security(deps): bump the training-dependencies group across 1 directory with 69 updates

[dependabot]

Bumps the training-dependencies group with 69 updates in the /training/rl directory:

Package	From	To
numpy	1.26.4	2.4.4
marshmallow	3.26.2	4.3.0
packaging	26.1	26.2
cryptography	46.0.7	47.0.0
rsl-rl-lib	5.0.1	5.2.0
tensordict	0.12.1	0.12.2
azure-storage-file-datalake	12.22.0	12.23.0
cachetools	6.2.6	7.0.6
certifi	2026.2.25	2026.4.22
click	8.3.2	8.3.3
cuda-toolkit	13.0.2	13.2.1
databricks-sdk	0.102.0	0.105.0
farama-notifications	0.0.4	0.0.6
fastapi	0.135.3	0.136.1
filelock	3.28.0	3.29.0
gitpython	3.1.46	3.1.47
greenlet	3.4.0	3.5.0
gunicorn	23.0.0	25.3.0
gymnasium	1.2.3	1.3.0
huey	2.6.0	3.0.0
idna	3.11	3.13
importlib-metadata	8.7.1	9.0.0
matplotlib	3.10.8	3.10.9
mpmath	1.3.0	1.4.1
nvidia-cublas	13.1.0.3	13.4.0.1
nvidia-cuda-cupti	13.0.85	13.2.75
nvidia-cuda-nvrtc	13.0.88	13.2.78
nvidia-cuda-runtime	13.0.96	13.2.75
nvidia-cudnn-cu13	9.19.0.56	9.21.1.3
nvidia-cufft	12.0.0.61	12.2.0.46
nvidia-cufile	1.15.1.6	1.17.1.22
nvidia-curand	10.4.0.35	10.4.2.55
nvidia-cusolver	12.0.4.66	12.2.0.1
nvidia-cusparse	12.6.3.3	12.7.10.1
nvidia-cusparselt-cu13	0.8.0	0.9.0
nvidia-nccl-cu13	2.28.9	2.30.4
nvidia-nvjitlink	13.0.88	13.2.78
nvidia-nvshmem-cu13	3.4.5	3.6.5
nvidia-nvtx	13.0.85	13.2.75
onnx-ir	0.2.0	0.2.1
onnxscript	0.6.2	0.7.0
opentelemetry-api	1.40.0	1.41.1
opentelemetry-instrumentation	0.61b0	0.62b1
opentelemetry-instrumentation-asgi	0.61b0	0.62b1
opentelemetry-instrumentation-dbapi	0.61b0	0.62b1
opentelemetry-instrumentation-django	0.61b0	0.62b1
opentelemetry-instrumentation-fastapi	0.61b0	0.62b1
opentelemetry-instrumentation-flask	0.61b0	0.62b1
opentelemetry-instrumentation-logging	0.61b0	0.62b1
opentelemetry-instrumentation-psycopg2	0.61b0	0.62b1
opentelemetry-instrumentation-requests	0.61b0	0.62b1
opentelemetry-instrumentation-urllib	0.61b0	0.62b1
opentelemetry-instrumentation-urllib3	0.61b0	0.62b1
opentelemetry-instrumentation-wsgi	0.61b0	0.62b1
opentelemetry-proto	1.41.0	1.41.1
opentelemetry-sdk	1.40.0	1.41.1
opentelemetry-semantic-conventions	0.61b0	0.62b1
opentelemetry-util-http	0.61b0	0.62b1
pandas	2.3.3	3.0.2
protobuf	6.33.6	7.34.1
pyarrow	22.0.0	24.0.0
pydantic	2.13.1	2.13.3
pydantic-core	2.46.1	2.46.3
pytz	2025.2	2026.1.post1
setuptools	81.0.0	82.0.1
skops	0.13.0	0.14.0
tzdata	2026.1	2026.2
uvicorn	0.44.0	0.46.0
wrapt	1.17.3	2.1.2

Updates numpy from 1.26.4 to 2.4.4

Release notes

Sourced from numpy's releases.

2.4.4 (Mar 29, 2026)

NumPy 2.4.4 Release Notes

The NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3 release. It should finally close issue #30816, the OpenBLAS threading problem on ARM.

This release supports Python versions 3.11-3.14

Contributors

A total of 8 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Charles Harris
• Daniel Haag +
• Denis Prokopenko +
• Harshith J +
• Koki Watanabe
• Marten van Kerkwijk
• Matti Picus
• Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

• #30978: MAINT: Prepare 2.4.x for further development
• #31049: BUG: Add test to reproduce problem described in #30816 (#30818)
• #31052: BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP (#31035)
• #31053: BUG: avoid warning on ufunc with where=True and no output
• #31058: DOC: document caveats of ndarray.resize on 3.14 and newer
• #31079: TST: fix POWER VSX feature mapping (#30801)
• #31084: MAINT: numpy.i: Replace deprecated sprintf with snprintf...

2.4.3 (Mar 9, 2026)

NumPy 2.4.3 Release Notes

The NumPy 2.4.3 is a patch release that fixes bugs discovered after the 2.4.2 release. The most user visible fix may be a threading fix for OpenBLAS on ARM, closing issue #30816.

This release supports Python versions 3.11-3.14

Contributors

A total of 11 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Antareep Sarkar +

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits

• be93fe2 Merge pull request #31090 from charris/prepare-2.4.4
• f5245dc REL: Prepare for the NumPy 2.4.4 release
• 02e838b Merge pull request #31084 from charris/backport-31056
• fa74b2d MAINT: numpy.i: Replace deprecated sprintf with snprintf (#31056)
• 533a6db Merge pull request #31079 from charris/backport-20801
• 9e496cb TST: fix POWER VSX feature mapping (#30801)
• 8052c4b Merge pull request #31058 from charris/backport-31021
• 7f13b5a MAINT: Skip test on PyPy.
• 4c5fdd6 MAINT: Remove unused import of tracemalloc.
• a3ca5ed Update numpy/_core/src/multiarray/shape.c
• Additional commits viewable in compare view

Updates marshmallow from 3.26.2 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

• Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).
• Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

• marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.
• Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

4.2.3 (2026-03-25)

Bug fixes:

• Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base classes to prevent using them within Schemas (:issue:2924). Thanks :user:MartingaleCoda for reporting.
• Allow required to be set on marshmallow.fields.Contant (:issue:2900). Thanks :user:nosnickid for the report and :user:worksbyfriday for the PR.
• Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber choices (:issue:2869). Thanks: user:T90REAL for the report and :user:rstar327 for the PR.
• Fix behavior when passing a dot-delimited attribute name to partial for a key with data_key set (:pr:2903). Thanks :user:bysiber for the PR.
• Fix Enum field by-name lookup to only return actual members (:pr:2902). Thanks :user:bysiber for the PR.
• marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool values (:pr:2904). Thanks :user:bysiber for the PR.
• Fix typing of error_messages argument to marshmallow.fields.Field (:pr:1636). Thanks :user:repole for reporting and :user:dhruvildarji for the PR.

Other changes:

• Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING (:issue:1695). Thanks :user:liberforce for the suggestion and :user:dhruvildarji for the PR.

4.2.2 (2026-02-04)

Bug fixes:

• Fix behavior of fields.Contant(None) (:issue:2868).

... (truncated)

Commits

• b596fdb Bump version and update changelog
• 256f0aa Add pre/post_load parameters to Field (#2799)
• c847ad4 Typing improvements to marshmallow.validate (#2940)
• eb86322 Remove redundant docs job (#2939)
• a44ad62 Avoid infinite recursion in nesting docs (#2938)
• 3360e34 Bump version and update changelog
• 7b9ce45 Fix changelog typos and update releasing docs
• f07eadc Fix validate.Email to accept IDNs (#2937)
• 4acb783 Fix Unreachable Warning (#2935)
• 3492fae Remove redundant python-version (#2932)
• Additional commits viewable in compare view

Updates packaging from 26.1 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1167)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

Updates cryptography from 46.0.7 to 47.0.0

Changelog

Sourced from cryptography's changelog.

47.0.0 - 2026-04-24

* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* **BACKWARDS INCOMPATIBLE:** When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length because
  such keys are impossible to process in a constant-time manner. We do not
  believe keys with this problem are in wide use, however we may revert this
  change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: ``key + key + key``,
  for two-key: ``key + key[:8]``).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
  and will be removed in the next release. We will switch to publishing an
  ``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
  and will be removed in the next release. Users should move to a 64-bit
  Python installation.
* ``public_bytes`` and ``private_bytes`` methods on keys now raise
  ``TypeError`` (instead of ``ValueError``) if an invalid encoding is provided
  for the given ``format``.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the ``modes`` module.
  They will be removed from the ``modes`` module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into  :doc:`/hazmat/decrepit/index` and deprecated it in the ``cipher`` module.
  It will be removed from the ``cipher`` module in 49.0.0.
</tr></table> 

... (truncated)

Commits

• 59c5f5e bump for 47.0.0 release (#14730)
• 9025578 Add MLKEM1024-P384 hybrid KEM support in HPKE (#14722)
• ef66de4 Recommend Argon2id over PBKDF2HMAC as KDF (#14724)
• d996a37 Add ubuntu-resolute to CI workflow (#14729)
• e86da41 chore(deps): bump libc from 0.2.185 to 0.2.186 (#14725)
• 1c33c9a Bump downstream dependencies in CI (#14728)
• 67fb6be Bump x509-limbo and/or wycheproof in CI (#14727)
• 6cb20b3 Bump BoringSSL, OpenSSL, AWS-LC in CI (#14726)
• d6f372d Update supported OpenSSL versions in installation docs (#14721)
• ebd2619 openssl 3.3 is out of upstream support (#14720)
• Additional commits viewable in compare view

Updates rsl-rl-lib from 5.0.1 to 5.2.0

Release notes

Sourced from rsl-rl-lib's releases.

v5.2.0

Overview

This release adds the option to keep a fixed standard deviation for the Gaussian distribution, and adds standard deviation clamping to all distributions.

Full Changelog: leggedrobotics/rsl_rl@5.1.0...v5.2.0

Added

• Adds clip and constant std functionalities to Gaussian Distribution by @​epalmaEth in leggedrobotics/rsl_rl#201

New Contributors

• @​epalmaEth made their first contribution in leggedrobotics/rsl_rl#201

v5.1.0

Overview

This release introduces model compilation via torch.compile, which can speed up training especially for large networks like CNNs. For example, the Isaac-Dexsuite-Kuka-Allegro-Lift-v0 task in Isaac Lab trains 1.3x faster with the compilation mode default. For simple networks like MLPs no speed up is expected. The release also includes a clean up of PPO, moving a large part of the extension logic to their respective files rnd.py and symmetry.py.

Full Changelog: leggedrobotics/rsl_rl@v5.0.1...5.1.0

Added

• Adds Torch compile for PPO and Distillation by @​ClemensSchwarke and @​adenzler-nvidia in leggedrobotics/rsl_rl#199
• Cleans up PPO by moving extension logic to the extension files by @​ClemensSchwarke in leggedrobotics/rsl_rl#200

New Contributors

• @​adenzler-nvidia made their first contribution in leggedrobotics/rsl_rl#199

Commits

• 8068577 Add clip and constant std functionalities to Gaussian Distribution (#201)
• 64f8ee4 Bump version to 5.1.0
• 1e77222 Clean up PPO by moving extension logic to the extension files (#200)
• 0234a93 Add Torch compile for PPO and Distillation (#199)
• c7beb6f minor docs fixes
• See full diff in compare view

Updates tensordict from 0.12.1 to 0.12.2

Release notes

Sourced from tensordict's releases.

TensorDict v0.12.2

Patch release with a bug fix for consolidated nested tensors.

Bug Fixes

• Fix _ragged_idx loss during consolidation of nested tensors, which caused numerical incorrectness when the nested tensor had more than 2 dimensions and ragged_idx != 1 (#1675)

Installation

pip install tensordict==0.12.2

Full Changelog: pytorch/tensordict@v0.12.1...v0.12.2

Commits

• 8ee33fa [Release] Bump version to 0.12.2
• dcb6ddd [BugFix] fix ragged_idx of consolidated tensor (#1675)
• 85ea4e7 [CI] Temporarily use vmoens/test-infra fork for macOS builds
• See full diff in compare view

Updates azure-storage-file-datalake from 12.22.0 to 12.23.0

Commits

• b3301ac STG 100 GA Release Date for 2026-01-06
• beb8dfa [Storage][STG 100] Prepare branch for GA + cherry-pick block size change (#44...
• 6c9b459 Increment package version after release of azure-monitor-opentelemetry-export...
• b9dcce8 Bump cspell from 9.3.2 to 9.4.0 in /eng/common/spelling (#44264)
• 04be001 [py sdk - TA] add 2025-11-01 to Readme (#44259)
• 31e2155 adding more agent creation traces (#44263)
• 2f728ba Use azpysdk Bandit Check in CI (#44214)
• 771fa84 Fix unhelpful error when no stress packages are found (#43538)
• 8646fbe Sync eng/common directory with azure-sdk-tools for PR 13142 (#44244)
• 874cfcf [Storage] Update Swagger and Release Date (#44243)
• Additional commits viewable in compare view

Updates cachetools from 6.2.6 to 7.0.6

Changelog

Sourced from cachetools's changelog.

v7.0.6 (2026-04-20)

• Minor code improvements.

• Update project URLs.

• Update CI environment.

v7.0.5 (2026-03-09)

• Minor @cachedmethod performance improvements.

v7.0.4 (2026-03-08)

• Fix and properly document @cachedmethod.cache_key behavior.

• Minor documentation improvements.

v7.0.3 (2026-03-05)

• Fix DeprecationWarning when creating an autospec mock with @cachedmethod decorations.

v7.0.2 (2026-03-02)

• Provide more efficient clear() implementation for all support Cache classes (courtesy Josep Pon Farreny).

v7.0.1 (2026-02-10)

• Various test improvements.

• Update Copilot Instructions.

v7.0.0 (2026-02-01)

• Require Python 3.10 or later (breaking change).

... (truncated)

Commits

• 28d4506 Release v7.0.6.
• 51921a4 Remove _TimedCache default timer to simplify type stubs.
• a4249f6 Bump codecov/codecov-action from 5.5.2 to 6.0.0 (#392)
• aa87283 feat: update project URLs in pyproject.toml to show on pypi.org (#390)
• 5dce86f Release v7.0.5.
• af5e688 Minor @​cachedmethod performance improvements.
• 0ca75e6 Relase v7.0.4.
• 5b1fa39 Prepare v7.0.4.
• 18e5930 Fix #218: Fix and properly document @​cachedmethod.cache_key handling.
• 98ec79f Drop "class method" from @​cachedmethod docstring.
• Additional commits viewable in compare view

Updates certifi from 2026.2.25 to 2026.4.22

Commits

• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates click from 8.3.2 to 8.3.3

Release notes

Sourced from click's releases.

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3 Milestone: https://github.com/pallets/click/milestone/30

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. #1026 #1477 #2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. #3298 #3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. #3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. #3224 #3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. #654 #824 #843 #951 #3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. #3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. #3151 #3177
• Show custom show_default string in prompts, matching the existing help text behavior. #2836 #2837 #3165 #3262 #3280 #3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. #3111 #3239
• Mark make_default_short_help as private API. #3189 #3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. #2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. #2879 #3248

Changelog

Sourced from click's changelog.

Version 8.3.3

Released 2026-04-20

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. :issue:1026 :pr:1477 :pr:2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:3298 :pr:3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:3224 :pr:3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:654 :issue:824 :issue:843 :pr:951 :pr:3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. :pr:3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:3151 :pr:3177
• Show custom show_default string in prompts, matching the existing help text behavior. :issue:2836 :pr:2837 :pr:3165 :pr:3262 :pr:3280 :pr:3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:3111 :pr:3239
• Mark make_default_short_help as private API. :issue:3189 :pr:3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:2879 :pr:3248

Commits

• c06d2d0 Release 8.3.3
• f1f191e Apply format guidelines to commits since latest 8.3.2 release (#3343)
• bb59ba0 Apply format guidelines to commits since latest 8.3.2 release
• 4a35225 Reduce blast-radius of UNSET in default_map (#3240)
• c07bb93 Merge branch 'stable' into unset-in-default-map
• c7e1ba8 Reorder ParameterSource (#3248)
• 76552ff Show default string in prompt (#3328)
• ac5cec5 Reorder ParameterSource from most to least explicit
• 8c452e0 Merge branch 'stable' into show-default-string-in-prompt
• 8c95c73 Reconcile default value passing and default activation (#3239)
• Additional commits viewable in compare view

Updates cuda-toolkit from 13.0.2 to 13.2.1

Updates databricks-sdk from 0.102.0 to 0.105.0

Release notes

Sourced from databricks-sdk's releases.

v0.105.0

No release notes provided.

v0.104.0

Bug Fixes

• Add X-Databricks-Org-Id header to WorkspaceExt.upload() and WorkspaceExt.download() for SPOG host compatibility.
• WorkspaceClient.get_workspace_id() now returns Config.workspace_id directly when set, instead of calling /api/2.0/preview/scim/v2/Me. This removes an API round-trip on every call where the workspace ID is already known (profile, ?o= query param, env var, or host metadata) and fixes a failure on SPOG hosts where the unauthenticated probe request was rejected with Unable to load OAuth Config.
• Add X-Databricks-Org-Id header to SharesExt.list() for SPOG host compatibility.

Internal Changes

• Expanded AI agent detection: added Goose, Amp, Augment, Copilot (VS Code), Kiro, Windsurf. Honors the AGENT=<name> standard (resolves to a known product if the value matches one, otherwise unknown). Presence-only env var matchers now treat an empty string as "set" for parity with the Go and Java SDKs. Explicit agent env vars (e.g. CLAUDECODE, GOOSE_TERMINAL) always take precedence over the generic AGENT=<name> signal. When multiple agent env vars are present (e.g. a Cursor CLI subagent invoked from Claude Code), the user-agent reports agent/multiple.

v0.103.0

New Features and Improvements

• Add support for unified hosts. A single configuration profile can now be used for both account-level and workspace-level operations when the host supports it and both account_id and workspace_id are available. The experimental_is_unified_host flag has been removed; unified host detection is now automatic.
• Accept DATABRICKS_OIDC_TOKEN_FILEPATH environment variable for consistency with other Databricks SDKs (Go, CLI, Terraform). The previous DATABRICKS_OIDC_TOKEN_FILE is still supported as an alias.

Breaking Changes

• Drop support for Python 3.8 and 3.9. The minimum supported Python version is now 3.10, in line with the oldest supported Databricks Runtime LTS (DBR 13.3).

Internal Changes

• Replace the async-disabling mechanism on token refresh failure with a 1-minute retry backoff. Previously, a single failed async refresh would disable proactive token renewal until the token expired. Now, the SDK waits a short cooldown period and retries, improving resilience to transient errors.
• Extract _resolve_profile to simplify config file loading and improve __settings__ error messages.
• Resolve token_audience from the token_federation_default_oidc_audiences field in the host metadata discovery endpoint, removing the need for explicit audience configuration.

API Changes

• Add create_catalog(), create_synced_table(), delete_catalog(), delete_synced_table(), get_catalog() and get_synced_table() methods for w.postgres workspace-level service.
• Add effective_file_event_queue field for databricks.sdk.service.catalog.CreateExternalLocation.
• Add effective_file_event_queue field for databricks.sdk.service.catalog.ExternalLocationInfo.
• Add effective_file_event_queue field for databricks.sdk.service.catalog.UpdateExternalLocation.
• Add column_selection field for databricks.sdk.service.ml.Function.
• Add cascade field for databricks.sdk.service.pipelines.DeletePipelineRequest.
• Add default_branch field for databricks.sdk.service.postgres.ProjectSpec.
• Add default_branch field for databricks.sdk.service.postgres.ProjectStatus.
• Add ingress and ingress_dry_run fields for databricks.sdk.service.settings.AccountNetworkPolicy.
• Add delete_app_thumbnail() and update_app_thumbnail() methods for w.apps workspace-level service.
• Add create_message_comment(), list_conversation_comments() and list_message_comments() methods for w.genie workspace-level service.
• Add apply_environment() method for w.pipelines workspace-level service.
• Add name and permission fields for databricks.sdk.service.apps.AppResourceApp.
• Add managed_encryption_settings field for databricks.sdk.service.catalog.CatalogInfo.
• Add managed_encryption_settings field for databricks.sdk.service.catalog.CreateCatalog.
• Add managed_encryption_settings field for databricks.sdk.service.catalog.UpdateCatalog.
• Add comment field for databricks.sdk.service.dashboards.GenieFeedback.
• Add thoughts field for databricks.sdk.service.dashboards.GenieQueryAttachment.
• Add comment field for databricks.sdk.service.dashboards.GenieSendMessageFeedbackRequest.
• Add request_source field for databricks.sdk.service.ml.DataSource.
• Add is_online field for databricks.sdk.service.ml.MaterializedFeature.
• Add connector_options field for databricks.sdk.service.pipelines.SchemaSpec.

... (truncated)

Changelog

Sourced from databricks-sdk's changelog.

Release v0.105.0 (2026-04-23)

API Changes

• Add databricks.sdk.service.supervisoragents package.
• Add w.secrets_uc workspace-level service.
• Add

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 63 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 8df03b8.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

training/rl/pyproject.toml

Package	Version	License	Issue Type
cryptography	47.0.0	Null	Unknown License
marshmallow	4.3.0	Null	Unknown License
packaging	26.2	Null	Unknown License
rsl-rl-lib	5.2.0	Null	Unknown License
tensordict	0.12.2	Null	Unknown License

training/rl/requirements.txt

Package	Version	License	Issue Type
cachetools	7.0.6	Null	Unknown License
click	8.3.3	Null	Unknown License
cryptography	47.0.0	Null	Unknown License
cuda-toolkit	13.2.1	Null	Unknown License
databricks-sdk	0.105.0	Null	Unknown License
fastapi	0.136.1	Null	Unknown License
filelock	3.29.0	Null	Unknown License
greenlet	3.5.0	Null	Unknown License
gunicorn	25.3.0	Null	Unknown License
gymnasium	1.3.0	Null	Unknown License
huey	3.0.0	Null	Unknown License
idna	3.13	Null	Unknown License
marshmallow	4.3.0	Null	Unknown License
matplotlib	3.10.9	Null	Unknown License
mpmath	1.4.1	Null	Unknown License
nvidia-cublas	13.4.0.1	Null	Unknown License
nvidia-cuda-cupti	13.2.75	Null	Unknown License
nvidia-cuda-nvrtc	13.2.78	Null	Unknown License
nvidia-cuda-runtime	13.2.75	Null	Unknown License
nvidia-cudnn-cu13	9.21.1.3	Null	Unknown License
nvidia-cufft	12.2.0.46	Null	Unknown License
nvidia-cufile	1.17.1.22	Null	Unknown License
nvidia-curand	10.4.2.55	Null	Unknown License
nvidia-cusolver	12.2.0.1	Null	Unknown License
nvidia-cusparse	12.7.10.1	Null	Unknown License
nvidia-cusparselt-cu13	0.9.0	Null	Unknown License
nvidia-nccl-cu13	2.30.4	Null	Unknown License
nvidia-nvjitlink	13.2.78	Null	Unknown License
nvidia-nvshmem-cu13	3.6.5	Null	Unknown License
nvidia-nvtx	13.2.75	Null	Unknown License
onnx-ir	0.2.1	Null	Unknown License
onnxscript	0.7.0	Null	Unknown License
opentelemetry-api	1.41.1	Null	Unknown License
opentelemetry-instrumentation	0.62b1	Null	Unknown License
opentelemetry-instrumentation-asgi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-dbapi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-django	0.62b1	Null	Unknown License
opentelemetry-instrumentation-fastapi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-flask	0.62b1	Null	Unknown License
opentelemetry-instrumentation-logging	0.62b1	Null	Unknown License
opentelemetry-instrumentation-psycopg2	0.62b1	Null	Unknown License
opentelemetry-instrumentation-requests	0.62b1	Null	Unknown License
opentelemetry-instrumentation-urllib	0.62b1	Null	Unknown License
opentelemetry-instrumentation-urllib3	0.62b1	Null	Unknown License
opentelemetry-instrumentation-wsgi	0.62b1	Null	Unknown License
opentelemetry-proto	1.41.1	Null	Unknown License
opentelemetry-sdk	1.41.1	Null	Unknown License
opentelemetry-semantic-conventions	0.62b1	Null	Unknown License
opentelemetry-util-http	0.62b1	Null	Unknown License
packaging	26.2	Null	Unknown License
pyarrow	24.0.0	Null	Unknown License
pydantic	2.13.3	Null	Unknown License
rsl-rl-lib	5.2.0	Null	Unknown License
skops	0.14.0	Null	Unknown License
tensordict	0.12.2	Null	Unknown License
uvicorn	0.46.0	Null	Unknown License
certifi	2026.4.22	Null	Unknown License
tzdata	2026.2	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/cryptography	47.0.0	Unknown	Unknown
pip/marshmallow	4.3.0	Unknown	Unknown
pip/numpy	2.4.4	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/rsl-rl-lib	5.2.0	Unknown	Unknown
pip/tensordict	0.12.2	Unknown	Unknown
pip/azure-storage-file-datalake	12.23.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices 🟢 5 badge detected: Passing Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
pip/cachetools	7.0.6	Unknown	Unknown
pip/certifi	2026.4.22	🟢 6.6	Details Check Score Reason Maintained 🟢 10 10 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/click	8.3.3	Unknown	Unknown
pip/cryptography	47.0.0	Unknown	Unknown
pip/cuda-toolkit	13.2.1	Unknown	Unknown
pip/databricks-sdk	0.105.0	Unknown	Unknown
pip/farama-notifications	0.0.6	Unknown	Unknown
pip/fastapi	0.136.1	Unknown	Unknown
pip/filelock	3.29.0	Unknown	Unknown
pip/gitpython	3.1.47	🟢 7.7	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 4/6 approved changesets -- score normalized to 6 Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
pip/greenlet	3.5.0	Unknown	Unknown
pip/gunicorn	25.3.0	Unknown	Unknown
pip/gymnasium	1.3.0	Unknown	Unknown
pip/huey	3.0.0	Unknown	Unknown
pip/idna	3.13	Unknown	Unknown
pip/importlib-metadata	9.0.0	Unknown	Unknown
pip/marshmallow	4.3.0	Unknown	Unknown
pip/matplotlib	3.10.9	Unknown	Unknown
pip/mpmath	1.4.1	Unknown	Unknown
pip/numpy	2.4.4	Unknown	Unknown
pip/nvidia-cublas	13.4.0.1	Unknown	Unknown
pip/nvidia-cuda-cupti	13.2.75	Unknown	Unknown
pip/nvidia-cuda-nvrtc	13.2.78	Unknown	Unknown
pip/nvidia-cuda-runtime	13.2.75	Unknown	Unknown
pip/nvidia-cudnn-cu13	9.21.1.3	Unknown	Unknown
pip/nvidia-cufft	12.2.0.46	Unknown	Unknown
pip/nvidia-cufile	1.17.1.22	Unknown	Unknown
pip/nvidia-curand	10.4.2.55	Unknown	Unknown
pip/nvidia-cusolver	12.2.0.1	Unknown	Unknown
pip/nvidia-cusparse	12.7.10.1	Unknown	Unknown
pip/nvidia-cusparselt-cu13	0.9.0	Unknown	Unknown
pip/nvidia-nccl-cu13	2.30.4	Unknown	Unknown
pip/nvidia-nvjitlink	13.2.78	Unknown	Unknown
pip/nvidia-nvshmem-cu13	3.6.5	Unknown	Unknown
pip/nvidia-nvtx	13.2.75	Unknown	Unknown
pip/onnx-ir	0.2.1	Unknown	Unknown
pip/onnxscript	0.7.0	Unknown	Unknown
pip/opentelemetry-api	1.41.1	Unknown	Unknown
pip/opentelemetry-instrumentation	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-asgi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-dbapi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-django	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-fastapi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-flask	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-logging	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-psycopg2	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-requests	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-urllib	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-urllib3	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-wsgi	0.62b1	Unknown	Unknown
pip/opentelemetry-proto	1.41.1	Unknown	Unknown
pip/opentelemetry-sdk	1.41.1	Unknown	Unknown
pip/opentelemetry-semantic-conventions	0.62b1	Unknown	Unknown
pip/opentelemetry-util-http	0.62b1	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/pandas	3.0.2	Unknown	Unknown
pip/protobuf	7.34.1	Unknown	Unknown
pip/pyarrow	24.0.0	Unknown	Unknown
pip/pydantic	2.13.3	Unknown	Unknown
pip/pydantic-core	2.46.3	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pytz	2026.1.post1	Unknown	Unknown
pip/rsl-rl-lib	5.2.0	Unknown	Unknown
pip/setuptools	82.0.1	Unknown	Unknown
pip/skops	0.14.0	Unknown	Unknown
pip/tensordict	0.12.2	Unknown	Unknown
pip/tzdata	2026.2	🟢 5.4	Details Check Score Reason Code-Review 🟢 7 Found 16/22 approved changesets -- score normalized to 7 Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/uvicorn	0.46.0	Unknown	Unknown
pip/wrapt	2.1.2	Unknown	Unknown

Scanned Files

• training/rl/pyproject.toml
• training/rl/requirements.txt

[github-actions]

✅ AW Dependabot PR Review completed successfully!

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.56%. Comparing base (d77c167) to head (8df03b8).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #577      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%     
==========================================
  Files         250      262      +12     
  Lines       15409    16639    +1230     
  Branches     2163     2301     +138     
==========================================
+ Hits         9848    11076    +1228     
  Misses       5274     5274              
- Partials      287      289       +2     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from d77c167
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from d77c167
pytest-dataviewer	65.12% <ø> (ø)		Carriedforward from d77c167
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from d77c167
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.97% <ø> (ø)
pytest-inference	0.00% <ø> (ø)		Carriedforward from d77c167
pytest-training	82.14% <ø> (ø)
vitest	51.08% <ø> (ø)		Carriedforward from d77c167

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

⚠️ Maintainer review recommended

Advisory Review Summary

PR: security(deps): bump the training-dependencies group across 1 directory with 69 updates
Ecosystem: uv / pip — /training/rl
Manifests touched: training/rl/pyproject.toml (direct deps), training/rl/requirements.txt (lockfile)

Surfaces affected:

• training-rl-abi — numpy major bump violates Isaac Sim hard pin (HIGH RISK)
• python-runtime (training) — pandas, pyarrow, marshmallow, protobuf major bumps (MEDIUM RISK)

Package	From	To	Severity	Surface
numpy	1.26.4	2.4.4	🔴 High	training-rl-abi
marshmallow	3.26.2	4.3.0	🟡 Medium	python-runtime
cryptography	46.0.7	47.0.0	🟡 Medium	python-runtime
pandas	2.3.3	3.0.2	🟡 Medium	python-runtime
pyarrow	22.0.0	24.0.0	🟡 Medium	python-runtime
protobuf	6.33.6	7.34.1	🟡 Medium	python-runtime
wrapt	1.17.3	2.1.2	🟠 Medium-High	python-runtime
gunicorn	23.0.0	25.3.0	🟡 Medium	python-runtime
huey	2.6.0	3.0.0	🟡 Medium	python-runtime
importlib-metadata	8.7.1	9.0.0	🟡 Medium	python-runtime
cachetools	6.2.6	7.0.6	🟢 Low	python-runtime
gymnasium	1.2.3	1.3.0	🟢 Low	python-runtime
rsl-rl-lib	5.0.1	5.2.0	🟢 Low	python-runtime
tensordict	0.12.1	0.12.2	🟢 Low	python-runtime
certifi	2026.2.25	2026.4.22	🟢 Low	python-runtime
52 other packages	—	—	🟢 Low	python-runtime

---

numpy

Surface: training-rl-abi — HIGH RISK trigger fired

numpy==2.4.4 is a major version bump (1.26.4 → 2.4.4) that directly violates the hard runtime pin in training/rl/scripts/train.sh:

uv pip install --upgrade "numpy>=1.26.0,<2.0.0"

This pin exists for Isaac Sim 4.x ABI compatibility. Isaac Sim bundles native C extensions compiled against numpy 1.x ABI (NPY_1_7_API_VERSION). Loading numpy 2.x in the same process causes symbol resolution failures or silent numerical corruption.

The conflict manifests at runtime because train.sh:

1. First installs numpy<2.0.0 (1.x)
2. Then runs uv pip install --no-deps -r requirements.txt which installs numpy==2.4.4 (2.x), overriding step 1

No GHSA/CVE advisory IDs were present in the PR body for this package — this is a routine upstream release bump, not a security fix.

Required action: Verify Isaac Sim 4.x (Isaac Lab 2.3.2 container at nvcr.io/nvidia/isaac-lab:2.3.2) is compatible with numpy 2.x before merging. If not, exclude numpy from this grouped update and update the train.sh pin separately after validation on GPU nodes.

Validation Results

⚠️ Validation skipped: Python/uv toolchain unavailable in the review runner environment. Manual validation recommended.

Required validation: GPU smoke-test RL training with nvcr.io/nvidia/isaac-lab:2.3.2 container after updating train.sh pin.

---

marshmallow

Surface: python-runtime — direct dependency

marshmallow==4.3.0 is a major bump from 3.26.2. The marshmallow 4.0 release introduced breaking changes to schema field validators, Meta options, and dump/load return types. This dependency is used by azure-ai-ml for ML job schema serialization.

No GHSA/CVE advisories identified for this bump. Source: [marshmallow changelog]((marshmallow.readthedocs.io/redacted)

---

cryptography

Surface: python-runtime

cryptography==47.0.0 is a major bump from 46.0.7. The cryptography library is part of the security(deps): group signal. This package frequently carries CVE remediations in major releases; however no explicit GHSA or CVE IDs were referenced in the PR body. The 47.x series drops legacy cipher support. Validate Azure SDK TLS and JWT signing behavior.

Source: [cryptography changelog]((cryptography.io/redacted)

---

pandas

Surface: python-runtime — transitive via mlflow

pandas==3.0.2 is a major bump from 2.3.3. pandas 3.0 enforces copy-on-write semantics by default and removes several deprecated APIs. This is a lockfile-only (transitive) bump via mlflow. No explicit advisory IDs referenced.

---

pyarrow

Surface: python-runtime — transitive via mlflow

pyarrow==24.0.0 is a 2-major-version bump from 22.0.0. pyarrow has ABI sensitivity with numpy and pandas. With numpy 2.x also landing in this PR, the combined numpy+pyarrow upgrade requires validation. Source: [Apache Arrow releases]((arrow.apache.org/redacted)

---

wrapt

Surface: python-runtime — transitive via opentelemetry-instrumentation

wrapt==2.1.2 is a major bump from 1.17.3. wrapt 2.x changes decorator wrapping behavior and drops Python 2 compatibility shims. OpenTelemetry instrumentation wraps FastAPI/Flask handlers — verify instrumented endpoints still function correctly.

---

Other notable major bumps (overflow from inline comment limit)

Package	From	To	Notes
protobuf	6.33.6	7.34.1	Major bump; affects MLflow gRPC serialization
gunicorn	23.0.0	25.3.0	2 major jumps; worker config API changes
huey	2.6.0	3.0.0	Task queue; breaking API in 3.0
importlib-metadata	8.7.1	9.0.0	Build tooling; affects package discovery
cachetools	6.2.6	7.0.6	TTLCache/LRUCache eviction API changes
onnxscript	0.6.2	0.7.0	Used by rsl-rl-lib; ONNX export path

---

Validation Results

⚠️ Validation skipped: python3 / uv toolchain unavailable in the review runner environment. Manual validation recommended per the per-surface rubric.

Recommended manual steps before merging:

1. Update training/rl/scripts/train.sh numpy pin or verify Isaac Sim 2.3.2 container numpy 2.x compatibility
2. Run cd training && uv sync && uv run ruff check . && uv run pytest --tb=short -q
3. Smoke-test RL training on a GPU node with the Isaac Lab container

---

Advisory verdict: COMMENT — The numpy 1.x → 2.x bump directly violates the enforced train.sh pin (>=1.26.0,<2.0.0) required for Isaac Sim 4.x ABI compatibility; this grouped update should not merge until that conflict is resolved and validated on a GPU node.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• #577 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #577 · ● 1.9M

[github-actions]

marshmallow 3 → 4 (breaking API changes)

marshmallow==4.3.0 is a major version bump from 3.26.2. The marshmallow 4.0 release contains breaking schema serialization changes (field validators, Meta class options, and dump/load method signatures changed). This is used transitively by azure-ai-ml and directly by this package.

Review the [marshmallow 4.0 migration guide]((marshmallow.readthedocs.io/redacted) and confirm no ML job submission or model logging code depends on removed 3.x API surface.

[github-actions]

⚠️ ABI breakage — Isaac Sim incompatibility

numpy==2.4.4 is a major version bump (1.x → 2.x) that directly violates the hard pin in training/rl/scripts/train.sh:

uv pip install --upgrade "numpy>=1.26.0,<2.0.0"

train.sh enforces <2.0.0 at runtime to satisfy Isaac Sim's ABI requirements. At execution time, train.sh first installs a 1.x numpy, then uv pip install --no-deps -r requirements.txt re-installs numpy==2.4.4, leaving 2.x on the path. This will cause CUDA_ERROR_NO_DEVICE or silent numerical failures in Isaac Lab environments.

Resolution: Update the train.sh pin constraint first and validate against Isaac Sim 4.x before merging. If numpy 2.x is not yet supported by Isaac Sim, revert this single line to "numpy==1.26.4" and exclude numpy from this grouped bump.

[github-actions]

cryptography 46 → 47 (security update)

cryptography==47.0.0 is a major bump from 46.0.7. This package is part of the security(deps): group signal; the cryptography library frequently ships major versions with CVE remediations. The 47.x release drops support for some legacy cipher suites. Validate that no Azure SDK or JWT signing code depends on deprecated ciphers from 46.x.

Source: [cryptography changelog]((cryptography.io/redacted)

[github-actions]

pandas 2 → 3 (breaking changes, transitive via mlflow)

pandas==3.0.2 is a major version bump from 2.3.3. pandas 3.0 removes .swapaxes(), changes copy-on-write semantics by default, and drops Python 3.9 support. This is a transitive dependency via mlflow. Confirm MLflow 3.11.1 is tested against pandas 3.x — check the [MLflow compatibility matrix]((mlflow.org/redacted) if MLflow metric logging or artifact loading breaks in CI.

[github-actions]

Lockfile echo of the ABI-breaking numpy bump

This locked entry (numpy==2.4.4) is regenerated from pyproject.toml. Fixing line 7 of pyproject.toml back to numpy==1.26.4 and re-running uv pip compile pyproject.toml -o requirements.txt will reset this entry to 1.26.4 and restore compatibility with the train.sh runtime pin.

[katriendg]

@dependabot rebase

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.