security(deps): bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot in the pip group across 1 directory #621
Bumps the pip group with 1 update in the /training/il/lerobot directory: [diffusers](https://github.com/huggingface/diffusers).

Updates `diffusers` from 0.35.2 to 0.38.0
- [Release notes](https://github.com/huggingface/diffusers/releases)
- [Commits](huggingface/diffusers@v0.35.2...v0.38.0)

---
updated-dependencies:
- dependency-name: diffusers
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependency Review: the following issues were found.
- Snapshot warnings: ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
- License issues: training/il/lerobot/requirements.txt
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@ Coverage Diff @@
##            main     #621   +/-   ##
=======================================
  Coverage   77.38%   77.38%
=======================================
  Files         272      272
  Lines       18140    18140
  Branches     2452     2452
=======================================
  Hits        14038    14038
  Misses       3677     3677
  Partials      425      425
```

This pull request uses carry forward flags.
Advisory Review Summary
Affected surfaces: python-runtime (training/il/lerobot — IL / LeRobot imitation learning)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| diffusers | 0.35.2 | 0.38.0 | No advisory in PR body | python-runtime (il-training) |
| cryptography | 46.0.7 | 48.0.0 | No advisory in PR body; security(deps): prefix implies CVE | python-runtime (il-training) |
diffusers
Bump: 0.35.2 → 0.38.0 (direct LeRobot dependency, lockfile-only pin in training/il/lerobot/requirements.txt)
Release highlights (from PR body — sourced from diffusers releases):
- New pipelines: LLaDA2 (discrete diffusion language model), NucleusMoE-Image (2B/17B MoE), ERNIE-Image (8B), LongCat-AudioDiT, ACE-Step 1.5, Flux.2 Small Decoder
- Bug fixes: latents_bn_std dtype cast in VAE normalisation, UniPC scheduler device mismatch, ErnieImagePipeline prompt embedding
ABI sensitivity: diffusers is not in the Isaac Sim ABI-sensitive set (numpy, torch, tensordict, onnxruntime-gpu). No GPU smoke-test gate applies. No training/rl/ manifest changes detected; Isaac Sim ABI guard does not apply.
Advisory enrichment: External advisory APIs (OSV.dev, GitHub Advisory, PyPI) were inaccessible from the sandbox firewall. No GHSA or CVE IDs appear in the PR body.
cryptography
Bump: 46.0.7 → 48.0.0 (transitive dependency via azure-identity and azure-storage-blob, lockfile-only pin)
This is a two-major-release jump. The security(deps): PR title prefix implies a known vulnerability in the 46.x line motivated the update. No GHSA or CVE IDs are present in the PR body and external APIs are blocked by the sandbox firewall.
Maintainer action: Verify the relevant advisories in the cryptography CHANGELOG for versions 47.x and 48.0.0.
Transitive-only pin note
Both package changes are lockfile-only updates to training/il/lerobot/requirements.txt. No corresponding manifest (pyproject.toml) change appears in the diff. This is expected for a pip-compiled lockfile.
Uncovered manifest note
training/il/lerobot/ is not listed in .github/dependabot.yml. The Dependabot configuration covers pip for /training/rl and /evaluation but not for /training/il/lerobot. This PR was triggered via a security alert rather than a scheduled Dependabot entry. Consider adding a pip entry for /training/il/lerobot to enable routine lockfile updates.
Validation Signal
Deterministic CI:
- PR_VALIDATION_CONCLUSION (env): in_progress:in_progress (captured before the orchestrator completed)
- pr-validation-summary: success
- Pytest Training / Pytest Training: success
- Python Lint / Ruff Lint and Format Check: success
The orchestrator env var captured an in-progress state; per-surface check runs have since completed successfully.
Static impact reasoning: Both changes are lockfile-only pins in training/il/lerobot/requirements.txt. No training/rl/requirements.txt or training/rl/pyproject.toml changes are present, so the Isaac Sim numpy ABI guard (>=1.26.0,<2.0.0) does not apply. cryptography is a security-critical transitive dependency; no ABI sensitivity to GPU runtimes.
Advisory verdict: COMMENT — PR_VALIDATION_CONCLUSION was in_progress:in_progress at agent start (per-surface checks are green). Advisory enrichment was limited by the sandbox network firewall; maintainers should verify cryptography CVE coverage before merging. The uncovered training/il/lerobot manifest entry in dependabot.yml is recommended.
🔒 - Generated by Copilot
Generated by AW Dependabot PR Review for issue #621
| deepdiff==8.6.2 | ||
| # via lerobot | ||
| diffusers==0.35.2 | ||
| diffusers==0.38.0 |
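Review bot: the pin change `diffusers==0.35.2` → `diffusers==0.38.0` carries no GHSA or CVE reference in the PR title or body despite the security(deps): prefix, so the lockfile change cannot be traced to the advisory it is meant to close; the description should cite that advisory before merge. The `# via lerobot` comment above the pin shows it is derived from lerobot's own requirement, and no manifest change accompanies it, so also confirm that lerobot's declared range admits 0.38.0 rather than relying on the lockfile alone.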
diffusers 0.35.2 → 0.38.0 (direct LeRobot dep, lockfile-only)
Minor version bump spanning three releases. Release highlights include new pipelines (LLaDA2, NucleusMoE, ERNIE-Image, ACE-Step 1.5, Flux.2 Small Decoder) and core library improvements — no ABI-breaking changes reported. Not in the Isaac Sim ABI-sensitive set (numpy, torch, tensordict, onnxruntime-gpu), so no GPU smoke-test gate applies.
| contourpy==1.3.3 | ||
| # via matplotlib | ||
| cryptography==46.0.7 | ||
| cryptography==48.0.0 |
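Review bot: the bump `cryptography==46.0.7` → `cryptography==48.0.0` in this hunk is absent from the PR title and body, which describe a single update (diffusers only), so a two-major-version change to a security-critical package is undocumented; the description should list it explicitly, state the advisory that motivated it (none is cited), and confirm that the transitive consumers pinning it accept 48.x before the lockfile is merged.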
cryptography 46.0.7 → 48.0.0 (transitive, lockfile-only)
This is a two-major-release jump for a security-critical package. The security(deps): PR title prefix signals that a known vulnerability in the 46.x line motivated this bump. Transitive consumers are azure-identity and azure-storage-blob.
No GHSA or CVE IDs appear in the PR body, and external advisory APIs are inaccessible from the sandbox. Verify the relevant advisories in the cryptography CHANGELOG for versions 47.x and 48.0.0 before merging.
Superseded by #638.
Updates `diffusers` from 0.35.2 to 0.38.0

Release notes

Sourced from diffusers's releases.

... (truncated)

Commits
- 275869d Release: v0.38.0-release
- 42a46e4 Fix missing latents_bn_std dtype cast in VAE normalization (#13299)
- 1a8a17b Add ACE-Step pipeline for text-to-music generation (#13095)
- 303c1d8 [Ernie-Image] Add lora support (#13575)
- 716f246 Fix UniPC scheduler device mismatch when using offloading (#13489)
- a5bc046 NucleusMoE docs (#13661)
- 4744648 [ci] use tokenizers stable installtion in CI. (#13562)
- 50cb2db feat: support ring attention with arbitrary KV sequence lengths (#13545)
- 0fff459 Fix ErnieImagePipeline pre-computed prompt_embeds + num_images_per_prompt sha...
- 2173c55 [docs] fix typo in AutoencoderOobleck docs (#13642) (#13645)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.