Skip to content

chore(deps): bump the dataviewer-dependencies group across 1 directory with 3 updates#601

Merged
katriendg merged 1 commit into
mainfrom
dependabot/uv/data-management/viewer/dataviewer-dependencies-6abeeb5e8f
May 4, 2026
Merged

chore(deps): bump the dataviewer-dependencies group across 1 directory with 3 updates#601
katriendg merged 1 commit into
mainfrom
dependabot/uv/data-management/viewer/dataviewer-dependencies-6abeeb5e8f

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 1, 2026
edited
Loading

Bumps the dataviewer-dependencies group with 3 updates in the /data-management/viewer directory: python-multipart, huggingface-hub and ultralytics.

Updates python-multipart from 0.0.26 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.
Commits

Updates huggingface-hub from 1.12.0 to 1.13.0

Release notes

Sourced from huggingface-hub's releases.

[v1.13.0] new CLI commands and formatting, and HF URI parsing

🖥️ New CLI commands: repo cards, file listings, and dataset leaderboards

This release adds three new CLI capabilities for exploring Hub content. hf models card, hf datasets card, and hf spaces card fetch the README of any repo and print it to stdout, with --metadata (YAML frontmatter as JSON) and --text (prose only) flags for splitting the card into its structured and unstructured parts. Calling hf models ls <repo_id>, hf datasets ls <repo_id>, or hf spaces ls <repo_id> now switches from listing repos to listing files inside that repo, with --tree, -R, -h, and --revision options mirroring the existing hf buckets ls behavior. And hf datasets leaderboard <dataset_id> surfaces model scores submitted to a benchmark dataset, making it easy to compare models by score from the terminal.

# Get model card metadata as JSON
hf models card google/gemma-4-31B-it --metadata --format json
List files in a model repo (tree view with sizes)
hf models ls meta-llama/Llama-3.2-1B-Instruct --tree -h
Show top 5 models on SWE-bench
hf datasets leaderboard SWE-bench/SWE-bench_Verified --limit 5

📚 Documentation: CLI guide

🚀 Manage Spaces from the CLI

Three new hf spaces subcommands bring full lifecycle control to the terminal. hf spaces pause and hf spaces restart stop or rebuild a Space (with --factory-reboot for a clean rebuild), and hf spaces settings lets you configure sleep time and hardware in one call. A companion hf spaces hardware command lists all available hardware flavors with pricing, so you can discover options before changing settings. Pause and restart include a confirmation prompt (-y to skip) since they tear down the running container.

# Pause a Space when not in use (not billed while paused)
hf spaces pause username/my-space
Restart with a GPU
hf spaces settings username/my-space --hardware t4-medium --sleep-time 3600
List available hardware options
hf spaces hardware

📚 Documentation: CLI guide — Spaces

🔃 hf update replaces the auto-update prompt

The blocking interactive Y/n auto-update prompt at CLI startup is gone. It was catching too many non-interactive contexts (CI runners, Homebrew post-install hooks, Jupyter notebooks) and hanging automation. In its place, a single yellow stderr warning suggests running hf update — a new command that detects how hf was installed (Homebrew, standalone installer, or pip) and runs the right upgrade command. Set HF_HUB_DISABLE_UPDATE_CHECK=1 to silence the startup check entirely, for example in offline CI.

hf update

... (truncated)

Commits

Updates ultralytics from 8.4.41 to 8.4.46

Commits

@dependabot dependabot Bot added dataviewer dependencies Dependency version updates python Pull requests that update python code labels May 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 1, 2026 20:17
@dependabot dependabot Bot added dataviewer dependencies Dependency version updates python Pull requests that update python code labels May 1, 2026
@github-actions github-actions Bot changed the title chore(deps): bump the dataviewer-dependencies group in /data-management/viewer with 3 updates security(deps): bump the dataviewer-dependencies group in /data-management/viewer with 3 updates May 1, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 1, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 09de262.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/uv.lock

PackageVersionLicenseIssue Type
huggingface-hub1.13.0NullUnknown License
python-multipart0.0.27NullUnknown License
ultralytics8.4.46NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
pip/huggingface-hub 1.13.0 UnknownUnknown
pip/python-multipart 0.0.27 UnknownUnknown
pip/ultralytics 8.4.46 UnknownUnknown

Scanned Files

  • data-management/viewer/uv.lock

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented May 1, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.70%. Comparing base (c912668) to head (09de262).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #601      +/-   ##
==========================================
+ Coverage   65.16%   67.70%   +2.53%     
==========================================
  Files         251      263      +12     
  Lines       15597    16827    +1230     
  Branches     2193     2331     +138     
==========================================
+ Hits        10164    11392    +1228     
  Misses       5142     5142              
- Partials      291      293       +2
Flag Coverage Δ *Carryforward flag
pester 83.13% <ø> (ø) Carriedforward from c912668
pytest-data-pipeline 100.00% <ø> (ø) Carriedforward from c912668
pytest-dataviewer 66.92% <ø> (ø) Carriedforward from c912668
pytest-dm-tools 100.00% <ø> (ø) Carriedforward from c912668
pytest-evaluation 99.83% <ø> (?)
pytest-fuzz 4.90% <ø> (ø) Carriedforward from c912668
pytest-inference 0.00% <ø> (ø) Carriedforward from c912668
pytest-training 82.14% <ø> (ø) Carriedforward from c912668
vitest 53.02% <ø> (ø) Carriedforward from c912668

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions[bot]
github-actions Bot reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

Affected ecosystems and surfaces:

  • pip / python-runtimedata-management/viewer/pyproject.toml + data-management/viewer/uv.lock (grouped dataviewer-dependencies update, 3 packages)
Package From To Severity Surface
python-multipart 0.0.26 0.0.27 Unconfirmed (security-labeled) python-runtime
huggingface-hub 1.12.0 1.13.0 None python-runtime
ultralytics 8.4.41 8.4.46 None python-runtime

python-multipart

Advisory: No explicit GHSA or CVE ID appears in the PR body. Dependabot designated this security(deps):, indicating a linked advisory. The 0.0.27 changelog adds multipart header limits (Kludex/python-multipart#267) — a standard DoS hardening measure for multipart parsers — and passes parse offsets via constructors (#268). Severity cannot be rated without a confirmed identifier.

Release notes highlights (compare view):

  • Add multipart header limits #267
  • Pass parse offsets via constructors #268

Repo-specific risk: Required base dependency of the FastAPI backend. Patch bump; no breaking changes; manifest and lockfile both updated (not lockfile-only).

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:queued
    ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
    Relevant check runs: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — all pending.
  2. Static impact reasoning: Manifest (pyproject.toml) and lockfile (uv.lock) both updated; not a lockfile-only pin. Patch bump; no ABI-sensitive packages touched.

huggingface-hub

Advisory: No security advisory. Minor version bump (1.12.0 → 1.13.0).

Release notes highlights (v1.13.0):

  • New CLI commands: hf models card, hf datasets card, hf datasets leaderboard, file listings in ls subcommands
  • New Spaces lifecycle commands: hf spaces pause, hf spaces restart, hf spaces settings
  • Blocking interactive auto-update prompt removed; replaced with non-interactive hf update

Repo-specific risk: Used under the optional [huggingface] extra. Minor version bump; API backward-compatible per release notes.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:queued — relevant check runs not yet available.
  2. Static impact reasoning: Minor version bump within an optional extra; no ABI or breaking-change signals in changelog.

ultralytics

Advisory: No security advisory. Patch bump across five consecutive releases (8.4.41 → 8.4.46).

Release notes highlights (compare view):

  • 8.4.46: Fix multiscale minimum train size
  • 8.4.45: Fix pretrained checkpoint training regression
  • 8.4.44: Apply pretrained arg across model trainers
  • Improve export results path and data/fraction args across export formats

Repo-specific risk: Used under the optional [yolo] extra for YOLO-based annotation inference. Patch level; no breaking changes noted.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:queued — relevant check runs not yet available.
  2. Static impact reasoning: Patch bump; not an ABI-sensitive package in this surface context (not training/rl/).

Advisory verdict: COMMENT — PR Validation is still queued (in_progress:queued); advisory details for the security(deps): label could not be confirmed from the PR body (no explicit GHSA/CVE IDs present). All three bumps are patch or minor level with no high-risk surface triggers (no ABI-sensitive packages, no major version jumps). Re-evaluate once Dataviewer Backend Pytest and Python Lint check runs complete at PR Validation run.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #601 · ● 1M

Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
@dependabot dependabot Bot changed the title security(deps): bump the dataviewer-dependencies group in /data-management/viewer with 3 updates chore(deps): bump the dataviewer-dependencies group across 1 directory with 3 updates May 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/data-management/viewer/dataviewer-dependencies-6abeeb5e8f branch from ed26398 to 024121b Compare May 4, 2026 03:35
github-actions[bot]
github-actions Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

Grouped Dependabot PR bumping 3 packages in the dataviewer-dependencies group under data-management/viewer/.

Ecosystems and surfaces touched:

  • uv / pipdata-management/viewer/pyproject.toml + uv.lockpython-runtime (dataviewer) surface

Package table:

Package From To Severity Surface
python-multipart 0.0.26 0.0.27 None found python-runtime (dataviewer)
huggingface-hub 1.12.0 1.13.0 None found python-runtime (dataviewer)
ultralytics 8.4.41 8.4.46 None found python-runtime (dataviewer)

Note — transitive-only lockfile detection: Both pyproject.toml (manifest) and uv.lock (lockfile) are updated for all three packages, confirming these are direct dependency bumps, not transitive-only pins.

python-multipart

Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs (OSV, NVD) were unreachable from the review sandbox; no fabricated severities are reported.

Release notes (0.0.27, 2026-04-27):

  • Add multipart header limits (#267)
  • Pass parse offsets via constructors (#268)

Changelog: Kludex/python-multipart@0.0.26...0.0.27

Risk notes: Patch bump; no breaking changes identified. The python-multipart library is used by FastAPI for form data and file upload parsing in the dataviewer backend.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — the orchestrator has not yet completed at review time. Relevant check runs for this surface: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint. Results are not yet available.
  2. Static impact reasoning: No ABI-sensitive packages (e.g., numpy, torch, onnxruntime-gpu) are touched. Bump is a patch release with no Isaac Sim or CUDA boundary implications.

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

huggingface-hub

Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs were unreachable from the review sandbox.

Release notes highlights (v1.13.0, 2026-04-30):

  • New CLI commands: hf models card, hf datasets card, hf spaces card, file listings, hf datasets leaderboard
  • Space lifecycle management via CLI (hf spaces pause, hf spaces restart, hf spaces settings)
  • Breaking behavior change for CLI automation: The blocking Y/n auto-update prompt at CLI startup is removed. Replaced with a non-blocking stderr warning and hf update command. Set HF_HUB_DISABLE_UPDATE_CHECK=1 to silence in offline CI.
  • hf:// URI parsing centralised

Changelog: https://github.com/huggingface/huggingface_hub/releases/tag/v1.13.0

Risk notes: Minor bump (1.12.0 → 1.13.0). The auto-update prompt removal is a CLI behavioral change but does not affect the programmatic Python API used by the dataviewer backend. No ABI concerns. The [huggingface] optional dependency group is used by the dataviewer for Hub dataset integration.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress. Relevant check runs: Dataviewer Backend Pytest, Python Lint. Not yet available.
  2. Static impact reasoning: Minor version bump; all changes are additive CLI features or behavioral improvements. No import API renames noted.

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

ultralytics

Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs were unreachable from the review sandbox.

Commits (8.4.41 → 8.4.46):

  • 8.4.46: Fix multiscale minimum train size (#24394)
  • 8.4.45: Fix pretrained checkpoint training regression (#24378)
  • 8.4.44: Apply pretrained arg across model trainers (#24374)
  • Improve export results path, data/fraction args, RKNN export docs

Compare: ultralytics/ultralytics@v8.4.41...v8.4.46

Risk notes: Five patch releases since 8.4.41; all are bug fixes with no API removals noted. ultralytics depends on torch and torchvision transitively, but this patch bump does not cross any torch major-version boundary. Used in the [yolo] optional dependency group for YOLO inference in the dataviewer backend.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress. Relevant check runs: Dataviewer Backend Pytest, Python Lint. Not yet available.
  2. Static impact reasoning: Patch bump across 5 releases. No Isaac Sim path touched (training/rl/ not in diff). No numpy ABI guard applies here — ultralytics is in the dataviewer [yolo] optional group, not the RL training stack.

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

Advisory verdict: COMMENT — CI is still in progress (in_progress:in_progress); no advisory identifiers found for any of the three bumps; all changes are patch or minor version bumps with no high-risk ABI, peer-dep, or breaking-change signals. Maintainers may merge once Dataviewer Backend Pytest, Pytest Data Management Tools, and Python Lint pass.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #601 · ● 405.6K

Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
@katriendg
Copy link
Copy Markdown
Collaborator

katriendg commented May 4, 2026

@dependabot rebase

@dependabot
chore(deps): bump the dataviewer-dependencies group across 1 director…
09de262 
…y with 3 updates

Bumps the dataviewer-dependencies group with 3 updates in the /data-management/viewer directory: [python-multipart](https://github.com/Kludex/python-multipart), [huggingface-hub](https://github.com/huggingface/huggingface_hub) and [ultralytics](https://github.com/ultralytics/ultralytics).


Updates `python-multipart` from 0.0.26 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

Updates `huggingface-hub` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.12.0...v1.13.0)

Updates `ultralytics` from 8.4.41 to 8.4.46
- [Release notes](https://github.com/ultralytics/ultralytics/releases)
- [Commits](ultralytics/ultralytics@v8.4.41...v8.4.46)

---
updated-dependencies:
- dependency-name: huggingface-hub
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-dependencies
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
- dependency-name: ultralytics
  dependency-version: 8.4.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/data-management/viewer/dataviewer-dependencies-6abeeb5e8f branch from 024121b to 09de262 Compare May 4, 2026 07:25
github-actions[bot]
github-actions Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

Grouped Dependabot bump across 1 directory (data-management/viewer/) with 3 packages. All changes touch both the manifest (pyproject.toml) and the lockfile (uv.lock) — not transitive-only.

Affected ecosystems and surfaces:

  • uv / pip under data-management/viewer/python-runtime (dataviewer)
Package From To Severity Surface
python-multipart 0.0.26 0.0.27 None python-runtime (dataviewer)
huggingface-hub 1.12.0 1.13.0 None python-runtime (dataviewer)
ultralytics 8.4.41 8.4.46 None python-runtime (dataviewer)

python-multipart

No GHSA or CVE advisories found. Patch release (0.0.26 → 0.0.27) adds multipart header limits and passes parse offsets via constructors. This is a core dependency used by FastAPI for file/form uploads in the dataviewer backend. No breaking changes in the changelog.

Repo-specific risk: Low. Patch bump with security-hardening characteristics (header limits). No ABI sensitivity.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress
    ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
    • Relevant check runs: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — conclusions pending.
  2. Static impact reasoning: No training/rl/ paths in this diff; Isaac Sim ABI guard does not apply. No ABI-sensitive packages (numpy, torch, onnxruntime-gpu) are changed.

huggingface-hub

No GHSA or CVE advisories found. Minor release (1.12.0 → 1.13.0) adds new CLI capabilities and centralizes hf:// URI parsing. The blocking interactive auto-update prompt at CLI startup is removed (replaced with a passive stderr warning). Used only under the optional huggingface extra in the dataviewer. See v1.13.0 release notes.

Repo-specific risk: Low. Minor bump with additive CLI features only. No API-breaking changes relevant to hub download workflows used by the dataviewer.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — pending.
  2. Static impact reasoning: Optional extra; only loaded when huggingface install target is selected. No ABI constraints.

ultralytics

No GHSA or CVE advisories found. Patch bump spanning 5 releases (8.4.41 → 8.4.46). Fixes include: pretrained-checkpoint training regression (8.4.45), pretrained arg propagation across model trainers (8.4.44), multiscale minimum train size fix (8.4.46), and improved export results path handling. Used only under the optional yolo extra. See compare view.

Repo-specific risk: Low. Optional extra; all changes are internal bug fixes to training/export pipelines. No YOLO inference API changes. Not in training/rl/ scope so no Isaac Sim ABI concern.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — pending.
  2. Static impact reasoning: ultralytics is not in the Isaac Sim ABI-sensitive list. Patch bump only; no CUDA/driver compatibility concerns noted.

Advisory verdict: COMMENT — CI validation is still in progress (in_progress:in_progress); all three bumps are patch/minor with no advisory identifiers, no high-risk triggers, and no ABI-sensitive packages. Safe to approve once Dataviewer Backend Pytest, Pytest Data Management Tools, and Python Lint checks pass.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #601 · ● 404K

Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
Comment thread data-management/viewer/pyproject.toml
@katriendg katriendg merged commit d28fb50 into main May 4, 2026
48 checks passed
@katriendg katriendg deleted the dependabot/uv/data-management/viewer/dataviewer-dependencies-6abeeb5e8f branch May 4, 2026 07:41
@physical-ai-toolchain-release physical-ai-toolchain-release Bot mentioned this pull request May 4, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request May 8, 2026
@physical-ai-toolchain-release @github-actions
chore(main): release 0.8.0 (#450)
f906f37 
🤖 I have created a release *beep* *boop*
---


##
[0.8.0](v0.7.4...v0.8.0)
(2026-05-08)


### ⚠ BREAKING CHANGES

* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))

### ✨ Features

* **agents:** add automated validation for high-risk Dependabot bumps
([#574](#574))
([8c3686a](8c3686a)),
closes
[#573](#573)
* **data:** add camera selector to annotation workspace and fix AV1
frame extraction
([#591](#591))
([c809d2f](c809d2f))
* **data:** seed dataviewer frontend test foundation and per-section
codecov flags
([#594](#594))
([c06c4e3](c06c4e3))
* **dataviewer:** add OWASP security middleware stack
([#439](#439))
([239edb9](239edb9))
* **infrastructure:** add conversion pipeline Terraform module
([#542](#542))
([244531e](244531e))
* **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with
secure auth and skrl 2.0.0 compatibility
([#492](#492))
([edfd7a5](edfd7a5))
* **pipeline:** add ACSA setup for ROS2 bag sync to Blob
([#451](#451))
([c271a54](c271a54))
* **workflows:** add advisory Dependabot PR reviewer agentic workflow
([#498](#498))
([d4bb140](d4bb140))
* **workflows:** trigger AW Dependabot PR reviewer after PR Validation
([#580](#580))
([7ab3d16](7ab3d16))


### 🐛 Bug Fixes

* **ci:** correct stale version comment for
actions/create-github-app-token
([#506](#506))
([b2e9a54](b2e9a54))
* **ci:** restore data-pipeline and training broken tests by domain
folder restructure
([#547](#547))
([06d8472](06d8472))
* **docs:** update remaining stale 'Coming soon' labels in
docs/README.md
([#507](#507))
([02439d6](02439d6))
* **docs:** update stale coming soon label for Training section
([#472](#472))
([46db49b](46db49b))
* **evaluation:** scope SIL AzureML validation code path and script
reference
([#387](#387))
([9f138a9](9f138a9))
* **infrastructure:** OSMO workflow execution, PostgreSQL public access,
and quickstart corrections
([#477](#477))
([9ed2da6](9ed2da6))
* **scripts:** exclude CHANGELOG.md from changed-files msdate check
([#644](#644))
([8133bdc](8133bdc))
* **workflows:** allow dependabot[bot] to activate AW Dependabot PR
Review
([#586](#586))
([39dc022](39dc022))
* **workflows:** correct branches filter on AW Dependabot PR Review
workflow_run trigger
([#584](#584))
([fe06b52](fe06b52))
* **workflows:** normalize validate.yaml placeholder env/compute values
([#510](#510))
([340ff44](340ff44))
* **workflows:** recompile aw-dependabot-pr-review lock file
([#576](#576))
([d77c167](d77c167))
* **workflows:** switch AW Dependabot PR Review to pull_request_target
([#589](#589))
([3f1edd1](3f1edd1))


### 📚 Documentation

* **docs:** Fix deployment guide links
([#614](#614))
([0070b04](0070b04))
* document dependency-pinning-artifacts directory purpose
([#508](#508))
([50e0010](50e0010))


### 📦 Build System

* **training:** standardize on Python 3.12 across manifests, containers,
and runtime scripts
([#541](#541))
([7ad014a](7ad014a))


### 🔧 Operations

* **build:** add Copilot cloud agent setup-steps workflow
([#593](#593))
([c912668](c912668))


### 🔧 Miscellaneous

* **build:** exclude auto-generated CHANGELOG.md from cspell and seed
dictionary
([#582](#582))
([de1dd57](de1dd57))
* **build:** redesign codecov flags and split pytest CI per component
([#520](#520))
([357e745](357e745))
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))
([50f8ad4](50f8ad4))
* **dataviewer:** repoint stale src/dataviewer references to
data-management/viewer
([#504](#504))
([88fa1b4](88fa1b4)),
closes
[#503](#503)
* **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1
([#618](#618))
([ca10f2a](ca10f2a))
* **deps-dev:** bump globals from 15.15.0 to 17.5.0 in
/data-management/viewer/frontend
([#527](#527))
([0e0b2ae](0e0b2ae))
* **deps-dev:** bump ip-address from 10.1.0 to 10.2.0
([#616](#616))
([816c9cf](816c9cf))
* **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the
root-npm-dependencies group across 1 directory
([#626](#626))
([0e2f293](0e2f293))
* **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the
python-dependencies group across 1 directory
([#629](#629))
([c24f1c1](c24f1c1))
* **deps-dev:** bump the python-dependencies group across 1 directory
with 2 updates
([#514](#514))
([8410f4b](8410f4b))
* **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the
inference-dependencies group across 1 directory
([#597](#597))
([6141db4](6141db4))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer
([#424](#424))
([5fb6d58](5fb6d58))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer/backend
([#423](#423))
([b516ad5](b516ad5))
* **deps:** bump lucide-react from 0.469.0 to 1.8.0 in
/data-management/viewer/frontend
([#528](#528))
([1bdfc1e](1bdfc1e))
* **deps:** bump nginx from `8aa63af` to `5616878` in
/data-management/viewer/frontend
([#511](#511))
([9e7e20e](9e7e20e))
* **deps:** bump nginx from 1.27-alpine to 1.29-alpine in
/data-management/viewer/frontend
([#484](#484))
([0e5c3dd](0e5c3dd))
* **deps:** bump node from `435f353` to `e49fd70` in
/data-management/viewer/frontend
([#560](#560))
([2884649](2884649))
* **deps:** bump react-is from 18.3.1 to 19.2.5 in
/data-management/viewer/frontend
([#530](#530))
([d51318c](d51318c))
* **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the
inference-dependencies group across 1 directory
([#456](#456))
([b24e733](b24e733))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 2 updates
([#531](#531))
([171a1da](171a1da))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#516](#516))
([4f9a577](4f9a577))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#602](#602))
([6c27ab5](6c27ab5))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 2 updates
([#529](#529))
([8646971](8646971))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#601](#601))
([d28fb50](d28fb50))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#632](#632))
([4ca5f3e](4ca5f3e))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#515](#515))
([109ee81](109ee81))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 6 updates
([#630](#630))
([04d5dfd](04d5dfd))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 9 updates
([#563](#563))
([c08f450](c08f450))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 4 updates
([#627](#627))
([f5825fc](f5825fc))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 6 updates
([#599](#599))
([b859344](b859344))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#459](#459))
([2609c52](2609c52))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#517](#517))
([f54bf5d](f54bf5d))
* **deps:** bump the inference-dependencies group across 1 directory
with 11 updates
([#562](#562))
([087f53a](087f53a))
* **deps:** bump the inference-dependencies group across 1 directory
with 2 updates
([#628](#628))
([4a3be47](4a3be47))
* **deps:** bump the pip group across 2 directories with 1 update
([#494](#494))
([a14b6b0](a14b6b0))
* **docs:** update stale Python 3.11 references to 3.12
([#575](#575))
([6f85c95](6f85c95))
* **scripts:** remove redundant SC1091 disables in OSMO deploy scripts
([#509](#509))
([ae1cb82](ae1cb82))


### 🔒 Security

* **build:** pin dependencies and hash-verify downloads
([#465](#465))
([0289f49](0289f49))
* **build:** remediate dependency security advisories
([#479](#479))
([7196d6d](7196d6d))
* **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2
([#454](#454))
([cb158f1](cb158f1))
* **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0
([#495](#495))
([e983b8b](e983b8b))
* **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the
python-dependencies group
([#598](#598))
([83384d2](83384d2))
* **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the
root-npm-dependencies group
([#559](#559))
([32bde35](32bde35))
* **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus
([#455](#455))
([66f86ca](66f86ca))
* **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in
/data-management/viewer/frontend
([#569](#569))
([a652dba](a652dba))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#457](#457))
([749d231](749d231))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#485](#485))
([71b44fd](71b44fd))
* **deps-dev:** bump the python-dependencies group with 3 updates
([#564](#564))
([9fc52fd](9fc52fd))
* **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus
in the docusaurus-dependencies group
([#513](#513))
([5694dbc](5694dbc))
* **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to
20260409.v4 in /evaluation/sil/docker
([#480](#480))
([25d4df8](25d4df8))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in
the uv group across 1 directory
([#538](#538))
([92c5b2e](92c5b2e))
* **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot
([#638](#638))
([6261d19](6261d19))
* **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in
/docs/docusaurus
([#469](#469))
([0458908](0458908))
* **deps:** bump gitpython and mako for lerobot IL training
([#623](#623))
([9f8022b](9f8022b))
* **deps:** bump node from 24.14.1-slim to 25.9.0-slim in
/data-management/viewer/frontend
([#482](#482))
([1532d09](1532d09))
* **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the
inference-dependencies group
([#483](#483))
([f4afb6c](f4afb6c))
* **deps:** bump pillow from 12.1.1 to 12.2.0
([#467](#467))
([39fb663](39fb663))
* **deps:** bump python from 3.11-slim to 3.14-slim in
/data-management/viewer/backend
([#481](#481))
([7af9dfc](7af9dfc))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 15 updates
([#428](#428))
([e4446a2](e4446a2))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 4 updates
([#487](#487))
([0f57c5b](0f57c5b))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 8 updates
([#566](#566))
([d6e7869](d6e7869))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#464](#464))
([24c208d](24c208d))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 2 updates
([#486](#486))
([90149f3](90149f3))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 6 updates
([#565](#565))
([f0bb36b](f0bb36b))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 10 updates
([#613](#613))
([e481f83](e481f83))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#534](#534))
([5478ab6](5478ab6))
* **deps:** bump the github-actions group with 2 updates
([#488](#488))
([4e6ce98](4e6ce98))
* **deps:** bump the github-actions group with 3 updates
([#567](#567))
([48c38dc](48c38dc))
* **deps:** bump the github-actions group with 3 updates
([#634](#634))
([00cfb49](00cfb49))
* **deps:** bump the github-actions group with 6 updates
([#603](#603))
([73eb79a](73eb79a))
* **deps:** bump the training-dependencies group across 1 directory with
23 updates
([#463](#463))
([d5a8656](d5a8656))
* **deps:** bump yaml from 2.8.2 to 2.8.3 in
/data-management/viewer/frontend
([#453](#453))
([10449df](10449df))
* pytest harness, dependabot advisories, and OSSF Scorecard remediations
([#501](#501))
([e8756e8](e8756e8))
* **scripts:** pin and hash-verify all shell script downloads
([#468](#468))
([0c2bb9c](0c2bb9c))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@katriendg katriendg katriendg approved these changes

Assignees

No one assigned

Labels

dataviewer dependencies Dependency version updates python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codecov-commenter @katriendg