Skip to content

security(deps): bump the inference-dependencies group across 1 directory with 8 updates #539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
Closed

security(deps): bump the inference-dependencies group across 1 directory with 8 updates #539

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions evaluation/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,25 @@ version = "0.1.0"
description = "Evaluation workflow runtime dependencies"
requires-python = ">=3.12"
dependencies = [
"numpy==2.2.6",
"numpy==2.4.4",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

numpy 2.2.6 → 2.4.4 — cross-minor jump on ABI-sensitive surface

This bump skips the entire 2.3.x series and lands on 2.4.4. NumPy 2.x introduced C-ABI breaking changes (NEP 47/50). The 2.4.x branch supports Python 3.11–3.14 and includes fixes for OpenBLAS threading on ARM (issue #30816) — no security advisories found.

Risk: onnxruntime-gpu==1.24.4 is pinned alongside this and is CUDA/ABI-sensitive. Verify onnxruntime-gpu built against numpy 2.x ABI is compatible with numpy 2.4. Run pytest evaluation/tests/ on a GPU node before merging.

Source: NumPy 2.4.4 release notes

"azure-core==1.39.0",
"azure-storage-blob==12.28.0",
"azure-identity==1.25.3",
"azure-ai-ml==1.32.0",
"marshmallow==3.26.2",
"marshmallow==4.3.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Major version bump — marshmallow 3.26.2 → 4.3.0

marshmallow crossed a major version boundary (3 → 4). The 4.x line removed several deprecated 3.x APIs:

  • missing and default field arguments have changed semantics (see marshmallow 4.0.0 changelog).
  • fields.Number and fields.Mapping are now abstract base classes and cannot be used directly in schemas.
  • post_load(pass_many=True) and other decorator behaviors have breaking-change semantics in 4.x.

No Python files in evaluation/ directly import marshmallow, suggesting it is consumed indirectly via mlflow==3.11.1 or azure-ai-ml==1.32.0. Verify that those pinned versions support marshmallow 4.x before merging.

Validation: ruff check evaluation/ && pytest evaluation/tests/ against the new lockfile.

"mlflow==3.11.1",
"packaging==25.0",
"packaging==26.1",
"psutil==7.2.2",
"pynvml==13.0.1",
"pyperclip==1.11.0",
"onnx==1.21.0",
"onnxscript==0.6.2",
"onnxscript==0.7.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

onnxscript 0.6.2 → 0.7.0 — pre-1.0 minor bump

onnxscript is a pre-1.0 package; minor version increments may include breaking API changes per semantic versioning conventions for unstable packages. No GHSA/CVE advisories were found.

Changelog: microsoft/onnxscript releases. Verify that any onnxscript API usage in the evaluation codebase is not affected by 0.7.0 changes.

"onnxruntime-gpu==1.24.4",
"toml==0.10.2",
"gymnasium==1.2.3",
"torch==2.10.0",
"tensordict==0.12.1",
"lerobot==0.5.0",
"torch==2.11.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

torch 2.10.0 → 2.11.0 — check onnxruntime-gpu ABI compatibility

Minor version bump for PyTorch on the python-runtime surface. PyTorch and onnxruntime-gpu share CUDA runtime libraries; mismatched CUDA minor expectations can cause silent ABI failures at inference time.

onnxruntime-gpu==1.24.4 (line 20) is not being bumped in this PR — confirm that onnxruntime-gpu 1.24.4 lists torch 2.11.x in its supported matrix. Validate with a SIL smoke run of evaluation/sil/policy_runner.py on GPU hardware after merging.

No security advisories identified for this bump.

"tensordict==0.12.2",
"lerobot==0.5.1",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lerobot 0.5.0 → 0.5.1 — pre-1.0 patch bump

Patch release in a pre-1.0 package. Low risk, but confirm this version is compatible with the torch==2.11.0 being co-bumped in this PR (lerobot depends on torch).

Source: huggingface/lerobot releases

]

[build-system]
Expand All @@ -37,10 +37,10 @@ dev = [
"pytest==9.0.3",
"pytest-mock==3.15.1",
"pytest-cov==7.1.0",
"hypothesis==6.151.13",
"hypothesis==6.152.1",
"matplotlib==3.10.8",
"numpy==2.2.6",
"torch==2.10.0",
"numpy==2.4.4",
"torch==2.11.0",
]

[tool.pytest.ini_options]
Expand Down
Loading