Skip to content

security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates #566

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bindsi merged 2 commits into from
Apr 27, 2026
Merged

security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates #566

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b5a832a
chore(deps): bump the dataviewer-backend-dependencies group
dependabot[bot] Apr 27, 2026
788de5a
Merge branch 'main' into dependabot/uv/data-management/viewer/backend…
bindsi Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions data-management/viewer/backend/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,27 @@ version = "0.1.0"
description = "API for LeRobot episode annotation system"
requires-python = ">=3.12"
dependencies = [
"fastapi==0.136.0",
"uvicorn[standard]==0.44.0",
"fastapi==0.136.1",
Comment thread
bindsi marked this conversation as resolved.
"uvicorn[standard]==0.46.0",
Comment thread
bindsi marked this conversation as resolved.
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two minor versions skipped (0.44.0 → 0.46.0)

uvicorn[standard] skips 0.45.0. Notable changes across both versions include:

  • 0.45.0: Reversed http.disconnect emit on shutdown (#2913 revert); added --reset-contextvars flag; proxy-header client-port preservation fix.
  • 0.46.0: WebSocket buffer switched to bytearray; ws_max_size / ws_ping_interval / ws_ping_timeout now supported in wsproto.

The context-vars revert in 0.45.0 could affect request-isolation behaviour in streaming endpoints. Verify streaming / WebSocket handlers after upgrade.

Source: uvicorn release notes

"pydantic==2.13.3",
"python-multipart==0.0.26",
"python-dotenv==1.2.2",
"slowapi==0.1.9",
"aiofiles==25.1.0",
"numpy==2.4.4",
"pyarrow==23.0.1",
"pyarrow==24.0.0",
Comment thread
bindsi marked this conversation as resolved.
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Major version bump — high-risk surface trigger

pyarrow is bumped from 23.0.1 to 24.0.0 (major version). pyarrow is explicitly listed as an ABI-sensitive dependency on the python-runtime surface for this repository.

Apache Arrow major releases commonly include breaking C++ ABI and Python API changes. Review the [Apache Arrow 24 migration guide]((arrow.apache.org/redacted) and verify that:

  • Any code using pyarrow APIs still functions correctly (schema inference, IPC, Parquet read/write).
  • No import-time or serialization errors occur after upgrade.

Validation: Run ruff check and the targeted pytest suite in data-management/viewer/backend/ before merging.

"Pillow==12.2.0",
]

[project.optional-dependencies]
dev = [
"ruff==0.15.11",
"ruff==0.15.12",
"pytest==9.0.3",
"pytest-asyncio==1.3.0",
"pytest-cov==7.1.0",
"httpx==0.28.1",
"hypothesis==6.152.1",
"schemathesis==4.15.2",
"hypothesis==6.152.3",
"schemathesis==4.16.1",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

schemathesis bumped 4.15.2 → 4.16.1. The lockfile also bumps the transitive dependency jsonschema-rs from 0.45.0 → 0.46.2 — this is a lockfile-only transitive change (no direct manifest pin). No breaking changes are expected for this dev/test dependency, but validate with pytest in tests/.

]
azure = [
"aiohttp==3.13.5",
Expand All @@ -37,7 +37,7 @@ analysis = [
"pandas==3.0.2",
]
huggingface = [
"huggingface-hub==1.11.0",
"huggingface-hub==1.12.0",
Comment thread
bindsi marked this conversation as resolved.
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

huggingface-hub bumped 1.11.0 → 1.12.0 (minor). No security advisories identified in the PR body. Monitor the HuggingFace Hub changelog for any changes to model-download or cache-layout APIs used by the backend.

]
auth = [
"pyjwt[crypto]==2.12.1",
Expand All @@ -49,7 +49,7 @@ export = [
"h5py==3.16.0",
]
yolo = [
"ultralytics==8.4.40",
"ultralytics==8.4.41",
Comment thread
bindsi marked this conversation as resolved.
]

[build-system]
Expand Down
Loading
Loading