddd [BugFix] fix ragged_idx of consolidated tensor (#1675)
- 85ea4e7 [CI] Temporarily use vmoens/test-infra fork for macOS builds

Updates lerobot from 0.5.0 to 0.5.1
Release notes: sourced from lerobot's releases. ... (truncated)
Commits:
- 1396b9f 🔒 Pin GitHub Actions to commit SHAs (#3265)
- 7c032f1 feat(dataset): registering torchvision transforms (#3153)
- e2f27bf Fix lerobot_train script without interpolation (#3281)
- ea36a4a chore(docs): new badge for readme (#3303)
- 399b3c9 chore(dependencies): update uv.lock (#3302)
- 913041e fix(ci): latest deps tests permissions (#3296)
- 2b541dd docs(ci): add readme for dockerfile (#3295)
- 50a1e67 feat(ci): add `uv.lock` (#3292)
- d60a700 chore(policy): multi dit docs (#3285)
- 8c3d4cf chore(docs): no policy readme in src code (#3286)