Skip to content

chore(deps): bump the dataviewer-backend-dependencies group across 1 directory with 5 updates#602

Merged
katriendg merged 1 commit into
mainfrom
dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-8968a544de
May 5, 2026
Merged

chore(deps): bump the dataviewer-backend-dependencies group across 1 directory with 5 updates#602
katriendg merged 1 commit into
mainfrom
dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-8968a544de

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 1, 2026
edited
Loading

Bumps the dataviewer-backend-dependencies group with 5 updates in the /data-management/viewer/backend directory:

Package From To
python-multipart 0.0.26 0.0.27
hypothesis 6.152.3 6.152.4
schemathesis 4.16.1 4.17.0
huggingface-hub 1.12.0 1.13.0
ultralytics 8.4.41 8.4.46

Updates python-multipart from 0.0.26 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.
Commits

Updates hypothesis from 6.152.3 to 6.152.4

Release notes

Sourced from hypothesis's releases.

Hypothesis for Python - version 6.152.4

This patch fixes a rare internal error during "Phase.explain" introduced in version 6.149.0 for certain strategies (issue #4708).

The canonical version of these notes (with links) is on readthedocs.

Commits
  • 84f92dc Bump hypothesis-python version to 6.152.4 and update changelog
  • c6814df Merge pull request #4717 from HypothesisWorks/DRMacIver/issue4708
  • 82e9446 Address PR review feedback
  • c77d7e7 Merge pull request #4719 from Liam-DeVoe/fix-mobile-word-wrapping
  • 4d6a7f0 fix footnote overflow on mobile
  • 4b554b0 Fix AssertionError in Shrinker.explain() for unstable span labels
  • See full diff in compare view

Updates schemathesis from 4.16.1 to 4.17.0

Release notes

Sourced from schemathesis's releases.

Release 4.17.0

🚀 Added

  • Capture path-parameter values from successful 2xx requests for reuse during fuzzing.
  • Capture request-body field values from successful 2xx requests for reuse during fuzzing.
  • Coverage phase records request identifiers into the runtime resource pool for reuse in later phases.
  • Use identifiers from the runtime resource pool for resource-bound parameters and body fields during the coverage phase.
  • Use captured body-field values to fill resource-bound fields in the examples phase.
  • Enable the runtime resource pool for producers that return empty response bodies.
  • Chain st fuzz scenarios via inferred and schema Links, biased 80% toward link-driven steps.
  • Pick correlated identifiers for nested-resource operations during the coverage phase.
  • Dependency inference recognizes <resource>Name-style body fields on collection paths (e.g. POST /products {productName: ...}).
  • Dependency inference recognizes more identifier-style path parameters (e.g. username, containerGroupName).
  • Dependency inference treats POST /resource/{name} as a producer when the response has no body.
  • Dependency inference treats POST /collection {idField: ...} as a producer when the response has no body.
  • Dependency inference recognizes GET /collection returning an array of identifier strings.
  • Dependency inference recognizes plural {ids} path parameters (e.g. GET /persons/{ids}).
  • Seed the runtime resource pool with identifier values from a Bearer JWT or HTTP Basic username.

🐛 Fixed

  • False positive negative_data_rejection for body-level type mutations on multipart/form-data endpoints. #3801
  • False positive negative_data_rejection for body fields with format: binary or format: byte.
  • Crash on schemas with non-schema values inside properties (e.g. an integer where a sub-schema is expected).
  • Cascading generation failures after one schema corrupted shared hypothesis-jsonschema constants in the same process.
  • Crash on $ref with sibling keywords when exploring the Python API outside the pytest runner.
  • HypothesisRefResolutionError when a $ref and its target both have distinct anyOf lists.
  • Report malformed sub-schemas (e.g. description: null) as a clean schema error.
  • Unsatisfiable for arrays with allOf of multiple contains requiring distinct const values.
  • Operation scheduling respects RESTful method priority even when all operations collapse into one layer.
  • Draft-03 schemas surface as a clean InvalidSchema instead of a generic InvalidArgument from the strategy generator.
  • False InfiniteRecursiveReference on cycles breakable through patternProperties.
  • False InfiniteRecursiveReference on cycles breakable through oneOf/anyOf, top-level allOf, or unused definitions.
  • False positives from \p{X} Unicode property escapes inside character classes (e.g. [\p{Alnum}_]+).
  • Translate POSIX character classes (e.g. [[:alnum:]_]) to Python equivalents instead of misparsing them.
  • Silent character-set widening when \p{X} patterns combine with PCRE class-set operators (||, &&) or nested classes.
  • Runtime Error in negative generation for OpenAPI 3.1 schemas with prefixItems. #3842
  • Honor discriminator pin in oneOf/anyOf validation under Draft 4 (OpenAPI 2.0/3.0).
  • Spurious FlakyStrategyDefinition from st fuzz when the time limit trips mid-scenario.
  • Crash in the examples phase when a body example contained format: binary data alongside captured pool values.
  • Resource-pool variants for path/query/header parameters skip values that violate the destination schema.
  • Bodies missing required fields when a captured value is overlaid on a schema without type: object.
  • Boolean path parameters rewritten to integer 1 when the path also contains an integer parameter.
  • Examples violating their own schema surfacing as POSITIVE generation cases.
  • Duplicate required header entries when a spec parameter and a security scheme share a header name.
  • NDJSON reports truncated after the first event from a threaded requests import race in the writer.

🔧 Changed

... (truncated)

Changelog

Sourced from schemathesis's changelog.

4.17.0 - 2026-04-30

🚀 Added

  • Capture path-parameter values from successful 2xx requests for reuse during fuzzing.
  • Capture request-body field values from successful 2xx requests for reuse during fuzzing.
  • Coverage phase records request identifiers into the runtime resource pool for reuse in later phases.
  • Use identifiers from the runtime resource pool for resource-bound parameters and body fields during the coverage phase.
  • Use captured body-field values to fill resource-bound fields in the examples phase.
  • Enable the runtime resource pool for producers that return empty response bodies.
  • Chain st fuzz scenarios via inferred and schema Links, biased 80% toward link-driven steps.
  • Pick correlated identifiers for nested-resource operations during the coverage phase.
  • Dependency inference recognizes <resource>Name-style body fields on collection paths (e.g. POST /products {productName: ...}).
  • Dependency inference recognizes more identifier-style path parameters (e.g. username, containerGroupName).
  • Dependency inference treats POST /resource/{name} as a producer when the response has no body.
  • Dependency inference treats POST /collection {idField: ...} as a producer when the response has no body.
  • Dependency inference recognizes GET /collection returning an array of identifier strings.
  • Dependency inference recognizes plural {ids} path parameters (e.g. GET /persons/{ids}).
  • Seed the runtime resource pool with identifier values from a Bearer JWT or HTTP Basic username.

🐛 Fixed

  • False positive negative_data_rejection for body-level type mutations on multipart/form-data endpoints. #3801
  • False positive negative_data_rejection for body fields with format: binary or format: byte.
  • Crash on schemas with non-schema values inside properties (e.g. an integer where a sub-schema is expected).
  • Cascading generation failures after one schema corrupted shared hypothesis-jsonschema constants in the same process.
  • Crash on $ref with sibling keywords when exploring the Python API outside the pytest runner.
  • HypothesisRefResolutionError when a $ref and its target both have distinct anyOf lists.
  • Report malformed sub-schemas (e.g. description: null) as a clean schema error.
  • Unsatisfiable for arrays with allOf of multiple contains requiring distinct const values.
  • Operation scheduling respects RESTful method priority even when all operations collapse into one layer.
  • Draft-03 schemas surface as a clean InvalidSchema instead of a generic InvalidArgument from the strategy generator.
  • False InfiniteRecursiveReference on cycles breakable through patternProperties.
  • False InfiniteRecursiveReference on cycles breakable through oneOf/anyOf, top-level allOf, or unused definitions.
  • False positives from \p{X} Unicode property escapes inside character classes (e.g. [\p{Alnum}_]+).
  • Translate POSIX character classes (e.g. [[:alnum:]_]) to Python equivalents instead of misparsing them.
  • Silent character-set widening when \p{X} patterns combine with PCRE class-set operators (||, &&) or nested classes.
  • Runtime Error in negative generation for OpenAPI 3.1 schemas with prefixItems. #3842
  • Honor discriminator pin in oneOf/anyOf validation under Draft 4 (OpenAPI 2.0/3.0).
  • Spurious FlakyStrategyDefinition from st fuzz when the time limit trips mid-scenario.
  • Crash in the examples phase when a body example contained format: binary data alongside captured pool values.
  • Resource-pool variants for path/query/header parameters skip values that violate the destination schema.
  • Bodies missing required fields when a captured value is overlaid on a schema without type: object.
  • Boolean path parameters rewritten to integer 1 when the path also contains an integer parameter.
  • Examples violating their own schema surfacing as POSITIVE generation cases.
  • Duplicate required header entries when a spec parameter and a security scheme share a header name.
  • NDJSON reports truncated after the first event from a threaded requests import race in the writer.

🔧 Changed

... (truncated)

Commits
  • 5662c32 chore: Release 4.17.0
  • 6767844 test: Update inference metrics
  • 7cd1963 test: Show more context on snapshot mismatches for st fuzz
  • c6120f2 feat: Dependency inference recognizes plural {ids} path parameters
  • 2cdff14 fix: False positive negative_data_rejection for body fields with `format: b...
  • cdc04f9 test: Skip influxdata.com/2.0.0.json in corpus tests
  • 3270d87 fix: Honor discriminator pin in oneOf/anyOf validation under Draft 4 (O...
  • bc4202b test: Show more context on cassette loading failure
  • 7eba5ad chore: Improve typing
  • e896ab6 chore: Probe each path with undeclared HTTP methods once per path instead of ...
  • Additional commits viewable in compare view

Updates huggingface-hub from 1.12.0 to 1.13.0

Release notes

Sourced from huggingface-hub's releases.

[v1.13.0] new CLI commands and formatting, and HF URI parsing

🖥️ New CLI commands: repo cards, file listings, and dataset leaderboards

This release adds three new CLI capabilities for exploring Hub content. hf models card, hf datasets card, and hf spaces card fetch the README of any repo and print it to stdout, with --metadata (YAML frontmatter as JSON) and --text (prose only) flags for splitting the card into its structured and unstructured parts. Calling hf models ls <repo_id>, hf datasets ls <repo_id>, or hf spaces ls <repo_id> now switches from listing repos to listing files inside that repo, with --tree, -R, -h, and --revision options mirroring the existing hf buckets ls behavior. And hf datasets leaderboard <dataset_id> surfaces model scores submitted to a benchmark dataset, making it easy to compare models by score from the terminal.

# Get model card metadata as JSON
hf models card google/gemma-4-31B-it --metadata --format json
List files in a model repo (tree view with sizes)
hf models ls meta-llama/Llama-3.2-1B-Instruct --tree -h
Show top 5 models on SWE-bench
hf datasets leaderboard SWE-bench/SWE-bench_Verified --limit 5

📚 Documentation: CLI guide

🚀 Manage Spaces from the CLI

Three new hf spaces subcommands bring full lifecycle control to the terminal. hf spaces pause and hf spaces restart stop or rebuild a Space (with --factory-reboot for a clean rebuild), and hf spaces settings lets you configure sleep time and hardware in one call. A companion hf spaces hardware command lists all available hardware flavors with pricing, so you can discover options before changing settings. Pause and restart include a confirmation prompt (-y to skip) since they tear down the running container.

# Pause a Space when not in use (not billed while paused)
hf spaces pause username/my-space
Restart with a GPU
hf spaces settings username/my-space --hardware t4-medium --sleep-time 3600
List available hardware options
hf spaces hardware

📚 Documentation: CLI guide — Spaces

🔃 hf update replaces the auto-update prompt

The blocking interactive Y/n auto-update prompt at CLI startup is gone. It was catching too many non-interactive contexts (CI runners, Homebrew post-install hooks, Jupyter notebooks) and hanging automation. In its place, a single yellow stderr warning suggests running hf update — a new command that detects how hf was installed (Homebrew, standalone installer, or pip) and runs the right upgrade command. Set HF_HUB_DISABLE_UPDATE_CHECK=1 to silence the startup check entirely, for example in offline CI.

hf update

... (truncated)

Commits

Updates ultralytics from 8.4.41 to 8.4.46

Commits

@dependabot dependabot Bot added dataviewer dependencies Dependency version updates python Pull requests that update python code labels May 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 1, 2026 20:18
@dependabot dependabot Bot added dataviewer dependencies Dependency version updates python Pull requests that update python code labels May 1, 2026
@github-actions github-actions Bot changed the title chore(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 5 updates security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 5 updates May 1, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 1, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 007802f.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/backend/uv.lock

PackageVersionLicenseIssue Type
huggingface-hub1.13.0NullUnknown License
hypothesis6.152.4NullUnknown License
jsonschema-rs0.46.4NullUnknown License
python-multipart0.0.27NullUnknown License
schemathesis4.17.0NullUnknown License
ultralytics8.4.46NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
pip/huggingface-hub 1.13.0 UnknownUnknown
pip/hypothesis 6.152.4 UnknownUnknown
pip/jsonschema-rs 0.46.4 UnknownUnknown
pip/python-multipart 0.0.27 UnknownUnknown
pip/schemathesis 4.17.0 UnknownUnknown
pip/ultralytics 8.4.46 UnknownUnknown

Scanned Files

  • data-management/viewer/backend/uv.lock

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented May 1, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.27%. Comparing base (10ab980) to head (007802f).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #602   +/-   ##
=======================================
  Coverage   77.27%   77.27%           
=======================================
  Files         272      272           
  Lines       18140    18140           
  Branches     2452     2452           
=======================================
  Hits        14018    14018           
  Misses       3698     3698           
  Partials      424      424
Flag Coverage Δ *Carryforward flag
pester 83.13% <ø> (ø) Carriedforward from 10ab980
pytest-data-pipeline 100.00% <ø> (ø) Carriedforward from 10ab980
pytest-dataviewer 93.60% <ø> (ø)
pytest-dm-tools 100.00% <ø> (ø) Carriedforward from 10ab980
pytest-evaluation 99.51% <ø> (ø)
pytest-fuzz 4.89% <ø> (ø) Carriedforward from 10ab980
pytest-inference 100.00% <ø> (ø) Carriedforward from 10ab980
pytest-training 93.32% <ø> (ø) Carriedforward from 10ab980
vitest 53.02% <ø> (ø) Carriedforward from 10ab980

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions[bot]
github-actions Bot reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

Ecosystems / surfaces touched: uv / pippython-runtime (dataviewer backend at data-management/viewer/backend/)

Both pyproject.toml (manifest) and uv.lock (lockfile) are modified. All five packages are scoped to the dataviewer backend; three are optional-extra dependencies ([huggingface], [yolo], [dev]).

Package From To Severity Surface
python-multipart 0.0.26 0.0.27 None known python-runtime (dataviewer)
hypothesis 6.152.3 6.152.4 None known python-runtime (dataviewer, dev-only)
schemathesis 4.16.1 4.17.0 None known python-runtime (dataviewer, dev-only)
huggingface-hub 1.12.0 1.13.0 None known python-runtime (dataviewer, optional)
ultralytics 8.4.41 8.4.46 None known python-runtime (dataviewer, optional)

python-multipart

No CVE or GHSA advisory identified. This is a patch bump. Notable change: adds multipart header limits (#267) — a security hardening addition that caps header counts in multipart parsing. The security(deps): PR title prefix from Dependabot likely reflects this hardening.

Release notes (0.0.27, 2026-04-27):

  • Add multipart header limits #267
  • Pass parse offsets via constructors #268

Source: Kludex/python-multipart@0.0.26...0.0.27

Repo-specific risk: python-multipart is a direct runtime dependency used by FastAPI for multipart form parsing. The header-limits hardening is beneficial and has no reported compatibility issues with FastAPI 0.136.1 pinned in this project.

Validation Signal

Deterministic CI: PR_VALIDATION_CONCLUSION = in_progress:in_progress

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

Relevant check runs for python-runtime (dataviewer) surface: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint. Results pending at: https://github.com/microsoft/physical-ai-toolchain/actions/runs/25231383504

Static impact reasoning: No ABI-sensitive packages (numpy, torch, tensordict, onnxruntime-gpu) were changed. The existing numpy==2.4.4 and pyarrow==24.0.0 pins in pyproject.toml are unchanged by this PR. No Isaac Sim training paths are touched.

hypothesis

No CVE or GHSA advisory identified. Patch bump; dev-only dependency with no runtime impact.

Release: HypothesisWorks/hypothesis@hypothesis-python-6.152.3...hypothesis-python-6.152.4

Validation Signal

Deterministic CI: pending (see above). Static impact: dev-only, no ABI concerns.

schemathesis

No CVE or GHSA advisory identified. Minor bump (4.16.1 → 4.17.0); dev-only API fuzzing tool.

Release notes (4.17.0, 2026-04-30):

  • Capture path-parameter values from successful 2xx requests for reuse during fuzzing
  • Capture request-body field values from successful 2xx requests for reuse during fuzzing
  • Coverage phase records request identifiers into the runtime resource pool for reuse in later phases
  • Use identifiers from the runtime resource pool for resource-bound parameters and body fields during the coverage phase
  • Chain st fuzz scenarios via inferred steps

Source: schemathesis/schemathesis@v4.16.1...v4.17.0

Repo-specific risk: Feature additions for smarter fuzzing. No breaking changes visible. Dev-only dependency.

Validation Signal

Deterministic CI: pending (see above). Static impact: dev-only, no ABI concerns.

huggingface-hub

No CVE or GHSA advisory identified. Minor bump (1.12.0 → 1.13.0); optional [huggingface] extra.

Release notes (1.13.0, 2026-04-30):

  • New hf spaces hardware CLI command
  • Centralized hf:// URI parsing
  • Avoid re-uploading pre-uploaded LFS files
  • Added bucket+mount transport for Jobs script upload
  • [CLI] Add file listing to models/datasets/spaces ls

Source: huggingface/huggingface_hub@v1.12.0...v1.13.0

Repo-specific risk: Minor feature additions; no breaking API changes visible. Optional dependency, only active when [huggingface] extras are installed.

Validation Signal

Deterministic CI: pending (see above). Static impact: no ABI-sensitive packages changed.

ultralytics

No CVE or GHSA advisory identified. Patch bump spanning five releases (8.4.41 → 8.4.46); optional [yolo] extra.

Release notes (8.4.42 – 8.4.46):

  • 8.4.46: Fix multiscale minimum train size
  • 8.4.45: Fix pretrained checkpoint training regression
  • 8.4.44: Apply pretrained arg across model trainers
  • Additional: Improved export results path, RKNN export improvements, stop resume when training is already finished

Source: ultralytics/ultralytics@v8.4.41...v8.4.46

Repo-specific risk: Bug-fix releases; no major version change. Optional dependency, only active when [yolo] extras are installed. No CUDA/GPU ABI changes detected.

Validation Signal

Deterministic CI: pending (see above). Static impact: no ABI-sensitive packages (torch, onnxruntime-gpu) changed by this PR.

Advisory verdict: COMMENT — CI conclusion is in_progress; all five bumps are patch/minor with no identified CVE or GHSA advisories and no high-risk ABI triggers. Review again once Dataviewer Backend Pytest and Python Lint check runs complete.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #602 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #602 · ● 1.7M

Comment thread data-management/viewer/backend/pyproject.toml
Comment thread data-management/viewer/backend/pyproject.toml
Comment thread data-management/viewer/backend/pyproject.toml
Comment thread data-management/viewer/backend/pyproject.toml
Comment thread data-management/viewer/backend/pyproject.toml
@dependabot dependabot Bot changed the title security(deps): bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 5 updates chore(deps): bump the dataviewer-backend-dependencies group across 1 directory with 5 updates May 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-8968a544de branch from 90e039d to 706305c Compare May 4, 2026 03:36
github-actions[bot]
github-actions Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

Ecosystems / surfaces touched:

  • python-runtime (dataviewer)data-management/viewer/backend/pyproject.toml + uv.lock

Package table:

Package From To Severity Surface
python-multipart 0.0.26 0.0.27 None python-runtime (dataviewer)
hypothesis 6.152.3 6.152.4 None python-runtime (dataviewer)
schemathesis 4.16.1 4.17.0 None python-runtime (dataviewer)
huggingface-hub 1.12.0 1.13.0 None python-runtime (dataviewer)
ultralytics 8.4.41 8.4.46 None python-runtime (dataviewer)

No GHSA or CVE identifiers were found in the PR body. No advisory enrichment chain hits (GHSA / OSV / NVD) for any of the bumped versions. No ABI-sensitive packages (numpy, torch, tensordict, onnxruntime-gpu) are present. No major version bumps.

All five packages are exact-pinned in pyproject.toml (not transitive-only); uv.lock is updated in tandem.

python-multipart

Release notes — 0.0.27 (source):

  • Add multipart header limits (#267)
  • Pass parse offsets via constructors (#268)

Patch bump. The header-limits addition hardens multipart parsing against oversized headers — a net security improvement. No breaking API change. No advisory.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
  2. Static impact reasoning: Package is not ABI-sensitive. No Isaac Sim guard applies. Exact pin in pyproject.toml, consistent with existing pinning style.

hypothesis

Release notes — 6.152.4: Patch bump. No public changelog excerpt in PR body; upstream patch history indicates minor internal test-generator refinements. No advisory.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — conclusion pending.
  2. Static impact reasoning: Test-only dependency. No ABI sensitivity. No Isaac Sim guard applies.

schemathesis

Release notes — 4.17.0 (source):

  • Fixed false InfiniteRecursiveReference on cycles breakable through patternProperties, oneOf/anyOf, top-level allOf, or unused definitions
  • Fixed false positives from \p{X} Unicode property escapes inside character classes
  • Fixed FlakyStrategyDefinition from st fuzz when time limit trips mid-scenario
  • Fixed NDJSON reports truncated after first event from threaded requests import race

Minor bump. All changes are bug fixes; no breaking API changes noted. Relevant surfaces: Dataviewer Backend Pytest (exercises schemathesis-based API schema tests). No advisory.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — conclusion pending.
  2. Static impact reasoning: Test/validation library only. No ABI sensitivity. No Isaac Sim guard applies.

huggingface-hub

Release notes — 1.13.0 (source):

  • New CLI commands: hf models card, hf datasets card, hf spaces card, file listings, hf datasets leaderboard
  • New hf spaces lifecycle subcommands: pause, restart, settings, hardware
  • hf update replaces the blocking interactive Y/N auto-update prompt (removed startup hang in non-interactive contexts)
  • Centralized hf:// URI parsing

Minor bump with new CLI features and URI parsing improvements. No breaking changes to the Python API noted. No advisory.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — conclusion pending.
  2. Static impact reasoning: Used in the dataviewer backend for HuggingFace Hub dataset access. Minor bump; no ABI sensitivity. No Isaac Sim guard applies.

ultralytics

Release notes — 8.4.41 → 8.4.46 (source):

  • Fix multiscale minimum train size

Patch bump across 5 micro-versions. The primary fix addresses multiscale training. Ultralytics is used in the dataviewer backend for YOLO inference (mocked in tests). No advisory.

Validation Signal

  1. Deterministic CI: PR Validation: in_progress:in_progress — conclusion pending.
  2. Static impact reasoning: Not ABI-sensitive relative to CUDA/Isaac Sim. Training-related fix is internal to the model engine; no impact on inference API surface used by the dataviewer.

Validation Signal (overall)

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

  • PR Validation: in_progress:in_progressrun link
  • Relevant check runs for python-runtime (dataviewer): Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — conclusions not yet available.
  • Run npm run validate:backend in data-management/viewer/ once CI completes to confirm.

Advisory verdict: COMMENT — CI is still in progress; all five bumps are minor/patch with no known advisories and no ABI-sensitive changes. Re-review is not required once CI passes.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #602 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #602 · ● 586.1K

@dependabot
chore(deps): bump the dataviewer-backend-dependencies group across 1 …
007802f 
…directory with 5 updates

Bumps the dataviewer-backend-dependencies group with 5 updates in the /data-management/viewer/backend directory:

| Package | From | To |
| --- | --- | --- |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.26` | `0.0.27` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.152.3` | `6.152.4` |
| [schemathesis](https://github.com/schemathesis/schemathesis) | `4.16.1` | `4.17.0` |
| [huggingface-hub](https://github.com/huggingface/huggingface_hub) | `1.12.0` | `1.13.0` |
| [ultralytics](https://github.com/ultralytics/ultralytics) | `8.4.41` | `8.4.46` |



Updates `python-multipart` from 0.0.26 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

Updates `hypothesis` from 6.152.3 to 6.152.4
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@hypothesis-python-6.152.3...hypothesis-python-6.152.4)

Updates `schemathesis` from 4.16.1 to 4.17.0
- [Release notes](https://github.com/schemathesis/schemathesis/releases)
- [Changelog](https://github.com/schemathesis/schemathesis/blob/master/CHANGELOG.md)
- [Commits](schemathesis/schemathesis@v4.16.1...v4.17.0)

Updates `huggingface-hub` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.12.0...v1.13.0)

Updates `ultralytics` from 8.4.41 to 8.4.46
- [Release notes](https://github.com/ultralytics/ultralytics/releases)
- [Commits](ultralytics/ultralytics@v8.4.41...v8.4.46)

---
updated-dependencies:
- dependency-name: huggingface-hub
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-backend-dependencies
- dependency-name: hypothesis
  dependency-version: 6.152.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
- dependency-name: schemathesis
  dependency-version: 4.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-backend-dependencies
- dependency-name: ultralytics
  dependency-version: 8.4.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-backend-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-8968a544de branch from 706305c to 007802f Compare May 5, 2026 03:57
github-actions[bot]
github-actions Bot reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Advisory Review Summary

  • Ecosystem: uv / PyPI
  • Surface: python-runtimedata-management/viewer/backend/
  • Manifest: data-management/viewer/backend/pyproject.toml + data-management/viewer/backend/uv.lock
  • Files changed: 2 (1 manifest + 1 lockfile)
Package From To Severity Surface
python-multipart 0.0.26 0.0.27 None python-runtime
hypothesis 6.152.3 6.152.4 None python-runtime (dev)
schemathesis 4.16.1 4.17.0 None python-runtime (dev)
huggingface-hub 1.12.0 1.13.0 None python-runtime (huggingface extra)
ultralytics 8.4.41 8.4.46 None python-runtime (yolo extra)
jsonschema-rs (transitive) 0.46.2 0.46.4 None python-runtime (via schemathesis)

python-multipart

Release notes: Adds multipart header limits (#267) and passes parse offsets via constructors (#268). Full changelog: Kludex/python-multipart@0.0.26...0.0.27

Advisory context: GHSA-mj87-hwqh-73pj (CVE-2026-40347, CWE-400/CWE-834, CVSS 3.1: 5.3 MODERATE) — DoS via large multipart preamble/epilogue data. Fixed at 0.0.26. This PR bumps from an already-patched version; 0.0.27 adds further header-limit hardening.

No advisories affect 0.0.260.0.27.

Validation Signal

  1. Deterministic CI: PR_VALIDATION_CONCLUSION: in_progress:in_progress — orchestrator has not completed. Relevant check runs: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — conclusions not yet available.
    • ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
  2. Static impact reasoning: python-multipart is not an ABI-sensitive package; no Isaac Sim or GPU-path constraints apply. The patch bump has no known peer-dependency conflicts.

hypothesis

Release notes: Fixes a rare internal error during Phase.explain for certain strategies introduced in 6.149.0 (issue #4708). Source: (hypothesis.readthedocs.io/redacted)

No GHSA/CVE advisories found for hypothesis in this patch range. Dev dependency only.

Validation Signal

  1. Deterministic CI: in_progress:in_progress — pending.
  2. Static impact reasoning: Patch bugfix release; no ABI sensitivity.

schemathesis

Release notes: Minor version release (4.16.1 → 4.17.0) with 15 new additions (resource-pool fuzzing, link chaining, runtime pool seeding from JWT credentials, dependency inference improvements) and ~25 bug fixes (false-positive results, crash fixes, Unicode pattern corrections). Source: schemathesis/schemathesis@v4.16.1...v4.17.0

No GHSA/CVE advisories found. Dev dependency (API test runner only). Minor bump with extensive changes — confirm test suite passes locally before merge.

Transitive note: jsonschema-rs bumped 0.46.20.46.4 in uv.lock as a transitive dependency of schemathesis. This is a lockfile-only change with no manifest edit. No published advisories found.

Validation Signal

  1. Deterministic CI: in_progress:in_progress — pending.
  2. Static impact reasoning: Test-only dependency; no runtime surface exposure. The minor bump is extensive but carries no known breaking API changes.

huggingface-hub

Release notes: v1.13.0 adds new CLI commands (hf models card, hf datasets card, hf spaces card, hf datasets leaderboard), Space lifecycle commands, HF URI parsing centralisation, and replaces the blocking auto-update prompt with a non-blocking warning. Source: https://github.com/huggingface/huggingface_hub/releases/tag/v1.13.0

No GHSA/CVE advisories found. Optional extra (huggingface); not loaded in default runtime. Minor version bump with additive CLI and API changes.

Validation Signal

  1. Deterministic CI: in_progress:in_progress — pending.
  2. Static impact reasoning: Optional extra, not a core runtime dep. No ABI sensitivity.

ultralytics

Release notes: Five patch versions (8.4.41 → 8.4.46) covering: fix multiscale minimum train size, fix pretrained checkpoint training regression, improve data/fraction args across export formats, stop resume when training is already finished. Source: ultralytics/ultralytics@v8.4.41...v8.4.46

Advisory check: GHSA-7x29-qqmq-v6qc is a GitHub Actions script injection advisory for the ultralytics/actions GitHub Action — not the ultralytics PyPI package. Not applicable here.

No GHSA/CVE advisories found affecting the ultralytics PyPI package in this range. Optional extra (yolo); not loaded in default runtime.

Validation Signal

  1. Deterministic CI: in_progress:in_progress — pending.
  2. Static impact reasoning: Optional YOLO extra; no ABI-sensitive packages involved (no numpy, torch, or onnxruntime changes).

Risk Assessment

No high-risk triggers apply:

  • No numpy, torch, tensordict, onnxruntime-gpu, scipy, scikit-learn, pyarrow, or opencv* bumps.
  • No major version boundaries crossed.
  • No Isaac Sim ABI constraints implicated (training/rl/requirements.txt not in diff).
  • schemathesis and hypothesis are dev/test dependencies with no production surface.
  • huggingface-hub and ultralytics are optional extras.

Advisory verdict: COMMENT — CI is still in progress (in_progress:in_progress); verdict will remain advisory until Dataviewer Backend Pytest, Pytest Data Management Tools, and Python Lint check runs complete.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

  • #602 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #602 · ● 1.4M

Comment thread data-management/viewer/backend/uv.lock
Comment thread data-management/viewer/backend/pyproject.toml
Comment thread data-management/viewer/backend/pyproject.toml
@katriendg katriendg merged commit 6c27ab5 into main May 5, 2026
48 checks passed
@katriendg katriendg deleted the dependabot/uv/data-management/viewer/backend/dataviewer-backend-dependencies-8968a544de branch May 5, 2026 06:49
@physical-ai-toolchain-release physical-ai-toolchain-release Bot mentioned this pull request May 5, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request May 8, 2026
@physical-ai-toolchain-release @github-actions
chore(main): release 0.8.0 (#450)
f906f37 
🤖 I have created a release *beep* *boop*
---


##
[0.8.0](v0.7.4...v0.8.0)
(2026-05-08)


### ⚠ BREAKING CHANGES

* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))

### ✨ Features

* **agents:** add automated validation for high-risk Dependabot bumps
([#574](#574))
([8c3686a](8c3686a)),
closes
[#573](#573)
* **data:** add camera selector to annotation workspace and fix AV1
frame extraction
([#591](#591))
([c809d2f](c809d2f))
* **data:** seed dataviewer frontend test foundation and per-section
codecov flags
([#594](#594))
([c06c4e3](c06c4e3))
* **dataviewer:** add OWASP security middleware stack
([#439](#439))
([239edb9](239edb9))
* **infrastructure:** add conversion pipeline Terraform module
([#542](#542))
([244531e](244531e))
* **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with
secure auth and skrl 2.0.0 compatibility
([#492](#492))
([edfd7a5](edfd7a5))
* **pipeline:** add ACSA setup for ROS2 bag sync to Blob
([#451](#451))
([c271a54](c271a54))
* **workflows:** add advisory Dependabot PR reviewer agentic workflow
([#498](#498))
([d4bb140](d4bb140))
* **workflows:** trigger AW Dependabot PR reviewer after PR Validation
([#580](#580))
([7ab3d16](7ab3d16))


### 🐛 Bug Fixes

* **ci:** correct stale version comment for
actions/create-github-app-token
([#506](#506))
([b2e9a54](b2e9a54))
* **ci:** restore data-pipeline and training broken tests by domain
folder restructure
([#547](#547))
([06d8472](06d8472))
* **docs:** update remaining stale 'Coming soon' labels in
docs/README.md
([#507](#507))
([02439d6](02439d6))
* **docs:** update stale coming soon label for Training section
([#472](#472))
([46db49b](46db49b))
* **evaluation:** scope SIL AzureML validation code path and script
reference
([#387](#387))
([9f138a9](9f138a9))
* **infrastructure:** OSMO workflow execution, PostgreSQL public access,
and quickstart corrections
([#477](#477))
([9ed2da6](9ed2da6))
* **scripts:** exclude CHANGELOG.md from changed-files msdate check
([#644](#644))
([8133bdc](8133bdc))
* **workflows:** allow dependabot[bot] to activate AW Dependabot PR
Review
([#586](#586))
([39dc022](39dc022))
* **workflows:** correct branches filter on AW Dependabot PR Review
workflow_run trigger
([#584](#584))
([fe06b52](fe06b52))
* **workflows:** normalize validate.yaml placeholder env/compute values
([#510](#510))
([340ff44](340ff44))
* **workflows:** recompile aw-dependabot-pr-review lock file
([#576](#576))
([d77c167](d77c167))
* **workflows:** switch AW Dependabot PR Review to pull_request_target
([#589](#589))
([3f1edd1](3f1edd1))


### 📚 Documentation

* **docs:** Fix deployment guide links
([#614](#614))
([0070b04](0070b04))
* document dependency-pinning-artifacts directory purpose
([#508](#508))
([50e0010](50e0010))


### 📦 Build System

* **training:** standardize on Python 3.12 across manifests, containers,
and runtime scripts
([#541](#541))
([7ad014a](7ad014a))


### 🔧 Operations

* **build:** add Copilot cloud agent setup-steps workflow
([#593](#593))
([c912668](c912668))


### 🔧 Miscellaneous

* **build:** exclude auto-generated CHANGELOG.md from cspell and seed
dictionary
([#582](#582))
([de1dd57](de1dd57))
* **build:** redesign codecov flags and split pytest CI per component
([#520](#520))
([357e745](357e745))
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4,
MSAL 5, ESLint 10
([#524](#524))
([50f8ad4](50f8ad4))
* **dataviewer:** repoint stale src/dataviewer references to
data-management/viewer
([#504](#504))
([88fa1b4](88fa1b4)),
closes
[#503](#503)
* **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1
([#618](#618))
([ca10f2a](ca10f2a))
* **deps-dev:** bump globals from 15.15.0 to 17.5.0 in
/data-management/viewer/frontend
([#527](#527))
([0e0b2ae](0e0b2ae))
* **deps-dev:** bump ip-address from 10.1.0 to 10.2.0
([#616](#616))
([816c9cf](816c9cf))
* **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the
root-npm-dependencies group across 1 directory
([#626](#626))
([0e2f293](0e2f293))
* **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the
python-dependencies group across 1 directory
([#629](#629))
([c24f1c1](c24f1c1))
* **deps-dev:** bump the python-dependencies group across 1 directory
with 2 updates
([#514](#514))
([8410f4b](8410f4b))
* **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the
inference-dependencies group across 1 directory
([#597](#597))
([6141db4](6141db4))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer
([#424](#424))
([5fb6d58](5fb6d58))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in
/data-management/viewer/backend
([#423](#423))
([b516ad5](b516ad5))
* **deps:** bump lucide-react from 0.469.0 to 1.8.0 in
/data-management/viewer/frontend
([#528](#528))
([1bdfc1e](1bdfc1e))
* **deps:** bump nginx from `8aa63af` to `5616878` in
/data-management/viewer/frontend
([#511](#511))
([9e7e20e](9e7e20e))
* **deps:** bump nginx from 1.27-alpine to 1.29-alpine in
/data-management/viewer/frontend
([#484](#484))
([0e5c3dd](0e5c3dd))
* **deps:** bump node from `435f353` to `e49fd70` in
/data-management/viewer/frontend
([#560](#560))
([2884649](2884649))
* **deps:** bump react-is from 18.3.1 to 19.2.5 in
/data-management/viewer/frontend
([#530](#530))
([d51318c](d51318c))
* **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the
inference-dependencies group across 1 directory
([#456](#456))
([b24e733](b24e733))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 2 updates
([#531](#531))
([171a1da](171a1da))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#516](#516))
([4f9a577](4f9a577))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 5 updates
([#602](#602))
([6c27ab5](6c27ab5))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 2 updates
([#529](#529))
([8646971](8646971))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#601](#601))
([d28fb50](d28fb50))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 3 updates
([#632](#632))
([4ca5f3e](4ca5f3e))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#515](#515))
([109ee81](109ee81))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 6 updates
([#630](#630))
([04d5dfd](04d5dfd))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 9 updates
([#563](#563))
([c08f450](c08f450))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 4 updates
([#627](#627))
([f5825fc](f5825fc))
* **deps:** bump the docusaurus-dependencies group across 1 directory
with 6 updates
([#599](#599))
([b859344](b859344))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#459](#459))
([2609c52](2609c52))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#517](#517))
([f54bf5d](f54bf5d))
* **deps:** bump the inference-dependencies group across 1 directory
with 11 updates
([#562](#562))
([087f53a](087f53a))
* **deps:** bump the inference-dependencies group across 1 directory
with 2 updates
([#628](#628))
([4a3be47](4a3be47))
* **deps:** bump the pip group across 2 directories with 1 update
([#494](#494))
([a14b6b0](a14b6b0))
* **docs:** update stale Python 3.11 references to 3.12
([#575](#575))
([6f85c95](6f85c95))
* **scripts:** remove redundant SC1091 disables in OSMO deploy scripts
([#509](#509))
([ae1cb82](ae1cb82))


### 🔒 Security

* **build:** pin dependencies and hash-verify downloads
([#465](#465))
([0289f49](0289f49))
* **build:** remediate dependency security advisories
([#479](#479))
([7196d6d](7196d6d))
* **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2
([#454](#454))
([cb158f1](cb158f1))
* **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0
([#495](#495))
([e983b8b](e983b8b))
* **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the
python-dependencies group
([#598](#598))
([83384d2](83384d2))
* **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the
root-npm-dependencies group
([#559](#559))
([32bde35](32bde35))
* **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus
([#455](#455))
([66f86ca](66f86ca))
* **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in
/data-management/viewer/frontend
([#569](#569))
([a652dba](a652dba))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#457](#457))
([749d231](749d231))
* **deps-dev:** bump the python-dependencies group with 2 updates
([#485](#485))
([71b44fd](71b44fd))
* **deps-dev:** bump the python-dependencies group with 3 updates
([#564](#564))
([9fc52fd](9fc52fd))
* **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus
in the docusaurus-dependencies group
([#513](#513))
([5694dbc](5694dbc))
* **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to
20260409.v4 in /evaluation/sil/docker
([#480](#480))
([25d4df8](25d4df8))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in
the uv group across 1 directory
([#538](#538))
([92c5b2e](92c5b2e))
* **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot
([#638](#638))
([6261d19](6261d19))
* **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in
/docs/docusaurus
([#469](#469))
([0458908](0458908))
* **deps:** bump gitpython and mako for lerobot IL training
([#623](#623))
([9f8022b](9f8022b))
* **deps:** bump node from 24.14.1-slim to 25.9.0-slim in
/data-management/viewer/frontend
([#482](#482))
([1532d09](1532d09))
* **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the
inference-dependencies group
([#483](#483))
([f4afb6c](f4afb6c))
* **deps:** bump pillow from 12.1.1 to 12.2.0
([#467](#467))
([39fb663](39fb663))
* **deps:** bump python from 3.11-slim to 3.14-slim in
/data-management/viewer/backend
([#481](#481))
([7af9dfc](7af9dfc))
* **deps:** bump the dataviewer-backend-dependencies group across 1
directory with 15 updates
([#428](#428))
([e4446a2](e4446a2))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 4 updates
([#487](#487))
([0f57c5b](0f57c5b))
* **deps:** bump the dataviewer-backend-dependencies group in
/data-management/viewer/backend with 8 updates
([#566](#566))
([d6e7869](d6e7869))
* **deps:** bump the dataviewer-dependencies group across 1 directory
with 5 updates
([#464](#464))
([24c208d](24c208d))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 2 updates
([#486](#486))
([90149f3](90149f3))
* **deps:** bump the dataviewer-dependencies group in
/data-management/viewer with 6 updates
([#565](#565))
([f0bb36b](f0bb36b))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1
directory with 10 updates
([#613](#613))
([e481f83](e481f83))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#534](#534))
([5478ab6](5478ab6))
* **deps:** bump the github-actions group with 2 updates
([#488](#488))
([4e6ce98](4e6ce98))
* **deps:** bump the github-actions group with 3 updates
([#567](#567))
([48c38dc](48c38dc))
* **deps:** bump the github-actions group with 3 updates
([#634](#634))
([00cfb49](00cfb49))
* **deps:** bump the github-actions group with 6 updates
([#603](#603))
([73eb79a](73eb79a))
* **deps:** bump the training-dependencies group across 1 directory with
23 updates
([#463](#463))
([d5a8656](d5a8656))
* **deps:** bump yaml from 2.8.2 to 2.8.3 in
/data-management/viewer/frontend
([#453](#453))
([10449df](10449df))
* pytest harness, dependabot advisories, and OSSF Scorecard remediations
([#501](#501))
([e8756e8](e8756e8))
* **scripts:** pin and hash-verify all shell script downloads
([#468](#468))
([0c2bb9c](0c2bb9c))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@katriendg katriendg katriendg approved these changes

Assignees

No one assigned

Labels

dataviewer dependencies Dependency version updates python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codecov-commenter @katriendg