Skip to content

security(deps): bump the inference-dependencies group across 1 directory with 10 updates #544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
+12 −12
Closed

security(deps): bump the inference-dependencies group across 1 directory with 10 updates #544

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 12 additions & 12 deletions evaluation/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,25 @@ version = "0.1.0"
description = "Evaluation workflow runtime dependencies"
requires-python = ">=3.12"
dependencies = [
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lock file not updated. This PR modifies evaluation/pyproject.toml but the corresponding evaluation/uv.lock is not included in the diff. After merge, running uv sync in the evaluation/ directory will regenerate the lock file. CI that relies on the lock file for reproducible installs should regenerate and commit it, or the environment may still install the old pinned versions until the lock is refreshed.

"numpy==2.2.6",
"numpy==2.4.4",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ABI note — numpy 2.2.6 → 2.4.4 (within 2.x series). The jump crosses numpy 2.3 and 2.4 minor releases. Both are bug-fix/maintenance series with no known CUDA ABI break, and 2.4.4 specifically resolves an OpenBLAS threading issue on ARM (numpy#30816).

Cross-surface divergence: training/rl/pyproject.toml still pins numpy==1.26.4 (1.x series). Any shared evaluation–training code that imports numpy needs to be compatible with both 1.26.x and 2.4.x. The 2.x C API breaks ABI with 1.x extension modules — confirm no shared Cython/C extension code bridges both environments.

Validation: ruff check evaluation/ plus pytest evaluation/.

"azure-core==1.39.0",
"azure-storage-blob==12.28.0",
"azure-identity==1.25.3",
"azure-ai-ml==1.32.0",
"marshmallow==3.26.2",
"marshmallow==4.3.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Major version bump: marshmallow 3.26.2 → 4.3.0. marshmallow 4.0 removed APIs deprecated in the 3.x series (e.g. Schema.Meta.fields/additional unification, @post_load(pass_many=True), marshmallow.compat module, and behaviour changes in Schema.load()/dump() error handling). Any code in evaluation/ that uses marshmallow 3.x patterns will need to be audited against the [marshmallow 4.0 migration guide]((marshmallow.readthedocs.io/redacted)

Note: training/rl/pyproject.toml still pins marshmallow==3.26.2 — the two surfaces now use incompatible major versions. Ensure any shared serialisation helpers are tested with both.

"mlflow==3.11.1",
"packaging==25.0",
"packaging==26.1",
"psutil==7.2.2",
"pynvml==13.0.1",
"pyperclip==1.11.0",
"onnx==1.21.0",
"onnxscript==0.6.2",
"onnxruntime-gpu==1.24.4",
"onnxscript==0.7.0",
"onnxruntime-gpu==1.25.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ CUDA minimum version raised to 12.0onnxruntime-gpu 1.25.0 drops support for CUDA 11.x. Any environment (CI, GPU nodes, Isaac Sim host) that is still pinned to a CUDA 11.x driver will fail at inference time. Verify that all GPU compute environments have been upgraded to CUDA ≥ 12.0 before merging.

Additionally, this release notes the fix for CVE-2026-27904 (via minimatch 3.1.2 → 3.1.4 upgrade in the ORT JS toolchain — see microsoft/onnxruntime#27667). This CVE affects the JavaScript/build toolchain component of ORT, not the Python runtime path; Python users of the prebuilt wheel are not exposed at runtime.

Source: onnxruntime v1.25.0 release notes

"toml==0.10.2",
"gymnasium==1.2.3",
"torch==2.10.0",
"tensordict==0.12.1",
"lerobot==0.5.0",
"gymnasium==1.3.0",
"torch==2.11.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

torch 2.10.0 → 2.11.0 — minor version, but PyTorch minor releases routinely include backwards-incompatible changes. The PyTorch 2.11.0 release notes list a "Backwards Incompatible Changes" section (see release engineering and Security sub-sections). Verify evaluation/ GPU-accelerated inference paths (e.g. sil/, metrics/) against those changes before merging to a GPU fleet.

tensordict 0.12.1 → 0.12.2 is a patch bump aligned to this torch minor; no breaking changes expected.

"tensordict==0.12.2",
"lerobot==0.5.1",
]

[build-system]
Expand All @@ -37,10 +37,10 @@ dev = [
"pytest==9.0.3",
"pytest-mock==3.15.1",
"pytest-cov==7.1.0",
"hypothesis==6.151.13",
"hypothesis==6.152.1",
"matplotlib==3.10.8",
"numpy==2.2.6",
"torch==2.10.0",
"numpy==2.4.4",
"torch==2.11.0",
]

[tool.pytest.ini_options]
Expand Down
Loading