security(deps): bump the dataviewer-dependencies group in /data-management/viewer with 6 updates#565
Bumps the dataviewer-dependencies group in /data-management/viewer with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.0` | `0.136.1` |
| [uvicorn[standard]](https://github.com/Kludex/uvicorn) | `0.44.0` | `0.46.0` |
| [pyarrow](https://github.com/apache/arrow) | `23.0.1` | `24.0.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.11` | `0.15.12` |
| [huggingface-hub](https://github.com/huggingface/huggingface_hub) | `1.11.0` | `1.12.0` |
| [ultralytics](https://github.com/ultralytics/ultralytics) | `8.4.40` | `8.4.41` |

Updates `fastapi` from 0.136.0 to 0.136.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.0...0.136.1)

Updates `uvicorn[standard]` from 0.44.0 to 0.46.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.44.0...0.46.0)

Updates `pyarrow` from 23.0.1 to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-23.0.1...apache-arrow-24.0.0)

Updates `ruff` from 0.15.11 to 0.15.12
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.11...0.15.12)

Updates `huggingface-hub` from 1.11.0 to 1.12.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.11.0...v1.12.0)

Updates `ultralytics` from 8.4.40 to 8.4.41
- [Release notes](https://github.com/ultralytics/ultralytics/releases)
- [Commits](ultralytics/ultralytics@v8.4.40...v8.4.41)

```yaml
---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.136.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
- dependency-name: uvicorn[standard]
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-dependencies
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dataviewer-dependencies
- dependency-name: ruff
  dependency-version: 0.15.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
- dependency-name: huggingface-hub
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-dependencies
- dependency-name: ultralytics
  dependency-version: 8.4.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
...
```

Signed-off-by: dependabot[bot] <support@github.com>
Dependency Review: The following issues were found:
- Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
- License Issues: data-management/viewer/uv.lock
- OpenSSF Scorecard
- Scanned Files

✅ AW Dependabot PR Review completed successfully!
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main     #565      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%
==========================================
  Files         250      262      +12
  Lines       15409    16639    +1230
  Branches     2163     2260      +97
==========================================
+ Hits         9848    11076    +1228
  Misses       5274     5274
- Partials      287      289       +2
```

This pull request uses carry forward flags.
Advisory Review Summary
This grouped Dependabot PR bumps 6 packages in the python-runtime surface (uv/pip under data-management/viewer/). No explicit GHSA or CVE identifiers were found in the PR body despite the security(deps): title prefix — Dependabot may have triggered the security classification from an advisory in one of the packages that was not explicitly linked.
Files changed:
- data-management/viewer/pyproject.toml (manifest — direct deps and optional extras)
- data-management/viewer/uv.lock (lockfile — transitive pins)
Ecosystems / surfaces touched:
- python-runtime — uv/pip under data-management/viewer/
Package Table
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| fastapi | 0.136.0 | 0.136.1 | No advisory found | python-runtime |
| uvicorn[standard] | 0.44.0 | 0.46.0 | No advisory found | python-runtime |
| pyarrow | 23.0.1 | 24.0.0 | | python-runtime |
| ruff | 0.15.11 | 0.15.12 | No advisory found | python-runtime (dev) |
| huggingface-hub | 1.11.0 | 1.12.0 | No advisory found | python-runtime |
| ultralytics | 8.4.40 | 8.4.41 | No advisory found | python-runtime |
fastapi
0.136.0 → 0.136.1 (patch) — No advisory identifiers found in this PR. The release notes (sourced from the PR body itself) describe Pydantic v2 deprecation addressing and internal tooling updates only. No breaking changes reported.
"⬆️ Update Pydantic v2 code to address deprecations." — fastapi 0.136.1 release
Repo-specific risk: Low. Patch bump with no API surface changes.
uvicorn[standard]
0.44.0 → 0.46.0 (minor, skips 0.45.x) — No advisory identifiers found. Two minor versions are skipped. The uvicorn changelog at https://github.com/encode/uvicorn/releases should be reviewed for any behavioural changes to the ASGI lifespan, HTTP/1.1 handling, or [standard] extras (e.g. websockets, httptools, watchfiles).
Repo-specific risk: Low–Medium. Skipped minor version warrants changelog review before merge.
pyarrow
23.0.1 → 24.0.0 (MAJOR) — pyarrow is listed as an ABI-sensitive package in the python-runtime surface rubric. A major version bump may introduce Cython/C-extension ABI changes, dataset/IPC format updates, or API removals that affect pandas, scipy, or opencv interop inside the viewer.
No GHSA or CVE record was found in this PR body; however, the security(deps): prefix suggests Dependabot may have matched an advisory. Verify against:
- GitHub Advisory Database: https://github.com/advisories?query=pyarrow
- OSV: (osv.dev/redacted)
- Apache Arrow 24.0.0 release notes: https://github.com/apache/arrow/releases/tag/apache-arrow-24.0.0
Validation advice: Run ruff check and the full pytest suite under data-management/viewer/ on a representative dataset before merging.
ruff
0.15.11 → 0.15.12 (patch, dev-only) — Dev dependency only ([project.optional-dependencies] dev). Patch bump of the linter. No runtime impact. No advisory found. Release notes: https://github.com/astral-sh/ruff/releases/tag/0.15.12
Repo-specific risk: Negligible.
huggingface-hub
1.11.0 → 1.12.0 (minor) — Optional extras group (huggingface). No advisory identifiers found. Minor bump; verify any hub client code in the viewer backend is compatible. Release notes: https://github.com/huggingface/huggingface_hub/releases/tag/v1.12.0
Repo-specific risk: Low.
ultralytics
8.4.40 → 8.4.41 (patch, yolo extra) — Optional extras group (yolo). Patch bump of the YOLO inference library. No advisory found. Release notes: https://github.com/ultralytics/ultralytics/releases/tag/v8.4.41
Repo-specific risk: Low.
Advisory verdict: COMMENT — The pyarrow major version bump (23.0.1 → 24.0.0) is a high-risk ABI-sensitive change under the python-runtime surface rubric, requiring maintainer validation before merge.
Note: 🔒 Integrity filter blocked 1 item. The following item was blocked because it doesn't meet the GitHub integrity level.
- #565 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```

Generated by AW Dependabot PR Review for issue #565 · ● 918.5K
❌ AW Dependabot PR Review failed. Please review the logs for details.
Advisory Review Summary
Affected ecosystems and surfaces: python-runtime (uv/pip — data-management/viewer/pyproject.toml + uv.lock)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| fastapi | 0.136.0 | 0.136.1 | None detected | python-runtime |
| uvicorn[standard] | 0.44.0 | 0.46.0 | None detected | python-runtime |
| pyarrow | 23.0.1 | 24.0.0 | | python-runtime |
| ruff | 0.15.11 | 0.15.12 | None detected | python-runtime (dev) |
| huggingface-hub | 1.11.0 | 1.12.0 | None detected | python-runtime |
| ultralytics | 8.4.40 | 8.4.41 | None detected | python-runtime |
Advisory note: No GHSA or CVE IDs were found in the PR body. External advisory APIs (GitHub Advisory Database, OSV.dev, NVD) were unreachable from this environment. The security(deps) title indicates Dependabot linked an advisory; maintainers should confirm the specific identifier via GitHub Advisories for pyarrow before merging.
fastapi
- Version change: 0.136.0 → 0.136.1 (patch)
- Release notes (fastapi/releases): ⬆️ Update Pydantic v2 code to address deprecations — PR #15101 by @svlandeg
- Risk: Low. Patch update addressing deprecation warnings; no breaking changes expected.

uvicorn[standard]
- Version change: 0.44.0 → 0.46.0 (minor; skips 0.45.x series)
- Release notes: See encode/uvicorn changelog and releases.
- Risk: Low. Skipping a minor series is worth confirming via the changelog for any HTTP/1.1, WebSocket, or lifespan handler changes that could affect the viewer backend API.

pyarrow ⚠️
- Version change: 23.0.1 → 24.0.0 (MAJOR version bump)
- Advisory: No GHSA/CVE ID found in PR body; advisory APIs unavailable. See GitHub Advisories — pyarrow and the Apache Arrow 24.0.0 release notes (arrow.apache.org/redacted) for the full changelog.
- Risk: HIGH. `pyarrow` is explicitly listed in the python-runtime surface high-risk triggers. Apache Arrow major versions introduce:
  - C++ ABI changes that break IPC serialisation between processes
  - Breaking Dataset and Parquet reader API changes
  - Compatibility shifts with co-installed `pandas`, `numpy`, and `scipy` (all present in this manifest at `numpy==2.4.4`, `scipy==1.17.1`, `pandas==3.0.2`)
  - Potential ABI conflicts with `opencv-python-headless==4.13.0.92` (also in this manifest)
- Validation required: Run `ruff check` and `pytest` in data-management/viewer/backend/ on a GPU/CPU node before merging.

ruff
- Version change: 0.15.11 → 0.15.12 (patch)
- Risk: Low. Dev-only linting tool; no runtime impact.

huggingface-hub
- Version change: 1.11.0 → 1.12.0 (minor)
- Release notes (huggingface_hub/releases): [Buckets] New `search` param for `list_buckets`; CLI migration to singleton; add draft generation to release workflow; download sync optimisations.
- Risk: Low. Additive feature release; no breaking changes flagged.

ultralytics
- Version change: 8.4.40 → 8.4.41 (patch)
- Release notes (sourced from PR body, ultralytics/releases): Fix SAM3 FP ghost IDs in video tracking (#24249); Avoid mutable NDJSON dataset cache collisions (#24290).
- Risk: Low. Patch fixes in tracking and dataset cache.
Advisory verdict: COMMENT — pyarrow crosses a major version boundary (23 → 24) and is classified as a high-risk ABI-sensitive dependency under the python-runtime surface rubric. Validation (ruff check + pytest in data-management/viewer/backend/) is recommended before merging.
Note: 🔒 Integrity filter blocked 1 item. The following item was blocked because it doesn't meet the GitHub integrity level.
- #565 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```

Generated by AW Dependabot PR Review for issue #565 · ● 833.1K
| dependencies = [ | ||
| "fastapi==0.136.0", | ||
| "uvicorn[standard]==0.44.0", | ||
| "fastapi==0.136.1", |
fastapi 0.136.0 → 0.136.1 — low risk
Patch update that addresses Pydantic v2 deprecations. No breaking changes expected.
| "scikit-learn==1.8.0", | ||
| "pandas==3.0.2", | ||
| "pyarrow==23.0.1", | ||
| "pyarrow==24.0.0", |
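Review bot: `"pyarrow==24.0.0"` crosses a major boundary while `"pandas==3.0.2"` two lines above stays pinned, so the manifest alone does not establish that this pandas/pyarrow pair is a tested combination; since uv.lock is also regenerated in this PR, confirm no transitive pin moved along with pyarrow, and treat the pytest run in data-management/viewer/backend/ suggested in this thread as the merge gate rather than the lint pass alone.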
pyarrow crosses a major version boundary (23.0.1 → 24.0.0). Apache Arrow major releases introduce C++ ABI and IPC format changes that can break:
- DataFrame/Table serialisation contracts between processes
- Interoperability with pandas, numpy, and scipy (all present in this manifest)
- Dataset and Parquet reader APIs
The python-runtime surface rubric explicitly flags pyarrow as high-risk. No GHSA or CVE IDs were found in the PR body; external advisory APIs were unreachable, so the security driver could not be confirmed. Check the GitHub Advisory Database for pyarrow to identify the specific advisory.
Recommended validation: ruff check + pytest in data-management/viewer/backend/ before merging.
| "fastapi==0.136.0", | ||
| "uvicorn[standard]==0.44.0", | ||
| "fastapi==0.136.1", | ||
| "uvicorn[standard]==0.46.0", |
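Review bot: `"uvicorn[standard]==0.46.0"` keeps the `[standard]` extra, so this line also moves the websockets, httptools and watchfiles backends it pulls in; the 0.46.0 commit list in the PR body changes the websockets-sansio message buffer and the wsproto `ws_ping_interval`/`ws_ping_timeout`/`ws_max_size` handling, so the changelog review suggested here should specifically cover any WebSocket routes the viewer backend exposes, not just HTTP/1.1 and lifespan behaviour.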
uvicorn[standard] 0.44.0 → 0.46.0 — skips 0.45.x
This bump skips the entire 0.45.x release series. While overall risk is low, verify the uvicorn changelog for any HTTP/1.1, WebSocket, or lifespan handling changes that could affect the viewer backend API behaviour.
…#574) Enhanced the Dependabot PR reviewer agentic workflow to execute lint and test suites when a high-risk dependency bump is detected (e.g., `pyarrow` major version crossing an ABI boundary). Previously, the agent could only *advise* maintainers to run checks manually — it now executes them directly and reports concrete pass/fail results in the review body.

> Motivated by PR #565 where a `pyarrow 23.0.1 → 24.0.0` bump was flagged as high-risk but required manual `ruff check` + `pytest` to confirm compatibility. The workflow had all runtimes pre-configured and bash tool access — it should have done this itself.

## Description

### Agent Validation Logic
Added a **Validation Execution** section to the *dependabot-pr-reviewer.agent.md* with structured rules for when and how to run checks:
- Per-surface command table mapping trigger conditions to exact validation commands across 6 surfaces (python-runtime dataviewer/evaluation/training, dataviewer-frontend, terraform-providers, gomod)
- **Reporting format** requiring a `### Validation Results` block with commands executed, pass/fail counts, and a clear ✅/⚠️ status line
- **Verdict adjustment** rules allowing upgrade from `COMMENT` → `APPROVE` when all checks pass, keeping `COMMENT` when they fail or are skipped
- Execution rules capping validation at 5 minutes and skipping low-risk patches entirely

### Workflow Configuration
- Fixed invalid `pre-agent-steps:` field → `steps:` to match the current gh-aw schema (resolved a compilation error, this was likely due to a gh-aw version pinned to a Pre-release, since the workflow was originally authored. Pinned back to latest Release v0.68.3 to ensure stability.)
- Expanded the `bash:` tool allowlist with 10 validation commands: `uv run ruff check`, `uv run pytest`, `npm ci && npm run validate`, `terraform init -backend=false && terraform validate`, `go vet ./...`, `go build ./...`, `go mod verify`

### Lock File Regeneration
- Recompiled *aw-dependabot-pr-review.lock.yml* with gh-aw v0.68.3 (latest stable release)
- Added *actions-lock.json* tracking action SHA pins for `actions/github-script@v9` and `github/gh-aw-actions/setup@v0.68.3`

## Type of Change
- [ ] 🐛 Bug fix (non-breaking change fixing an issue)
- [x] ✨ New feature (non-breaking change adding functionality)
- [ ] 💥 Breaking change (fix or feature causing existing functionality to change)
- [ ] 📚 Documentation update
- [ ] 🏗️ Infrastructure change (Terraform/IaC)
- [ ] ♻️ Refactoring (no functional changes)

## Component(s) Affected
- [ ] `infrastructure/terraform/prerequisites/` - Azure subscription setup
- [ ] `infrastructure/terraform/` - Terraform infrastructure
- [ ] `infrastructure/setup/` - OSMO control plane / Helm
- [ ] `workflows/` - Training and evaluation workflows
- [ ] `training/` - Training pipelines and scripts
- [ ] `docs/` - Documentation

## Testing Performed
- [ ] Terraform `plan` reviewed (no unexpected changes)
- [ ] Terraform `apply` tested in dev environment
- [ ] Training scripts tested locally with Isaac Sim
- [ ] OSMO workflow submitted successfully
- [ ] Smoke tests passed (`smoke_test_azure.py`)

## Documentation Impact
- [x] No documentation changes needed
- [ ] Documentation updated in this PR
- [ ] Documentation issue filed

## Bug Fix Checklist
*Complete this section for bug fix PRs. Skip for other contribution types.*
- [ ] Linked to issue being fixed
- [ ] Regression test included, OR
- [ ] Justification for no regression test:

## Checklist
- [x] My code follows the [project conventions](copilot-instructions.md)
- [x] Commit messages follow [conventional commit format](instructions/commit-message.instructions.md)
- [x] I have performed a self-review
- [x] Documentation impact assessed above
- [x] No new linting warnings introduced

## Related Issues
Closes #573
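As an added worked example for the advisory reviews earlier in this thread and the verdict-adjustment rules described for #574 (constructed for this page; it is not code from PR #565, #574 or the repository's reviewer agent), the Python below parses `==` pins from two versions of a pyproject manifest, buckets each bump by semver level the way Dependabot's `version-update:semver-*` labels do, applies a rubric in which a pyarrow major bump is HIGH risk and ruff is dev-only, and derives the COMMENT/APPROVE verdict from validation results. The rubric sets, the `Finding` dataclass, the `verdict` function, the constructed manifests and the rule that a PR with no validation-requiring bump gets APPROVE are all assumptions of this example; numpy, scipy, pandas and opencv appear in the ABI-sensitive set only because the reviews name them as interop-affected.

```python
"""Constructed example for this thread (not code from PR #565, #574 or the
repository's reviewer agent). All names, sets and sample data below are
assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One `name[extras]==version` pin per line, as written in pyproject.toml.
PIN_RE = re.compile(
    r'^\s*"?(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?==(?P<version>[0-9][^"\s,]*)"?,?\s*$'
)
# Hypothetical python-runtime surface rubric: the thread names pyarrow as
# ABI-sensitive and ruff as dev-only; the other entries are assumptions.
ABI_SENSITIVE = frozenset({"pyarrow", "numpy", "scipy", "pandas", "opencv-python-headless"})
DEV_ONLY = frozenset({"ruff", "pytest"})
VALIDATION_COMMANDS = ("uv run ruff check", "uv run pytest")  # from the #574 allowlist


@dataclass(frozen=True)
class Finding:
    package: str
    old: str
    new: str
    update_type: str        # major | minor | patch | none
    risk: str               # HIGH | Medium | Low-Medium | Low | Negligible
    needs_validation: bool  # True when lint + tests must run before APPROVE


def parse_pins(manifest: str) -> dict[str, str]:
    """Map PEP 503-normalised package name -> pinned version for every `==` pin."""
    pins: dict[str, str] = {}
    for line in manifest.splitlines():
        if m := PIN_RE.match(line):
            pins[re.sub(r"[-_.]+", "-", m.group("name")).lower()] = m.group("version")
    return pins


def _components(version: str) -> tuple[int, int, int]:
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def update_type(old: str, new: str) -> str:
    """Semver bucket of a change, matching Dependabot's version-update:semver-* labels."""
    o, n = _components(old), _components(new)
    if o == n:
        return "none"
    if n[0] != o[0]:
        return "major"
    return "minor" if n[1] != o[1] else "patch"


def assess(package: str, old: str, new: str) -> Finding:
    """Rubric: dev tools are negligible; majors need validation, ABI-sensitive ones are HIGH."""
    kind = update_type(old, new)
    o, n = _components(old), _components(new)
    if package in DEV_ONLY:
        risk, validate = "Negligible", False
    elif kind == "major":
        risk, validate = ("HIGH" if package in ABI_SENSITIVE else "Medium"), True
    elif kind == "minor" and n[1] - o[1] > 1:
        risk, validate = "Low-Medium", False  # a minor series was skipped: review the changelog
    else:
        risk, validate = "Low", False
    return Finding(package, old, new, kind, risk, validate)


def review(before: str, after: str) -> list[Finding]:
    """One Finding per package whose pin changed between the two manifests."""
    old_pins, new_pins = parse_pins(before), parse_pins(after)
    return [assess(name, old_pins[name], new_pins[name])
            for name in sorted(old_pins)
            if name in new_pins and old_pins[name] != new_pins[name]]


def verdict(findings: list[Finding], validation: dict[str, bool] | None = None) -> str:
    """COMMENT while a validation-requiring bump is unverified; APPROVE once every executed
    check passed; failed or skipped checks keep COMMENT (#574 rule). Treating a PR with no
    such bump as APPROVE is this example's assumption."""
    if not any(f.needs_validation for f in findings):
        return "APPROVE"
    return "APPROVE" if validation and all(validation.values()) else "COMMENT"


# Constructed manifests mirroring the pins shown in this PR's diff; pandas stays unchanged.
BEFORE = """
dependencies = [
    "fastapi==0.136.0",
    "uvicorn[standard]==0.44.0",
    "pandas==3.0.2",
    "pyarrow==23.0.1",
    "huggingface-hub==1.11.0",
    "ultralytics==8.4.40",
]
dev = [
    "ruff==0.15.11",
]
"""
AFTER = (BEFORE.replace("0.136.0", "0.136.1").replace("0.44.0", "0.46.0")
         .replace("23.0.1", "24.0.0").replace("0.15.11", "0.15.12")
         .replace("1.11.0", "1.12.0").replace("8.4.40", "8.4.41"))

if __name__ == "__main__":
    found = review(BEFORE, AFTER)
    for f in found:
        print(f"{f.package:16} {f.old:>8} -> {f.new:<8} {f.update_type:5} risk={f.risk}")
    print("verdict before validation:", verdict(found))
    print("verdict with passing checks:", verdict(found, dict.fromkeys(VALIDATION_COMMANDS, True)))
```

Run it as a script to see the per-package table and the two verdicts; the pyarrow line is the only one that sets `needs_validation`, which is why the verdict stays COMMENT until both validation commands report success, and an empty results dict (checks skipped) also keeps COMMENT.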
🤖 I have created a release *beep* *boop*

---

## [0.8.0](v0.7.4...v0.8.0) (2026-05-08)

### ⚠ BREAKING CHANGES
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524))

### ✨ Features
* **agents:** add automated validation for high-risk Dependabot bumps ([#574](#574)) ([8c3686a](8c3686a)), closes [#573](#573)
* **data:** add camera selector to annotation workspace and fix AV1 frame extraction ([#591](#591)) ([c809d2f](c809d2f))
* **data:** seed dataviewer frontend test foundation and per-section codecov flags ([#594](#594)) ([c06c4e3](c06c4e3))
* **dataviewer:** add OWASP security middleware stack ([#439](#439)) ([239edb9](239edb9))
* **infrastructure:** add conversion pipeline Terraform module ([#542](#542)) ([244531e](244531e))
* **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with secure auth and skrl 2.0.0 compatibility ([#492](#492)) ([edfd7a5](edfd7a5))
* **pipeline:** add ACSA setup for ROS2 bag sync to Blob ([#451](#451)) ([c271a54](c271a54))
* **workflows:** add advisory Dependabot PR reviewer agentic workflow ([#498](#498)) ([d4bb140](d4bb140))
* **workflows:** trigger AW Dependabot PR reviewer after PR Validation ([#580](#580)) ([7ab3d16](7ab3d16))

### 🐛 Bug Fixes
* **ci:** correct stale version comment for actions/create-github-app-token ([#506](#506)) ([b2e9a54](b2e9a54))
* **ci:** restore data-pipeline and training broken tests by domain folder restructure ([#547](#547)) ([06d8472](06d8472))
* **docs:** update remaining stale 'Coming soon' labels in docs/README.md ([#507](#507)) ([02439d6](02439d6))
* **docs:** update stale coming soon label for Training section ([#472](#472)) ([46db49b](46db49b))
* **evaluation:** scope SIL AzureML validation code path and script reference ([#387](#387)) ([9f138a9](9f138a9))
* **infrastructure:** OSMO workflow execution, PostgreSQL public access, and quickstart corrections ([#477](#477)) ([9ed2da6](9ed2da6))
* **scripts:** exclude CHANGELOG.md from changed-files msdate check ([#644](#644)) ([8133bdc](8133bdc))
* **workflows:** allow dependabot[bot] to activate AW Dependabot PR Review ([#586](#586)) ([39dc022](39dc022))
* **workflows:** correct branches filter on AW Dependabot PR Review workflow_run trigger ([#584](#584)) ([fe06b52](fe06b52))
* **workflows:** normalize validate.yaml placeholder env/compute values ([#510](#510)) ([340ff44](340ff44))
* **workflows:** recompile aw-dependabot-pr-review lock file ([#576](#576)) ([d77c167](d77c167))
* **workflows:** switch AW Dependabot PR Review to pull_request_target ([#589](#589)) ([3f1edd1](3f1edd1))

### 📚 Documentation
* **docs:** Fix deployment guide links ([#614](#614)) ([0070b04](0070b04))
* document dependency-pinning-artifacts directory purpose ([#508](#508)) ([50e0010](50e0010))

### 📦 Build System
* **training:** standardize on Python 3.12 across manifests, containers, and runtime scripts ([#541](#541)) ([7ad014a](7ad014a))

### 🔧 Operations
* **build:** add Copilot cloud agent setup-steps workflow ([#593](#593)) ([c912668](c912668))

### 🔧 Miscellaneous
* **build:** exclude auto-generated CHANGELOG.md from cspell and seed dictionary ([#582](#582)) ([de1dd57](de1dd57))
* **build:** redesign codecov flags and split pytest CI per component ([#520](#520)) ([357e745](357e745))
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524)) ([50f8ad4](50f8ad4))
* **dataviewer:** repoint stale src/dataviewer references to data-management/viewer ([#504](#504)) ([88fa1b4](88fa1b4)), closes [#503](#503)
* **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1 ([#618](#618)) ([ca10f2a](ca10f2a))
* **deps-dev:** bump globals from 15.15.0 to 17.5.0 in /data-management/viewer/frontend ([#527](#527)) ([0e0b2ae](0e0b2ae))
* **deps-dev:** bump ip-address from 10.1.0 to 10.2.0 ([#616](#616)) ([816c9cf](816c9cf))
* **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the root-npm-dependencies group across 1 directory ([#626](#626)) ([0e2f293](0e2f293))
* **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the python-dependencies group across 1 directory ([#629](#629)) ([c24f1c1](c24f1c1))
* **deps-dev:** bump the python-dependencies group across 1 directory with 2 updates ([#514](#514)) ([8410f4b](8410f4b))
* **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the inference-dependencies group across 1 directory ([#597](#597)) ([6141db4](6141db4))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer ([#424](#424)) ([5fb6d58](5fb6d58))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer/backend ([#423](#423)) ([b516ad5](b516ad5))
* **deps:** bump lucide-react from 0.469.0 to 1.8.0 in /data-management/viewer/frontend ([#528](#528)) ([1bdfc1e](1bdfc1e))
* **deps:** bump nginx from `8aa63af` to `5616878` in /data-management/viewer/frontend ([#511](#511)) ([9e7e20e](9e7e20e))
* **deps:** bump nginx from 1.27-alpine to 1.29-alpine in /data-management/viewer/frontend ([#484](#484)) ([0e5c3dd](0e5c3dd))
* **deps:** bump node from `435f353` to `e49fd70` in /data-management/viewer/frontend ([#560](#560)) ([2884649](2884649))
* **deps:** bump react-is from 18.3.1 to 19.2.5 in /data-management/viewer/frontend ([#530](#530)) ([d51318c](d51318c))
* **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the inference-dependencies group across 1 directory ([#456](#456)) ([b24e733](b24e733))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 2 updates ([#531](#531)) ([171a1da](171a1da))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#516](#516)) ([4f9a577](4f9a577))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#602](#602)) ([6c27ab5](6c27ab5))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 2 updates ([#529](#529)) ([8646971](8646971))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#601](#601)) ([d28fb50](d28fb50))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#632](#632)) ([4ca5f3e](4ca5f3e))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#515](#515)) ([109ee81](109ee81))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 6 updates ([#630](#630)) ([04d5dfd](04d5dfd))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 9 updates ([#563](#563)) ([c08f450](c08f450))
* **deps:** bump the docusaurus-dependencies group across 1 directory with 4 updates ([#627](#627)) ([f5825fc](f5825fc))
* **deps:** bump the docusaurus-dependencies group across 1 directory with 6 updates ([#599](#599)) ([b859344](b859344))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#459](#459)) ([2609c52](2609c52))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#517](#517)) ([f54bf5d](f54bf5d))
* **deps:** bump the inference-dependencies group across 1 directory with 11 updates ([#562](#562)) ([087f53a](087f53a))
* **deps:** bump the inference-dependencies group across 1 directory with 2 updates ([#628](#628)) ([4a3be47](4a3be47))
* **deps:** bump the pip group across 2 directories with 1 update ([#494](#494)) ([a14b6b0](a14b6b0))
* **docs:** update stale Python 3.11 references to 3.12 ([#575](#575)) ([6f85c95](6f85c95))
* **scripts:** remove redundant SC1091 disables in OSMO deploy scripts ([#509](#509)) ([ae1cb82](ae1cb82))

### 🔒 Security
* **build:** pin dependencies and hash-verify downloads ([#465](#465)) ([0289f49](0289f49))
* **build:** remediate dependency security advisories ([#479](#479)) ([7196d6d](7196d6d))
* **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2 ([#454](#454)) ([cb158f1](cb158f1))
* **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0 ([#495](#495)) ([e983b8b](e983b8b))
* **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the python-dependencies group ([#598](#598)) ([83384d2](83384d2))
* **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the root-npm-dependencies group ([#559](#559)) ([32bde35](32bde35))
* **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus ([#455](#455)) ([66f86ca](66f86ca))
* **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in /data-management/viewer/frontend ([#569](#569)) ([a652dba](a652dba))
* **deps-dev:** bump the python-dependencies group with 2 updates ([#457](#457)) ([749d231](749d231))
* **deps-dev:** bump the python-dependencies group with 2 updates ([#485](#485)) ([71b44fd](71b44fd))
* **deps-dev:** bump the python-dependencies group with 3 updates ([#564](#564)) ([9fc52fd](9fc52fd))
* **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus in the docusaurus-dependencies group ([#513](#513)) ([5694dbc](5694dbc))
* **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to 20260409.v4 in /evaluation/sil/docker ([#480](#480)) ([25d4df8](25d4df8))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in the uv group across 1 directory ([#538](#538)) ([92c5b2e](92c5b2e))
* **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot ([#638](#638)) ([6261d19](6261d19))
* **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus ([#469](#469)) ([0458908](0458908))
* **deps:** bump gitpython and mako for lerobot IL training ([#623](#623)) ([9f8022b](9f8022b))
* **deps:** bump node from 24.14.1-slim to 25.9.0-slim in /data-management/viewer/frontend ([#482](#482)) ([1532d09](1532d09))
* **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the inference-dependencies group ([#483](#483)) ([f4afb6c](f4afb6c))
* **deps:** bump pillow from 12.1.1 to 12.2.0 ([#467](#467)) ([39fb663](39fb663))
* **deps:** bump python from 3.11-slim to 3.14-slim in /data-management/viewer/backend ([#481](#481)) ([7af9dfc](7af9dfc))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 15 updates ([#428](#428)) ([e4446a2](e4446a2))
* **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 4 updates ([#487](#487)) ([0f57c5b](0f57c5b))
* **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates ([#566](#566)) ([d6e7869](d6e7869))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#464](#464)) ([24c208d](24c208d))
* **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 2 updates ([#486](#486)) ([90149f3](90149f3))
* **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 6 updates ([#565](#565)) ([f0bb36b](f0bb36b))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 10 updates ([#613](#613)) ([e481f83](e481f83))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#534](#534)) ([5478ab6](5478ab6))
* **deps:** bump the github-actions group with 2 updates ([#488](#488)) ([4e6ce98](4e6ce98))
* **deps:** bump the github-actions group with 3 updates ([#567](#567)) ([48c38dc](48c38dc))
* **deps:** bump the github-actions group with 3 updates ([#634](#634)) ([00cfb49](00cfb49))
* **deps:** bump the github-actions group with 6 updates ([#603](#603)) ([73eb79a](73eb79a))
* **deps:** bump the training-dependencies group across 1 directory with 23 updates ([#463](#463)) ([d5a8656](d5a8656))
* **deps:** bump yaml from 2.8.2 to 2.8.3 in /data-management/viewer/frontend ([#453](#453)) ([10449df](10449df))
* pytest harness, dependabot advisories, and OSSF Scorecard remediations ([#501](#501)) ([e8756e8](e8756e8))
* **scripts:** pin and hash-verify all shell script downloads ([#468](#468)) ([0c2bb9c](0c2bb9c))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------
Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Bumps the dataviewer-dependencies group in /data-management/viewer with 6 updates:
Updates `fastapi` from 0.136.0 to 0.136.1
Release notes
Sourced from fastapi's releases.
Commits
- e54e5a8 🔖 Release version 0.136.1
- 9a8a5fd 📝 Update release notes
- 7815a32 ⬆️ Update Pydantic v2 code to address deprecations (#15101)
- ef1c927 📝 Update release notes
- 38039e1 🔨 Tweak translation script (#15174)
- 4fa826c 📝 Update release notes
- c394156 ⬆ Bump mkdocs-material from 9.7.1 to 9.7.6 (#15408)
- ae230ad 📝 Update release notes
- d9eb39d ⬆ Bump inline-snapshot from 0.31.1 to 0.32.6 (#15409)
- 4f8b5d1 📝 Update release notes

Updates `uvicorn[standard]` from 0.44.0 to 0.46.0
Release notes
Sourced from uvicorn[standard]'s releases.
Changelog
Sourced from uvicorn[standard]'s changelog.
Commits
- b224045 Version 0.46.0 (#2918)
- 7375b5b Use `bytearray` for incoming WebSocket message buffer in websockets-sansio (#...
- d438fb1 Support `ws_ping_interval` and `ws_ping_timeout` in `wsproto` implementation ...
- 3e6b964 Support `ws_max_size` in `wsproto` implementation (#2915)
- 2c423bd Version 0.45.0 (#2914)
- 7f027f8 Revert "Emit `http.disconnect` on server shutdown for streaming responses" (#...
- 73a80c3 Add `--reset-contextvars` flag to isolate ASGI request context (#2912)
- 45c0b56 Revert empty context for ASGI runs (#2911)
- 850d926 Raise helpful `ImportError` when PyYAML is missing for YAML log config (#2906)
- fdcacb4 Accept `log_level` strings case-insensitively (#2907)

Updates `pyarrow` from 23.0.1 to 24.0.0
Release notes
Sourced from pyarrow's releases.
Commits
- 31b4b6c MINOR: [Release] Update versions for 24.0.0
- 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
- a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
- 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
- a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
- 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
- f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
- fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
- 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
- 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)

Updates `ruff` from 0.15.11 to 0.15.12
Release notes
Sourced from ruff's releases.
... (truncated)
Changelog
Sourced from ruff's changelog.
Commits
- 66f93cf Bump 0.15.12 (#24815)
- 476a4d0 [ty] Complete support for more detailed diagnostics on possibly unbound error...
- ed669ea Implement `#ruff:file-ignore` file-level suppressions (#23599)
- e73d952 [ty] Include inferred type in `invalid-key` concise diagnostic for union/inte...
- 80feb29 [ty] report only dead annotation-only locals as unused (#24811)
- 0fbf2bc Drop deprecated license classifier (#24808)
- 43b174c [ty] Infer lambda parameter types with `Callable` type context (#24317)
- 4f449ae [ty] Add error context for intersection types (#24772)
- 5b4e753 [ty] Add support for goto in literal enum member inlay hint (#24792)
- e7cc762 [ty] Add error context for TypedDict assignments (#24790)

Updates `huggingface-hub` from 1.11.0 to 1.12.0
Release notes
Sourced from huggingface-hub's releases.
... (truncated)
Commits
- 16dd546 Release: v1.12.0
- 43c20f4 Release: v1.12.0.rc1
- a9a4ef8 Release: v1.12.0.rc0
- 9104623 Apply fsspec config in HfFileSystem metaclass (#4062)
- c3b04aa chore: bump doc-builder SHA for main doc build workflow (#4137)
- 871f54e [HfApi] Add `mainSize` to `ExpandDatasetProperty_T` (#4136)
- 50444e5 [Release] Add social media draft generation to release workflow (#4132)
- 6e9e383 [Buckets] Skip local walk for download sync without delete (#4123)
- f1cd149 [CLI] Migrate buckets commands to out singleton (#4111)
- 50013bd [Buckets] Add search param to list_buckets (#4130)

Updates `ultralytics` from 8.4.40 to 8.4.41
Commits
- 972e135 `ultralytics 8.4.41` Fix SAM3 FP ghost IDs in video tracking (#24249)
- 0bc12fc `ultralytics 8.4.41` Avoid mutable NDJSON dataset cache collisions (#24290)
- 235ebb3 Migrate benchmarks CI from `ubuntu-latest` to `cpu-latest` (#24286)
- 73fcaec Add NVIDIA DALI GPU preprocessing guide (#24102)
- 6438ebd Refresh platform docs (#24281)
- 3681717 Add fine-tuning guide for YOLO on custom datasets (#24164)
- 8c82434 Improve docs platform examples (#24006)
- de48cc7 Add Modal Quickstart Guide (#23414)
- 3d196f0 Document cfg arg in configuration reference (#24212)
- 419fbd6 Clarify architecture-only yamls and historical framing on model pages (#24233)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions