Dependency Review
The following issues were found:
Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
License Issues: data-management/viewer/uv.lock
OpenSSF Scorecard
Scanned Files
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
```diff
@@            Coverage Diff             @@
##             main     #601      +/-   ##
==========================================
+ Coverage   65.16%   67.70%   +2.53%
==========================================
  Files         251      263      +12
  Lines       15597    16827    +1230
  Branches     2193     2331     +138
==========================================
+ Hits        10164    11392    +1228
  Misses       5142     5142
- Partials      291      293       +2
```
This pull request uses carry forward flags.
Advisory Review Summary
Affected ecosystems and surfaces:
pip/python-runtime — data-management/viewer/pyproject.toml + data-management/viewer/uv.lock (grouped dataviewer-dependencies update, 3 packages)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| python-multipart | 0.0.26 | 0.0.27 | Unconfirmed (security-labeled) | python-runtime |
| huggingface-hub | 1.12.0 | 1.13.0 | None | python-runtime |
| ultralytics | 8.4.41 | 8.4.46 | None | python-runtime |
python-multipart
Advisory: No explicit GHSA or CVE ID appears in the PR body. Dependabot designated this security(deps):, indicating a linked advisory. The 0.0.27 changelog adds multipart header limits (Kludex/python-multipart#267) — a standard DoS hardening measure for multipart parsers — and passes parse offsets via constructors (#268). Severity cannot be rated without a confirmed identifier.
Release notes highlights (compare view):
Repo-specific risk: Required base dependency of the FastAPI backend. Patch bump; no breaking changes; manifest and lockfile both updated (not lockfile-only).
Validation Signal
- Deterministic CI: PR Validation: in_progress:queued
  ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
  Relevant check runs: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — all pending.
- Static impact reasoning: Manifest (pyproject.toml) and lockfile (uv.lock) both updated; not a lockfile-only pin. Patch bump; no ABI-sensitive packages touched.
huggingface-hub
Advisory: No security advisory. Minor version bump (1.12.0 → 1.13.0).
Release notes highlights (v1.13.0):
- New CLI commands: hf models card, hf datasets card, hf datasets leaderboard, file listings in ls subcommands
- New Spaces lifecycle commands: hf spaces pause, hf spaces restart, hf spaces settings
- Blocking interactive auto-update prompt removed; replaced with non-interactive hf update
Repo-specific risk: Used under the optional [huggingface] extra. Minor version bump; API backward-compatible per release notes.
Validation Signal
- Deterministic CI: PR Validation: in_progress:queued — relevant check runs not yet available.
- Static impact reasoning: Minor version bump within an optional extra; no ABI or breaking-change signals in changelog.
ultralytics
Advisory: No security advisory. Patch bump across five consecutive releases (8.4.41 → 8.4.46).
Release notes highlights (compare view):
- 8.4.46: Fix multiscale minimum train size
- 8.4.45: Fix pretrained checkpoint training regression
- 8.4.44: Apply pretrained arg across model trainers
- Improve export results path and data/fraction args across export formats
Repo-specific risk: Used under the optional [yolo] extra for YOLO-based annotation inference. Patch level; no breaking changes noted.
Validation Signal
- Deterministic CI: PR Validation: in_progress:queued — relevant check runs not yet available.
- Static impact reasoning: Patch bump; not an ABI-sensitive package in this surface context (not training/rl/).
Advisory verdict: COMMENT — PR Validation is still queued (in_progress:queued); advisory details for the security(deps): label could not be confirmed from the PR body (no explicit GHSA/CVE IDs present). All three bumps are patch or minor level with no high-risk surface triggers (no ABI-sensitive packages, no major version jumps). Re-evaluate once Dataviewer Backend Pytest and Python Lint check runs complete at PR Validation run.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```
Generated by AW Dependabot PR Review for issue #601
ed26398 to 024121b
Advisory Review Summary
Grouped Dependabot PR bumping 3 packages in the dataviewer-dependencies group under data-management/viewer/.
Ecosystems and surfaces touched:
uv/pip — data-management/viewer/pyproject.toml + uv.lock → python-runtime (dataviewer) surface
Package table:
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| python-multipart | 0.0.26 | 0.0.27 | None found | python-runtime (dataviewer) |
| huggingface-hub | 1.12.0 | 1.13.0 | None found | python-runtime (dataviewer) |
| ultralytics | 8.4.41 | 8.4.46 | None found | python-runtime (dataviewer) |
Note — transitive-only lockfile detection: Both pyproject.toml (manifest) and uv.lock (lockfile) are updated for all three packages, confirming these are direct dependency bumps, not transitive-only pins.
python-multipart
Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs (OSV, NVD) were unreachable from the review sandbox; no fabricated severities are reported.
Release notes (0.0.27, 2026-04-27):
Changelog: Kludex/python-multipart@0.0.26...0.0.27
Risk notes: Patch bump; no breaking changes identified. The python-multipart library is used by FastAPI for form data and file upload parsing in the dataviewer backend.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress — the orchestrator has not yet completed at review time. Relevant check runs for this surface: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint. Results are not yet available.
- Static impact reasoning: No ABI-sensitive packages (e.g., numpy, torch, onnxruntime-gpu) are touched. Bump is a patch release with no Isaac Sim or CUDA boundary implications.
huggingface-hub
Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs were unreachable from the review sandbox.
Release notes highlights (v1.13.0, 2026-04-30):
- New CLI commands: hf models card, hf datasets card, hf spaces card, file listings, hf datasets leaderboard
- Space lifecycle management via CLI (hf spaces pause, hf spaces restart, hf spaces settings)
- Breaking behavior change for CLI automation: The blocking Y/n auto-update prompt at CLI startup is removed. Replaced with a non-blocking stderr warning and hf update command. Set HF_HUB_DISABLE_UPDATE_CHECK=1 to silence in offline CI.
- hf:// URI parsing centralised
Changelog: https://github.com/huggingface/huggingface_hub/releases/tag/v1.13.0
Risk notes: Minor bump (1.12.0 → 1.13.0). The auto-update prompt removal is a CLI behavioral change but does not affect the programmatic Python API used by the dataviewer backend. No ABI concerns. The [huggingface] optional dependency group is used by the dataviewer for Hub dataset integration.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress. Relevant check runs: Dataviewer Backend Pytest, Python Lint. Not yet available.
- Static impact reasoning: Minor version bump; all changes are additive CLI features or behavioral improvements. No import API renames noted.
ultralytics
Advisory: No GHSA or CVE identifiers found in the PR body. External advisory APIs were unreachable from the review sandbox.
Commits (8.4.41 → 8.4.46):
Compare: ultralytics/ultralytics@v8.4.41...v8.4.46
Risk notes: Five patch releases since 8.4.41; all are bug fixes with no API removals noted. ultralytics depends on torch and torchvision transitively, but this patch bump does not cross any torch major-version boundary. Used in the [yolo] optional dependency group for YOLO inference in the dataviewer backend.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress. Relevant check runs: Dataviewer Backend Pytest, Python Lint. Not yet available.
- Static impact reasoning: Patch bump across 5 releases. No Isaac Sim path touched (training/rl/ not in diff). No numpy ABI guard applies here — ultralytics is in the dataviewer [yolo] optional group, not the RL training stack.
Advisory verdict: COMMENT — CI is still in progress (in_progress:in_progress); no advisory identifiers found for any of the three bumps; all changes are patch or minor version bumps with no high-risk ABI, peer-dep, or breaking-change signals. Maintainers may merge once Dataviewer Backend Pytest, Pytest Data Management Tools, and Python Lint pass.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```
Generated by AW Dependabot PR Review for issue #601
@dependabot rebase
…y with 3 updates

Bumps the dataviewer-dependencies group with 3 updates in the /data-management/viewer directory: [python-multipart](https://github.com/Kludex/python-multipart), [huggingface-hub](https://github.com/huggingface/huggingface_hub) and [ultralytics](https://github.com/ultralytics/ultralytics).

Updates `python-multipart` from 0.0.26 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

Updates `huggingface-hub` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.12.0...v1.13.0)

Updates `ultralytics` from 8.4.41 to 8.4.46
- [Release notes](https://github.com/ultralytics/ultralytics/releases)
- [Commits](ultralytics/ultralytics@v8.4.41...v8.4.46)

---
updated-dependencies:
- dependency-name: huggingface-hub
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dataviewer-dependencies
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
- dependency-name: ultralytics
  dependency-version: 8.4.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dataviewer-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
024121b to 09de262
Advisory Review Summary
Grouped Dependabot bump across 1 directory (data-management/viewer/) with 3 packages. All changes touch both the manifest (pyproject.toml) and the lockfile (uv.lock) — not transitive-only.
Affected ecosystems and surfaces:
uv/pip under data-management/viewer/ → python-runtime (dataviewer)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| python-multipart | 0.0.26 | 0.0.27 | None | python-runtime (dataviewer) |
| huggingface-hub | 1.12.0 | 1.13.0 | None | python-runtime (dataviewer) |
| ultralytics | 8.4.41 | 8.4.46 | None | python-runtime (dataviewer) |
python-multipart
No GHSA or CVE advisories found. Patch release (0.0.26 → 0.0.27) adds multipart header limits and passes parse offsets via constructors. This is a core dependency used by FastAPI for file/form uploads in the dataviewer backend. No breaking changes in the changelog.
Repo-specific risk: Low. Patch bump with security-hardening characteristics (header limits). No ABI sensitivity.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress
  ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
- Relevant check runs: Dataviewer Backend Pytest, Pytest Data Management Tools, Python Lint — conclusions pending.
- Static impact reasoning: No training/rl/ paths in this diff; Isaac Sim ABI guard does not apply. No ABI-sensitive packages (numpy, torch, onnxruntime-gpu) are changed.
huggingface-hub
No GHSA or CVE advisories found. Minor release (1.12.0 → 1.13.0) adds new CLI capabilities and centralizes hf:// URI parsing. The blocking interactive auto-update prompt at CLI startup is removed (replaced with a passive stderr warning). Used only under the optional huggingface extra in the dataviewer. See v1.13.0 release notes.
Repo-specific risk: Low. Minor bump with additive CLI features only. No API-breaking changes relevant to hub download workflows used by the dataviewer.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress — pending.
- Static impact reasoning: Optional extra; only loaded when the huggingface install target is selected. No ABI constraints.
ultralytics
No GHSA or CVE advisories found. Patch bump spanning 5 releases (8.4.41 → 8.4.46). Fixes include: pretrained-checkpoint training regression (8.4.45), pretrained arg propagation across model trainers (8.4.44), multiscale minimum train size fix (8.4.46), and improved export results path handling. Used only under the optional yolo extra. See compare view.
Repo-specific risk: Low. Optional extra; all changes are internal bug fixes to training/export pipelines. No YOLO inference API changes. Not in training/rl/ scope so no Isaac Sim ABI concern.
Validation Signal
- Deterministic CI: PR Validation: in_progress:in_progress — pending.
- Static impact reasoning: ultralytics is not in the Isaac Sim ABI-sensitive list. Patch bump only; no CUDA/driver compatibility concerns noted.
Advisory verdict: COMMENT — CI validation is still in progress (in_progress:in_progress); all three bumps are patch/minor with no advisory identifiers, no high-risk triggers, and no ABI-sensitive packages. Safe to approve once Dataviewer Backend Pytest, Pytest Data Management Tools, and Python Lint checks pass.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #601 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```
Generated by AW Dependabot PR Review for issue #601
Bumps the dataviewer-dependencies group with 3 updates in the /data-management/viewer directory: python-multipart, huggingface-hub and ultralytics.
Updates python-multipart from 0.0.26 to 0.0.27
Release notes
Sourced from python-multipart's releases.
Changelog
Sourced from python-multipart's changelog.
Commits
- 6d1d689 Version 0.0.27 (#272)
- 0b10220 Run CI on main branch pull requests (#271)
- 3e64f5f Add multipart header limits (#267)
- eb109cc Pass parse offsets via constructors (#268)
- 78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
- b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
Updates huggingface-hub from 1.12.0 to 1.13.0
Release notes
Sourced from huggingface-hub's releases.
... (truncated)
Commits
- 3790483 Release: v1.13.0
- b648072 Release: v1.13.0.rc0
- 6e89ade [CLI] Make --format / --json / -q global (#4162)
- 6a57790 [CLI] Add hf spaces hardware command (#4169)
- 5fb553d Centralize hf:// URI parsing (#4158)
- bc4069b [CLI] Add file listing to models/datasets/spaces ls (#4166)
- 81e04b3 [CLI] Add --hardware flag to hf spaces settings (#4163)
- c1775a5 Avoid reuploading preuploaded LFS files (#4165)
- 1b2bce2 [Release] Mark minor releases as "latest" on GitHub (#4167)
- 47437a6 Add bucket+mount transport for Jobs script upload (#4025)
Updates ultralytics from 8.4.41 to 8.4.46
Commits
- 0ca0b6d ultralytics 8.4.46 Fix multiscale minimum train size (#24394)
- 1c68a1e Fix docs strict validation warnings (#24389)
- b4cf7c4 Improve export results path to point to actual artifact path (#24316)
- 670237c Improve data and fraction args across export formats (#24382)
- 4da693f Add https://youtu.be/FvWl00sD4rc to docs (#24370)
- 5840258 Fix: stop resume when training is already finished (#24386)
- 08edc82 Improve RKNN exports to highlight non-int8 supported chips (#24384)
- 79b2086 ultralytics 8.4.45 Fix pretrained checkpoint training regression (#24378)
- a8ff07a ultralytics 8.4.44 Apply pretrained arg across model trainers (#24374)
- 62bd0e0 Docs: Datasets Clustering (#24376)