Dependency Review
The following issues were found:
- Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
- License Issues: evaluation/pyproject.toml
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:

```
@@ Coverage Diff @@
##             main     #597      +/-   ##
==========================================
+ Coverage   65.16%   67.70%   +2.53%
==========================================
  Files         251      263      +12
  Lines       15597    16827    +1230
  Branches     2152     2290     +138
==========================================
+ Hits        10164    11392    +1228
  Misses       5142     5142
- Partials      291      293       +2
```

*This pull request uses carry forward flags.*
Force-pushed from 3a62ea3 to cde73b7.
Advisory Review Summary
- Ecosystem: pip (uv)
- Surface: python-runtime (evaluation)
- Manifest: evaluation/pyproject.toml
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| azure-core | 1.39.0 | 1.40.0 | None | python-runtime (evaluation) |
azure-core
Advisory: No CVE or GHSA identifiers are referenced in this PR. No known security advisories were found for this release. Source: azure-core releases.
Release notes highlights (from PR body, sourced from azure-core releases):
Features Added
- Added support for per-operation `http_logging_level` overrides in `HttpLoggingPolicy`. #44115
- Introduced `additional_allowed_query_params` to `DistributedTracingPolicy` and `HttpLoggingPolicy`. #46482
Other Changes
- URL attributes in HTTP tracing spans will now have query parameters sanitized by default. #46482
- Python 3.9 is no longer supported.
Repo-specific risk notes:
- Python 3.9 end-of-support is not a concern; this repo requires `>=3.12`.
- The default query-param sanitization in HTTP tracing spans is a subtle behavior change. If evaluation code inspects span attributes or `HttpLoggingPolicy` output for raw query strings, those values will now be redacted. Use `additional_allowed_query_params` to allowlist parameters that must remain visible.
- This is a minor version bump with no ABI-sensitive packages affected (not `numpy`, `torch`, `tensordict`, or `onnxruntime-gpu`).
- Manifest-only change in `evaluation/pyproject.toml`; no lockfile-only transitive pin.
Validation Signal
Deterministic CI: PR Validation: pending
⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
Relevant per-surface check runs for python-runtime (evaluation):
| Check Run | Conclusion | Link |
|---|---|---|
| Python Lint / Ruff Lint and Format Check | success | view |
| Pytest Inference | skipped | view |
| pr-validation-summary | queued | view |
Pytest Inference is skipped for this PR. The pr-validation-summary orchestrator is still queued. Verdict is held at COMMENT until the orchestrator completes.
Static impact reasoning: No Isaac Sim ABI guard applies (no changes to training/rl/). No ABI-sensitive packages are touched. The only static concern is the default query-param sanitization behavior change noted above.
Advisory verdict: COMMENT — the deterministic CI orchestrator has not yet completed; Pytest Inference was skipped, so evaluation-specific test coverage for this bump is absent. The bump itself presents no known security risk and no high-risk triggers for the python-runtime (evaluation) surface.
Generated by AW Dependabot PR Review for issue #597 · ● 306.3K
@dependabot rebase
Bumps the inference-dependencies group with 1 update in the /evaluation directory: [azure-core](https://github.com/Azure/azure-sdk-for-python).

Updates `azure-core` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/Azure/azure-sdk-for-python/releases)
- [Commits](Azure/azure-sdk-for-python@azure-core_1.39.0...azure-core_1.40.0)

---
updated-dependencies:
- dependency-name: azure-core
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: inference-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed from cde73b7 to 1f3374f.
Advisory Review Summary
- Ecosystems touched: pip (uv-managed)
- Surfaces touched: python-runtime (evaluation)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| azure-core | 1.39.0 | 1.40.0 | None (no advisory) | python-runtime (evaluation) |
azure-core
Advisory: No GHSA or CVE identifiers found for this release. No known security vulnerabilities in the azure-core 1.39.0 → 1.40.0 range as of review time. (PyPI)
Release notes highlights (sourced from azure-core releases):
Features Added
- Added support for per-operation `http_logging_level` overrides in `HttpLoggingPolicy`. #44115
- Introduced `additional_allowed_query_params` keyword to `DistributedTracingPolicy` and `HttpLoggingPolicy`. #46482
Other Changes
- URL attributes in HTTP tracing spans will now have query parameters sanitized by default. #46482
- Python 3.9 is no longer supported (repo requires `>=3.12` — no impact).
Repo-specific risk notes:
- Minor version bump only; no major version crossing. `azure-core` is not ABI-sensitive; no Isaac Sim / CUDA compatibility concern.
- The query-parameter sanitization behavior change in tracing spans is a default-on change. Existing evaluation code that reads span attributes would see query params redacted unless `additional_allowed_query_params` is passed.
- `evaluation/pyproject.toml` also pins `numpy==2.2.6`, `onnxruntime-gpu==1.25.1`, `torch==2.10.0`, and `tensordict==0.12.2` — none of those are changed in this PR.
- Isaac Sim ABI guard: not applicable; `training/rl/requirements.txt` is not in this diff.
Validation Signal
Deterministic CI: The PR Validation orchestrator (pr-validation-summary) completed with success per check-run inspection. The PR_VALIDATION_CONCLUSION environment variable read `in_progress:in_progress` at agent-start time (timing artifact). Relevant per-surface check runs:
- Evaluation Pytest / Evaluation Pytest — success (link)
- Python Lint / Ruff Lint and Format Check — success (link)
- Pytest Inference — skipped (not triggered for this diff scope)
Static impact reasoning: The diff is limited to a single pin update in evaluation/pyproject.toml. No training/rl/requirements.txt change; Isaac Sim numpy>=1.26.0,<2.0.0 ABI guard does not apply. No peer-dep conflict checks are needed (pip ecosystem).
PR_VALIDATION_CONCLUSION was in_progress:in_progress at env-capture time; per policy, verdict is held at COMMENT. Based on the completed check runs above, all relevant surfaces are green.
Advisory verdict: COMMENT — PR_VALIDATION_CONCLUSION was in_progress:in_progress at capture time; holding verdict at COMMENT per policy despite all relevant check runs showing success. No security advisories. Safe to merge once CI is confirmed complete.
Generated by AW Dependabot PR Review for issue #597 · ● 322.4K
Bumps the inference-dependencies group with 1 update in the /evaluation directory: azure-core.
Updates `azure-core` from 1.39.0 to 1.40.0
Release notes
Sourced from azure-core's releases.
Commits
- c14e6ba [Core] Prepare release (#46612)
- a08ffff [Core] Set kwarg explicitly in method signatures (#46633)
- 2bdb89e [Core] Prepare release (#46631)
- 73df99a [Core] Add + refactor query param sanitization (#46482)
- 3db7fb5 Update coreflask server startup (#46263)
- e18edb6 Swap CI to CFS (#45995)
- bd33baf NO_CI [Doc] Update references to wiki pages (#46169)
- f51d146 Make HttpLoggingPolicy log level configurable (#44115)
- 20f80d9 Add doc for the envs supported in azure-core (#45975)
- e8b2c42 [Core] Make _enforce_https a module level function (#45890)