security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates #566

Merged: bindsi merged 2 commits into main from dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-5b19d53d70 on Apr 27, 2026

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates:

| Package | From | To |
| --- | --- | --- |
| fastapi | 0.136.0 | 0.136.1 |
| uvicorn[standard] | 0.44.0 | 0.46.0 |
| pyarrow | 23.0.1 | 24.0.0 |
| ruff | 0.15.11 | 0.15.12 |
| hypothesis | 6.152.1 | 6.152.3 |
| schemathesis | 4.15.2 | 4.16.1 |
| huggingface-hub | 1.11.0 | 1.12.0 |
| ultralytics | 8.4.40 | 8.4.41 |

Updates fastapi from 0.136.0 to 0.136.1

Release notes

Sourced from fastapi's releases.

0.136.1

Upgrades

Internal

Commits

Updates uvicorn[standard] from 0.44.0 to 0.46.0

Release notes

Sourced from uvicorn[standard]'s releases.

Version 0.46.0

What's Changed

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

Version 0.45.0

What's Changed

New Contributors

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

Changelog

Sourced from uvicorn[standard]'s changelog.

0.46.0 (April 23, 2026)

Added

  • Support ws_max_size in wsproto implementation (#2915)
  • Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

  • Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

  • Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • Accept os.PathLike for log_config (#2905)
  • Accept log_level strings case-insensitively (#2907)

Changed

  • Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
  • Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

  • Preserve forwarded client ports in proxy headers middleware (#2903)
  • Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
Commits
  • b224045 Version 0.46.0 (#2918)
  • 7375b5b Use bytearray for incoming WebSocket message buffer in websockets-sansio (#...
  • d438fb1 Support ws_ping_interval and ws_ping_timeout in wsproto implementation ...
  • 3e6b964 Support ws_max_size in wsproto implementation (#2915)
  • 2c423bd Version 0.45.0 (#2914)
  • 7f027f8 Revert "Emit http.disconnect on server shutdown for streaming responses" (#...
  • 73a80c3 Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • 45c0b56 Revert empty context for ASGI runs (#2911)
  • 850d926 Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
  • fdcacb4 Accept log_level strings case-insensitively (#2907)
  • Additional commits viewable in compare view

Updates pyarrow from 23.0.1 to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Apache Arrow 24.0.0 RC0

Release Notes: Release Candidate: 24.0.0 RC0

Commits
  • 31b4b6c MINOR: [Release] Update versions for 24.0.0
  • 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
  • a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
  • 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
  • a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
  • 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
  • f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
  • fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
  • 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
  • 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
  • Additional commits viewable in compare view

Updates ruff from 0.15.11 to 0.15.12

Release notes

Sourced from ruff's releases.

0.15.12

Release Notes

Released on 2026-04-24.

Preview features

  • Implement #ruff:file-ignore file-level suppressions (#23599)
  • Implement #ruff:ignore logical-line suppressions (#23404)
  • Revert preview changes to displayed diagnostic severity in LSP (#24789)
  • [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
  • [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
  • [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

  • [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

  • Respect default Unix permissions for cache files (#24794)

Documentation

  • [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
  • [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
  • Improve rules table accessibility (#24711)

Contributors

Install ruff 0.15.12

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.12/ruff-installer.sh | sh

... (truncated)

Commits
  • 66f93cf Bump 0.15.12 (#24815)
  • 476a4d0 [ty] Complete support for more detailed diagnostics on possibly unbound error...
  • ed669ea Implement #ruff:file-ignore file-level suppressions (#23599)
  • e73d952 [ty] Include inferred type in invalid-key concise diagnostic for union/inte...
  • 80feb29 [ty] report only dead annotation-only locals as unused (#24811)
  • 0fbf2bc Drop deprecated license classifier (#24808)
  • 43b174c [ty] Infer lambda parameter types with Callable type context (#24317)
  • 4f449ae [ty] Add error context for intersection types (#24772)
  • 5b4e753 [ty] Add support for goto in literal enum member inlay hint (#24792)
  • e7cc762 [ty] Add error context for TypedDict assignments (#24790)
  • Additional commits viewable in compare view

Updates hypothesis from 6.152.1 to 6.152.3

Release notes

Sourced from hypothesis's releases.

Hypothesis for Python - version 6.152.3

The "hypothesis-urandom" backend now reads from "/dev/urandom" with buffering disabled, which improves the control of those hooking "/dev/urandom" to change or read Hypothesis's random decisions.

The canonical version of these notes (with links) is on readthedocs.

Hypothesis for Python - version 6.152.2

This release further improves printing of generated values, building on the changes in version 6.151.11.

Principal changes:

  • In many cases where we would have printed a complex expression producing a value, we now print the repr (or a pretty-printed version of it).

  • Additionally, in some cases where we would print a complex expression that involved a lambda, we are now able to simplify that expression into a more readable one.

The canonical version of these notes (with links) is on readthedocs.

Commits
  • 609de04 Bump hypothesis-python version to 6.152.3 and update changelog
  • 902f1ba Merge pull request #4720 from Liam-DeVoe/urandom-disable-buffering
  • da81118 claude: open /dev/urandom with buffering=0 in URandomProvider
  • 80fada3 Merge pull request #4714 from HypothesisWorks/DRMacIver/uv
  • 634e2be Let tox auto-provision tox-uv instead of pinning it in tools.txt
  • 5265564 Seed pip into tox-uv envs
  • d6caeb8 Use uv instead of pyenv for build-time Python installs and tox
  • c727ead Bump hypothesis-python version to 6.152.2 and update changelog
  • 36d74b7 Merge pull request #4711 from HypothesisWorks/DRMacIver/is-code-owner
  • bbc8963 Merge pull request #4712 from HypothesisWorks/DRMacIver/fix-build
  • Additional commits viewable in compare view

Updates schemathesis from 4.15.2 to 4.16.1

Release notes

Sourced from schemathesis's releases.

Release 4.16.1

🐛 Fixed

  • auth API on LazySchema to match BaseSchema. #3797

Release 4.16.0

🚀 Added

  • schemathesis.openapi.require_security_scheme() for scoping auth providers to specific OpenAPI security schemes. #3745

🐛 Fixed

  • Query parameters not serialized when style/explode are omitted from the spec, ignoring OpenAPI 3.0 defaults.
  • Use the matching registered serializer for multipart fields with encoding.contentType. #3785
  • before_call hook setting a missing required header in the coverage phase had no effect. #3784
  • Request timeouts reported as a check failure when a replay made them flaky.

positive_data_acceptance false positives

  • example values violating constraints (examples phase):

    • When an object schema-level example has a property violating a nested format constraint (e.g. date-time without timezone).
    • When a parameter-level example value violates its declared schema type.
    • When a schema-level parameter example violates the parameter's own constraints (e.g. pattern).
    • When a response-derived parameter example violates the parameter's schema constraints.
    • When a response-derived parameter example violates the parameter's format constraint.
    • When a property example violates its field's own type (also applies to the coverage phase).
    • For content-encoded header parameters with object examples.
    • For property examples violating anyOf/oneOf constraints via bundled $refs.
    • For array body properties with minItems > 1 and object items.
    • When assembled body violates the schema (e.g. allOf with additionalProperties: false).
    • When a required property has an unsatisfiable schema.
  • Composition (allOf / oneOf / anyOf / $ref) in the coverage phase:

    • For oneOf branches with nested multi-$ref allOf.
    • For oneOf body schemas where generated values satisfy multiple branches simultaneously.
    • For oneOf body schemas where a branch requires fields only defined in the parent schema.
    • When an anyOf branch has const: null but a sibling type constraint excludes null.
    • When a multi-level allOf chain causes required properties from a base schema to be generated as null.
    • For body schemas with $ref + additionalProperties: false and pattern/minLength/maxLength constraints.
  • enum vs sibling constraints (coverage phase):

    • For required array properties with an unsatisfiable enum constraint.
    • For body properties where all enum values violate a sibling constraint (e.g. maxLength).
    • When an enum contains values violating the declared type (e.g. YAML-parsed false for type: string).
    • When enum contains values violating the declared type in template body generation.
  • Structural required / properties mismatches:

    • When a nested required field is unsatisfiable, making the parent object invalid (coverage phase).

... (truncated)

Changelog

Sourced from schemathesis's changelog.

4.16.1 - 2026-04-26

4.16.0 - 2026-04-26

Commits
  • 99fb9b6 chore: Release 4.16.1
  • f0b7e3e fix: auth API on LazySchema to match BaseSchema
  • e23062c docs: Fix selective auth example
  • b1ec7b0 chore: Update pre-commit
  • b314cb4 build: Remove unneeded files from source distribution
  • 2edad15 chore: Release 4.16.0
  • 07d749e fix: Query parameters not serialized when style/explode are omitted from ...
  • 71a1b8e test: Add more tests
  • 5b6308c fix: Request timeouts reported as a check failure when a replay made them flaky
  • a37cd2c fix: False positive in negative_data_rejection for `application/x-www-form-...
  • Additional commits viewable in compare view

Updates huggingface-hub from 1.11.0 to 1.12.0

Release notes

Sourced from huggingface-hub's releases.

[v1.12.0] Unified CLI output, bucket search, and more

🖥️ Unified output format for hf buckets commands

All hf buckets commands now use the unified --format [auto|human|agent|json|quiet] flag and the out singleton for consistent, scriptable output. The previous --quiet and --format table|json flags have been replaced by a single --format option that works across create, list, info, delete, rm, move, and cp. Success messages use out.result(), detail views use out.dict(), and listings use out.table() with proper empty-results handling — making the buckets CLI consistent with the rest of the hf command suite.

# Quiet mode: print only bucket IDs
hf buckets list --format quiet
# JSON output for scripting
hf buckets create my-bucket --format json
# Agent-friendly structured output
hf buckets info username/my-bucket --format agent

📚 Documentation: Buckets guide · CLI guide

🪣 Search buckets by name

You can now filter buckets by name when listing them, both from the Python API and the CLI. Pass search="checkpoint" to list_buckets() or --search "checkpoint" to hf buckets list to find buckets matching a name pattern, without having to list and filter client-side.

# Filter buckets by name
hf buckets list --search "checkpoint"
# Filter buckets by name in Python
for bucket in list_buckets(search="checkpoint"):
    print(bucket.id)

📚 Documentation: Buckets guide · CLI guide

🖥️ CLI

🐛 Bug and typo fixes

🔧 Other QoL Improvements

... (truncated)

Commits
  • 16dd546 Release: v1.12.0
  • 43c20f4 Release: v1.12.0.rc1
  • a9a4ef8 Release: v1.12.0.rc0
  • 9104623 Apply fsspec config in HfFileSystem metaclass (#4062)
  • c3b04aa chore: bump doc-builder SHA for main doc build workflow (#4137)
  • 871f54e [HfApi] Add mainSize to ExpandDatasetProperty_T (#4136)
  • 50444e5 [Release] Add social media draft generation to release workflow (#4132)
  • 6e9e383 [Buckets] Skip local walk for download sync without delete (#4123)
  • f1cd149 [CLI] Migrate buckets commands to out singleton (#4111)
  • 50013bd [Buckets] Add search param to list_buckets (#4130)
  • Additional commits viewable in compare view

Updates ultralytics from 8.4.40 to 8.4.41

Commits


Bumps the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.0` | `0.136.1` |
| [uvicorn[standard]](https://github.com/Kludex/uvicorn) | `0.44.0` | `0.46.0` |
| [pyarrow](https://github.com/apache/arrow) | `23.0.1` | `24.0.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.11` | `0.15.12` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.152.1` | `6.152.3` |
| [schemathesis](https://github.com/schemathesis/schemathesis) | `4.15.2` | `4.16.1` |
| [huggingface-hub](https://github.com/huggingface/huggingface_hub) | `1.11.0` | `1.12.0` |
| [ultralytics](https://github.com/ultralytics/ultralytics) | `8.4.40` | `8.4.41` |


Updates `fastapi` from 0.136.0 to 0.136.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.0...0.136.1)

Updates `uvicorn[standard]` from 0.44.0 to 0.46.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.44.0...0.46.0)

Updates `pyarrow` from 23.0.1 to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-23.0.1...apache-arrow-24.0.0)

Updates `ruff` from 0.15.11 to 0.15.12
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.11...0.15.12)

Updates `hypothesis` from 6.152.1 to 6.152.3
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@hypothesis-python-6.152.1...hypothesis-python-6.152.3)

Updates `schemathesis` from 4.15.2 to 4.16.1
- [Release notes](https://github.com/schemathesis/schemathesis/releases)
- [Changelog](https://github.com/schemathesis/schemathesis/blob/master/CHANGELOG.md)
- [Commits](schemathesis/schemathesis@v4.15.2...v4.16.1)

Updates `huggingface-hub` from 1.11.0 to 1.12.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.11.0...v1.12.0)

Updates `ultralytics` from 8.4.40 to 8.4.41
- [Release notes](https://github.com/ultralytics/ultralytics/releases)
- [Commits](ultralytics/ultralytics@v8.4.40...v8.4.41)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.136.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
- dependency-name: uvicorn[standard]
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-backend-dependencies
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dataviewer-backend-dependencies
- dependency-name: ruff
  dependency-version: 0.15.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
- dependency-name: hypothesis
  dependency-version: 6.152.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
- dependency-name: schemathesis
  dependency-version: 4.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-backend-dependencies
- dependency-name: huggingface-hub
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-backend-dependencies
- dependency-name: ultralytics
  dependency-version: 8.4.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dataviewer, dependencies (Dependency version updates), and python (Pull requests that update python code) labels Apr 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 27, 2026 03:34
@github-actions github-actions Bot changed the title from "chore(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates" to "security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates" Apr 27, 2026

github-actions Bot commented Apr 27, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 8 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 788de5a.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/backend/uv.lock

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| fastapi | 0.136.1 | Null | Unknown License |
| hypothesis | 6.152.3 | Null | Unknown License |
| jsonschema-rs | 0.46.2 | Null | Unknown License |
| pyarrow | 24.0.0 | Null | Unknown License |
| ruff | 0.15.12 | Null | Unknown License |
| schemathesis | 4.16.1 | Null | Unknown License |
| ultralytics | 8.4.41 | Null | Unknown License |
| uvicorn | 0.46.0 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/fastapi | 0.136.1 | Unknown | Unknown |
| pip/huggingface-hub | 1.12.0 | 🟢 6.2 | Details |
| pip/hypothesis | 6.152.3 | Unknown | Unknown |
| pip/jsonschema-rs | 0.46.2 | Unknown | Unknown |
| pip/pyarrow | 24.0.0 | Unknown | Unknown |
| pip/ruff | 0.15.12 | Unknown | Unknown |
| pip/schemathesis | 4.16.1 | Unknown | Unknown |
| pip/ultralytics | 8.4.41 | Unknown | Unknown |
| pip/uvicorn | 0.46.0 | Unknown | Unknown |

Details for pip/huggingface-hub 1.12.0:

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 9 | Found 27/29 approved changesets -- score normalized to 9 |
| Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |

Scanned Files

  • data-management/viewer/backend/uv.lock


github-actions Bot commented Apr 27, 2026

AW Dependabot PR Review completed successfully!


codecov-commenter commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.56%. Comparing base (a652dba) to head (788de5a).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #566      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%     
==========================================
  Files         250      262      +12     
  Lines       15409    16639    +1230     
  Branches     2122     2260     +138     
==========================================
+ Hits         9848    11076    +1228     
  Misses       5274     5274              
- Partials      287      289       +2     

| Flag | Coverage Δ | *Carryforward flag |
| --- | --- | --- |
| pester | 83.13% <ø> (ø) | Carriedforward from b5a832a |
| pytest-data-pipeline | 100.00% <ø> (ø) | Carriedforward from b5a832a |
| pytest-dataviewer | 65.12% <ø> (ø) | |
| pytest-dm-tools | 100.00% <ø> (ø) | Carriedforward from b5a832a |
| pytest-evaluation | 99.83% <ø> (?) | |
| pytest-fuzz | 4.97% <ø> (ø) | Carriedforward from b5a832a |
| pytest-inference | 0.00% <ø> (ø) | Carriedforward from b5a832a |
| pytest-training | 82.14% <ø> (ø) | Carriedforward from b5a832a |
| vitest | 51.08% <ø> (ø) | Carriedforward from b5a832a |

*This pull request uses carry forward flags.
see 12 files with indirect coverage changes

@github-actions github-actions Bot left a comment

⚠️ Maintainer review recommended

Advisory Review Summary

Surfaces touched: python-runtime (uv ecosystem under data-management/viewer/backend/)
Manifests: data-management/viewer/backend/pyproject.toml (manifest) + data-management/viewer/backend/uv.lock (companion lockfile — not a transitive-only pin)

| Package | From | To | Severity | Surface |
| --- | --- | --- | --- | --- |
| fastapi | 0.136.0 | 0.136.1 | None identified | python-runtime |
| uvicorn[standard] | 0.44.0 | 0.46.0 | None identified | python-runtime |
| pyarrow | 23.0.1 | 24.0.0 | ⚠️ High-risk (major bump) | python-runtime |
| ruff | 0.15.11 | 0.15.12 | None identified | python-runtime (dev) |
| hypothesis | 6.152.1 | 6.152.3 | None identified | python-runtime (dev) |
| schemathesis | 4.15.2 | 4.16.1 | None identified | python-runtime (dev) |
| huggingface-hub | 1.11.0 | 1.12.0 | None identified | python-runtime (optional) |
| ultralytics | 8.4.40 | 8.4.41 | None identified | python-runtime (optional) |

fastapi

uvicorn[standard]

  • No advisory identifiers; no GHSA/CVE found.
  • v0.46.0: WebSocket ws_max_size, ws_ping_interval, ws_ping_timeout support in wsproto implementation.
  • v0.45.0: Proxy headers middleware now preserves forwarded client ports; new --reset-contextvars flag; case-insensitive log_level strings; PyYAML-absent ImportError clarity.
  • Repo-specific note: The forwarded-port change in v0.45.0 may interact with slowapi rate-limiting if client identity is derived from proxy headers. Confirm key functions remain correct.
  • Source: Kludex/uvicorn@0.44.0...0.46.0

pyarrow

  • No explicit GHSA/CVE identifier cited in the PR body. Advisory enrichment via OSV/NVD could not be completed due to network restrictions in this environment; maintainers should independently verify at (osv.dev/redacted) and (arrow.apache.org/redacted)
  • v24.0.0 release notes: Full details at (arrow.apache.org/redacted) Commit range: apache/arrow@apache-arrow-23.0.1...apache-arrow-24.0.0
  • ⚠️ High-risk trigger: pyarrow is in the python-runtime ABI-sensitivity inventory for this repo. A major version increment (23 → 24) in Apache Arrow can introduce breaking Parquet/IPC serialization changes, C++ extension ABI shifts, and removed deprecated APIs. The data-viewer backend uses pyarrow as a runtime dependency.
  • Validation advice: Run ruff check and pytest tests/ in data-management/viewer/backend; validate that Parquet files produced by v23 consumers are still readable under v24.

ruff

hypothesis

schemathesis

huggingface-hub

ultralytics


Advisory verdict: COMMENT — pyarrow crosses a major version boundary (23 → 24), triggering the python-runtime high-risk flag; maintainers should validate ABI and Parquet/IPC data format compatibility before merging. All other seven packages are patch or minor bumps with no advisory identifiers identified.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #566 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #566 · ● 1.5M

Comment thread data-management/viewer/backend/pyproject.toml
github-actions Bot commented Apr 27, 2026

AW Dependabot PR Review completed successfully!

@bindsi bindsi merged commit d6e7869 into main Apr 27, 2026
42 checks passed
@bindsi bindsi deleted the dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-5b19d53d70 branch April 27, 2026 07:57

@github-actions github-actions Bot left a comment

⚠️ Maintainer review recommended

One high-risk signal fires: pyarrow major version bump (23.0.1 → 24.0.0) on the python-runtime surface — a surface that explicitly flags pyarrow as ABI-sensitive.


Advisory Review Summary

Ecosystems and surfaces touched:

  • Ecosystem: pip / uv
  • Surface: python-runtime (data-management/viewer/backend/)
  • Manifests changed: data-management/viewer/backend/pyproject.toml, data-management/viewer/backend/uv.lock

No explicit GHSA or CVE identifiers were found in the Dependabot PR body. The security(deps): title prefix indicates Dependabot classified this update as security-relevant, but no advisory IDs were attached. External advisory APIs were unreachable from the review environment; all risk assessments below are based on version-range and surface analysis only.


Package Table

| Package | From | To | Severity | Surface |
| --- | --- | --- | --- | --- |
| pyarrow | 23.0.1 | 24.0.0 | ⚠️ High-risk (major bump) | python-runtime |
| uvicorn[standard] | 0.44.0 | 0.46.0 | Low | python-runtime |
| fastapi | 0.136.0 | 0.136.1 | Low | python-runtime |
| schemathesis | 4.15.2 | 4.16.1 | Low | python-runtime |
| huggingface-hub | 1.11.0 | 1.12.0 | Low | python-runtime |
| ruff | 0.15.11 | 0.15.12 | None | python-runtime (dev) |
| hypothesis | 6.152.1 | 6.152.3 | None | python-runtime (dev) |
| ultralytics | 8.4.40 | 8.4.41 | None | python-runtime |

pyarrow

  • Bump: 23.0.1 → 24.0.0 (major version).
  • Surface trigger: pyarrow is explicitly listed as high-risk on the python-runtime surface due to Isaac Sim / CUDA ABI sensitivity and frequent API changes across major versions.
  • Risk: Apache Arrow major releases routinely include C++ ABI and Python API changes (schema inference, IPC, Parquet serialisation). Code paths that use pyarrow.Table, pyarrow.Schema, or pyarrow.parquet should be validated.
  • Validation advice: Run ruff check and the targeted pytest suite in data-management/viewer/backend/ before merging.
  • Source: Apache Arrow releases — no advisory ID in PR body.

uvicorn[standard]

  • Bump: 0.44.0 → 0.46.0 (skips one minor release).
  • Release highlights:
    • 0.45.0: Reverted http.disconnect emit on shutdown; new --reset-contextvars flag; proxy-header client-port fix.
    • 0.46.0: WebSocket buffer now uses bytearray; ws_max_size / ping interval/timeout added for wsproto.
  • Risk: The context-vars revert could affect request-isolation in streaming endpoints. Low overall risk.
  • Source: uvicorn release notes

fastapi

  • Bump: 0.136.0 → 0.136.1 (patch).
  • Release highlights: Updates Pydantic v2 code to address deprecations (#15101). Internal/doc changes only.
  • Risk: Negligible. Patch-only, no API changes.
  • Source: fastapi releases

schemathesis

  • Bump: 4.15.2 → 4.16.1 (minor).
  • Risk: Dev/test dependency only. No production impact.
  • Transitive lockfile note: jsonschema-rs is bumped 0.45.0 → 0.46.2 in uv.lock as a transitive dependency of schemathesis. This is a lockfile-only change with no direct manifest pin.

huggingface-hub

  • Bump: 1.11.0 → 1.12.0 (minor).
  • Risk: Low. Monitor for any cache-layout or download-API changes if the backend uses model hub endpoints.
  • Source: huggingface_hub releases

ruff

  • Bump: 0.15.11 → 0.15.12 (patch). Dev linting tool only. No runtime impact.

hypothesis

  • Bump: 6.152.1 → 6.152.3 (patch). Dev/test dependency only. No runtime impact.

ultralytics

  • Bump: 8.4.40 → 8.4.41 (patch). Minimal risk; patch-level update.

Transitive-only pin note

jsonschema-rs bumps 0.45.0 → 0.46.2 in uv.lock without a corresponding manifest change — this is a transitive-only lockfile pin pulled in by schemathesis. No direct action required.


Advisory verdict: COMMENT — pyarrow crosses a major version boundary on the python-runtime high-risk surface; maintainer validation via pytest in data-management/viewer/backend/ is recommended before merge.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #566 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #566 · ● 809.7K

"fastapi==0.136.0",
"uvicorn[standard]==0.44.0",
"fastapi==0.136.1",
"uvicorn[standard]==0.46.0",

Two minor versions skipped (0.44.0 → 0.46.0)

uvicorn[standard] skips 0.45.0. Notable changes across both versions include:

  • 0.45.0: Reversed http.disconnect emit on shutdown (#2913 revert); added --reset-contextvars flag; proxy-header client-port preservation fix.
  • 0.46.0: WebSocket buffer switched to bytearray; ws_max_size / ws_ping_interval / ws_ping_timeout now supported in wsproto.

The context-vars revert in 0.45.0 could affect request-isolation behaviour in streaming endpoints. Verify streaming / WebSocket handlers after upgrade.

Source: uvicorn release notes

"hypothesis==6.152.1",
"schemathesis==4.15.2",
"hypothesis==6.152.3",
"schemathesis==4.16.1",

schemathesis bumped 4.15.2 → 4.16.1. The lockfile also bumps the transitive dependency jsonschema-rs from 0.45.0 → 0.46.2 — this is a lockfile-only transitive change (no direct manifest pin). No breaking changes are expected for this dev/test dependency, but validate with pytest in tests/.

]
huggingface = [
"huggingface-hub==1.11.0",
"huggingface-hub==1.12.0",

huggingface-hub bumped 1.11.0 → 1.12.0 (minor). No security advisories identified in the PR body. Monitor the HuggingFace Hub changelog for any changes to model-download or cache-layout APIs used by the backend.

"aiofiles==25.1.0",
"numpy==2.4.4",
"pyarrow==23.0.1",
"pyarrow==24.0.0",
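
Review bot: the pyarrow pin crosses a major version (23.0.1 to 24.0.0) inside a grouped update of 8 packages, so a Parquet or IPC regression cannot be rolled back without also reverting the other seven bumps. Consider splitting the pyarrow change into its own PR, or excluding major updates from the dataviewer-backend-dependencies group, so it can be validated and reverted on its own.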

⚠️ Major version bump — high-risk surface trigger

pyarrow is bumped from 23.0.1 to 24.0.0 (major version). pyarrow is explicitly listed as an ABI-sensitive dependency on the python-runtime surface for this repository.

Apache Arrow major releases commonly include breaking C++ ABI and Python API changes. Review the [Apache Arrow 24 migration guide](arrow.apache.org/redacted) and verify that:

  • Any code using pyarrow APIs still functions correctly (schema inference, IPC, Parquet read/write).
  • No import-time or serialization errors occur after upgrade.

Validation: Run ruff check and the targeted pytest suite in data-management/viewer/backend/ before merging.
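
The version-range and surface analysis the review describes can be reproduced offline. The Python sketch below is an added example, not the AW Dependabot PR Review workflow's own code: the pins come from the package table above, while the `ABI_SENSITIVE` set, the flag names and the `PASS` label are assumptions.

```python
import re

# Pins copied from the review's package table as (name, from, to).
MANIFEST_BUMPS = [
    ("pyarrow", "23.0.1", "24.0.0"),
    ("uvicorn[standard]", "0.44.0", "0.46.0"),
    ("fastapi", "0.136.0", "0.136.1"),
    ("schemathesis", "4.15.2", "4.16.1"),
    ("huggingface-hub", "1.11.0", "1.12.0"),
    ("ruff", "0.15.11", "0.15.12"),
    ("hypothesis", "6.152.1", "6.152.3"),
    ("ultralytics", "8.4.40", "8.4.41"),
]
# uv.lock carries the same bumps plus the transitive one the review mentions.
LOCK_BUMPS = MANIFEST_BUMPS + [("jsonschema-rs", "0.45.0", "0.46.2")]
# Assumption: the repo's ABI-sensitivity inventory; the review names only pyarrow.
ABI_SENSITIVE = {"pyarrow"}


def normalize(name):
    """Drop an [extras] suffix and apply PEP 503 name normalisation."""
    return re.sub(r"[-_.]+", "-", name.split("[", 1)[0]).lower()


def parse(version):
    """Parse a plain X.Y.Z release; refuse anything else instead of guessing."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def bump_kind(old, new):
    """Name the first version component that differs; reject non-upgrades."""
    o, n = parse(old), parse(new)
    if n <= o:
        raise ValueError(f"{old} -> {new} is not an upgrade")
    return next(k for k, a, b in zip(("major", "minor", "patch"), o, n) if a != b)


def triage(manifest, lock, abi_sensitive):
    """Return {package: (kind, sorted flags)} for every changed lockfile pin."""
    direct = {normalize(name) for name, _, _ in manifest}
    report = {}
    for name, old, new in lock:
        key, kind = normalize(name), bump_kind(old, new)
        flags = set()
        if kind == "major":
            flags.add("high-risk" if key in abi_sensitive else "major")
        if kind == "minor" and parse(new)[1] - parse(old)[1] > 1:
            flags.add("skipped-minor")  # intermediate release notes need reading too
        if key not in direct:
            flags.add("transitive-only")  # changed in the lockfile, no manifest pin
        report[key] = (kind, sorted(flags))
    return report


def verdict(report):
    """COMMENT when any pin is high-risk; PASS is this example's own label."""
    return "COMMENT" if any("high-risk" in f for _, f in report.values()) else "PASS"


if __name__ == "__main__":
    for pkg, (kind, flags) in triage(MANIFEST_BUMPS, LOCK_BUMPS, ABI_SENSITIVE).items():
        print(f"{pkg:18} {kind:6} {', '.join(flags) or '-'}")
```

Only plain X.Y.Z pins are handled; pre-release or local version strings raise instead of being classified.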

WilliamBerryiii pushed a commit that referenced this pull request May 8, 2026
🤖 I have created a release *beep* *boop*
---


## [0.8.0](v0.7.4...v0.8.0) (2026-05-08)


### ⚠ BREAKING CHANGES

* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))

### ✨ Features

* **agents:** add automated validation for high-risk Dependabot bumps
([#574](#574))
([8c3686a](8c3686a)),
closes
[#573](#573)
* **data:** add camera selector to annotation workspace and fix AV1
frame extraction
([#591](#591))
([c809d2f](c809d2f))
* **data:** seed dataviewer frontend test foundation and per-section
codecov flags
([#594](#594))
([c06c4e3](c06c4e3))
* **dataviewer:** add OWASP security middleware stack
([#439](#439))
([239edb9](239edb9))
* **infrastructure:** add conversion pipeline Terraform module
([#542](#542))
([244531e](244531e))
* **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with
secure auth and skrl 2.0.0 compatibility
([#492](#492))
([edfd7a5](edfd7a5))
* **pipeline:** add ACSA setup for ROS2 bag sync to Blob
([#451](#451))
([c271a54](c271a54))
* **workflows:** add advisory Dependabot PR reviewer agentic workflow
([#498](#498))
([d4bb140](d4bb140))
* **workflows:** trigger AW Dependabot PR reviewer after PR Validation
([#580](#580))
([7ab3d16](7ab3d16))


### 🐛 Bug Fixes

* **ci:** correct stale version comment for
actions/create-github-app-token
([#506](#506))
([b2e9a54](b2e9a54))
* **ci:** restore data-pipeline and training broken tests by domain
folder restructure
([#547](#547))
([06d8472](06d8472))
* **docs:** update remaining stale 'Coming soon' labels in
docs/README.md
([#507](#507))
([02439d6](02439d6))
* **docs:** update stale coming soon label for Training section
([#472](#472))
([46db49b](46db49b))
* **evaluation:** scope SIL AzureML validation code path and script
reference
([#387](#387))
([9f138a9](9f138a9))
* **infrastructure:** OSMO workflow execution, PostgreSQL public access,
and quickstart corrections
([#477](#477))
([9ed2da6](9ed2da6))
* **scripts:** exclude CHANGELOG.md from changed-files msdate check
([#644](#644))
([8133bdc](8133bdc))
* **workflows:** allow dependabot[bot] to activate AW Dependabot PR
Review
([#586](#586))
([39dc022](39dc022))
* **workflows:** correct branches filter on AW Dependabot PR Review
workflow_run trigger
([#584](#584))
([fe06b52](fe06b52))
* **workflows:** normalize validate.yaml placeholder env/compute values
([#510](#510))
([340ff44](340ff44))
* **workflows:** recompile aw-dependabot-pr-review lock file
([#576](#576))
([d77c167](d77c167))
* **workflows:** switch AW Dependabot PR Review to pull_request_target
([#589](#589))
([3f1edd1](3f1edd1))


### 📚 Documentation

* **docs:** Fix deployment guide links
([#614](#614))
([0070b04](0070b04))
* document dependency-pinning-artifacts directory purpose
([#508](#508))
([50e0010](50e0010))


### 📦 Build System

* **training:** standardize on Python 3.12 across manifests, containers,
and runtime scripts
([#541](#541))
([7ad014a](7ad014a))


### 🔧 Operations

* **build:** add Copilot cloud agent setup-steps workflow
([#593](#593))
([c912668](c912668))


### 🔧 Miscellaneous

* **build:** exclude auto-generated CHANGELOG.md from cspell and seed
dictionary
([#582](#582))
([de1dd57](de1dd57))
* **build:** redesign codecov flags and split pytest CI per component
([#520](#520))
([357e745](357e745))
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))
([50f8ad4](50f8ad4))
* **dataviewer:** repoint stale src/dataviewer references to
data-management/viewer
([#504](#504))
([88fa1b4](88fa1b4)),
closes
[#503](#503)
* **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1
([#618](#618))
([ca10f2a](ca10f2a))
* **deps-dev:** bump globals from 15.15.0 to 17.5.0 in
/data-management/viewer/frontend
([#527](#527))
([0e0b2ae](0e0b2ae))
* **deps-dev:** bump ip-address from 10.1.0 to 10.2.0
([#616](#616))
([816c9cf](816c9cf))
* **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the
root-npm-dependencies group across 1 directory
([#626](#626))
([0e2f293](0e2f293))
* **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the
python-dependencies group across 1 directory
([#629](#629))
([c24f1c1](c24f1c1))
* **deps-dev:** bump the python-dependencies group across 1 directory
with 2 updates
([#514](#514))
([8410f4b](8410f4b))
* **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the
inference-dependencies group across 1 directory
([#597](#597))
([6141db4](6141db4))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer
([#424](#424))
([5fb6d58](5fb6d58))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer/backend
([#423](#423))
([b516ad5](b516ad5))
* **deps:** bump lucide-react from 0.469.0 to 1.8.0 in
/data-management/viewer/frontend
([#528](#528))
([1bdfc1e](1bdfc1e))
* **deps:** bump nginx from `8aa63af` to `5616878` in
/data-management/viewer/frontend
([#511](#511))
([9e7e20e](9e7e20e))
* **deps:** bump nginx from 1.27-alpine to 1.29-alpine in
/data-management/viewer/frontend
([#484](#484))
([0e5c3dd](0e5c3dd))
* **deps:** bump node from `435f353` to `e49fd70` in
/data-management/viewer/frontend
([#560](#560))
([2884649](2884649))
* **deps:** bump react-is from 18.3.1 to 19.2.5 in
/data-management/viewer/frontend
([#530](#530))
([d51318c](d51318c))
* **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the
inference-dependencies group across 1 directory
([#456](#456))
([b24e733](b24e733))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 2 updates
([#531](#531))
([171a1da](171a1da))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#516](#516))
([4f9a577](4f9a577))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#602](#602))
([6c27ab5](6c27ab5))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 2 updates
([#529](#529))
([8646971](8646971))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#601](#601))
([d28fb50](d28fb50))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#632](#632))
([4ca5f3e](4ca5f3e))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#515](#515))
([109ee81](109ee81))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 6 updates
([#630](#630))
([04d5dfd](04d5dfd))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 9 updates
([#563](#563))
([c08f450](c08f450))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 4 updates
([#627](#627))
([f5825fc](f5825fc))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 6 updates
([#599](#599))
([b859344](b859344))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#459](#459))
([2609c52](2609c52))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#517](#517))
([f54bf5d](f54bf5d))
* **deps:** bump the inference-dependencies group across 1 directory
with 11 updates
([#562](#562))
([087f53a](087f53a))
* **deps:** bump the inference-dependencies group across 1 directory
with 2 updates
([#628](#628))
([4a3be47](4a3be47))
* **deps:** bump the pip group across 2 directories with 1 update
([#494](#494))
([a14b6b0](a14b6b0))
* **docs:** update stale Python 3.11 references to 3.12
([#575](#575))
([6f85c95](6f85c95))
* **scripts:** remove redundant SC1091 disables in OSMO deploy scripts
([#509](#509))
([ae1cb82](ae1cb82))


### 🔒 Security

* **build:** pin dependencies and hash-verify downloads
([#465](#465))
([0289f49](0289f49))
* **build:** remediate dependency security advisories
([#479](#479))
([7196d6d](7196d6d))
* **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2
([#454](#454))
([cb158f1](cb158f1))
* **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0
([#495](#495))
([e983b8b](e983b8b))
* **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the
python-dependencies group
([#598](#598))
([83384d2](83384d2))
* **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the
root-npm-dependencies group
([#559](#559))
([32bde35](32bde35))
* **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus
([#455](#455))
([66f86ca](66f86ca))
* **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in
/data-management/viewer/frontend
([#569](#569))
([a652dba](a652dba))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#457](#457))
([749d231](749d231))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#485](#485))
([71b44fd](71b44fd))
* **deps-dev:** bump the python-dependencies group with 3 updates
([#564](#564))
([9fc52fd](9fc52fd))
* **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus
in the docusaurus-dependencies group
([#513](#513))
([5694dbc](5694dbc))
* **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to
20260409.v4 in /evaluation/sil/docker
([#480](#480))
([25d4df8](25d4df8))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in
the uv group across 1 directory
([#538](#538))
([92c5b2e](92c5b2e))
* **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot
([#638](#638))
([6261d19](6261d19))
* **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in
/docs/docusaurus
([#469](#469))
([0458908](0458908))
* **deps:** bump gitpython and mako for lerobot IL training
([#623](#623))
([9f8022b](9f8022b))
* **deps:** bump node from 24.14.1-slim to 25.9.0-slim in
/data-management/viewer/frontend
([#482](#482))
([1532d09](1532d09))
* **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the
inference-dependencies group
([#483](#483))
([f4afb6c](f4afb6c))
* **deps:** bump pillow from 12.1.1 to 12.2.0
([#467](#467))
([39fb663](39fb663))
* **deps:** bump python from 3.11-slim to 3.14-slim in
/data-management/viewer/backend
([#481](#481))
([7af9dfc](7af9dfc))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 15 updates
([#428](#428))
([e4446a2](e4446a2))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 4 updates
([#487](#487))
([0f57c5b](0f57c5b))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 8 updates
([#566](#566))
([d6e7869](d6e7869))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#464](#464))
([24c208d](24c208d))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 2 updates
([#486](#486))
([90149f3](90149f3))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 6 updates
([#565](#565))
([f0bb36b](f0bb36b))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 10 updates
([#613](#613))
([e481f83](e481f83))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#534](#534))
([5478ab6](5478ab6))
* **deps:** bump the github-actions group with 2 updates
([#488](#488))
([4e6ce98](4e6ce98))
* **deps:** bump the github-actions group with 3 updates
([#567](#567))
([48c38dc](48c38dc))
* **deps:** bump the github-actions group with 3 updates
([#634](#634))
([00cfb49](00cfb49))
* **deps:** bump the github-actions group with 6 updates
([#603](#603))
([73eb79a](73eb79a))
* **deps:** bump the training-dependencies group across 1 directory with
23 updates
([#463](#463))
([d5a8656](d5a8656))
* **deps:** bump yaml from 2.8.2 to 2.8.3 in
/data-management/viewer/frontend
([#453](#453))
([10449df](10449df))
* pytest harness, dependabot advisories, and OSSF Scorecard remediations
([#501](#501))
([e8756e8](e8756e8))
* **scripts:** pin and hash-verify all shell script downloads
([#468](#468))
([0c2bb9c](0c2bb9c))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Labels

dataviewer dependencies Dependency version updates python Pull requests that update python code
