Skip to content

security(deps): bump the training-dependencies group across 1 directory with 69 updates #577

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
Closed

security(deps): bump the training-dependencies group across 1 directory with 69 updates #577

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions training/rl/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,22 @@ version = "0.1.0"
description = "RL training workflow runtime dependencies"
requires-python = ">=3.12"
dependencies = [
"numpy==1.26.4",
"numpy==2.4.4",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ ABI breakage — Isaac Sim incompatibility

numpy==2.4.4 is a major version bump (1.x → 2.x) that directly violates the hard pin in training/rl/scripts/train.sh:

uv pip install --upgrade "numpy>=1.26.0,<2.0.0"

train.sh enforces <2.0.0 at runtime to satisfy Isaac Sim's ABI requirements. At execution time, train.sh first installs a 1.x numpy, then uv pip install --no-deps -r requirements.txt re-installs numpy==2.4.4, leaving 2.x on the path. This will cause CUDA_ERROR_NO_DEVICE or silent numerical failures in Isaac Lab environments.

Resolution: Update the train.sh pin constraint first and validate against Isaac Sim 4.x before merging. If numpy 2.x is not yet supported by Isaac Sim, revert this single line to "numpy==1.26.4" and exclude numpy from this grouped bump.

"azure-core==1.39.0",
"azure-storage-blob==12.28.0",
"azure-identity==1.25.3",
"azure-ai-ml==1.32.0",
"marshmallow==3.26.2",
"marshmallow==4.3.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

marshmallow 3 → 4 (breaking API changes)

marshmallow==4.3.0 is a major version bump from 3.26.2. The marshmallow 4.0 release contains breaking schema serialization changes (field validators, Meta class options, and dump/load method signatures changed). This is used transitively by azure-ai-ml and directly by this package.

Review the [marshmallow 4.0 migration guide]((marshmallow.readthedocs.io/redacted) and confirm no ML job submission or model logging code depends on removed 3.x API surface.

"mlflow==3.11.1",
"packaging==26.1",
"packaging==26.2",
"psutil==7.2.2",
"pynvml==13.0.1",
"pyperclip==1.11.0",
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cryptography 46 → 47 (security update)

cryptography==47.0.0 is a major bump from 46.0.7. This package is part of the security(deps): group signal; the cryptography library frequently ships major versions with CVE remediations. The 47.x release drops support for some legacy cipher suites. Validate that no Azure SDK or JWT signing code depends on deprecated ciphers from 46.x.

Source: [cryptography changelog]((cryptography.io/redacted)

"cryptography==46.0.7",
"cryptography==47.0.0",
"pyjwt==2.12.1",
"rsl-rl-lib==5.0.1",
"rsl-rl-lib==5.2.0",
"skrl==2.0.0",
"tensordict==0.12.1",
"tensordict==0.12.2",
]

[build-system]
Expand Down
Loading
Loading