security(deps): bump the training-dependencies group across 1 directory with 76 updates

[dependabot]

Bumps the training-dependencies group with 76 updates in the /training/rl directory:

Package	From	To
numpy	1.26.4	2.4.4
azure-core	1.39.0	1.40.0
marshmallow	3.26.2	4.3.0
packaging	26.1	26.2
cryptography	46.0.7	47.0.0
rsl-rl-lib	5.0.1	5.2.0
tensordict	0.12.1	0.12.2
azure-core-tracing-opentelemetry	1.0.0b12	1.0.0b13
azure-storage-file-datalake	12.22.0	12.23.0
cachetools	6.2.6	7.1.1
certifi	2026.2.25	2026.4.22
click	8.3.2	8.3.3
cuda-pathfinder	1.5.3	1.5.4
cuda-toolkit	13.0.2	13.2.1
databricks-sdk	0.102.0	0.106.0
farama-notifications	0.0.4	0.0.6
fastapi	0.135.3	0.136.1
filelock	3.28.0	3.29.0
fsspec	2026.3.0	2026.4.0
gitpython	3.1.46	3.1.49
google-auth	2.49.2	2.50.0
greenlet	3.4.0	3.5.0
gunicorn	23.0.0	25.3.0
gymnasium	1.2.3	1.3.0
huey	2.6.0	3.0.0
idna	3.11	3.13
importlib-metadata	8.7.1	9.0.0
mako	1.3.11	1.3.12
matplotlib	3.10.8	3.10.9
mpmath	1.3.0	1.4.1
nvidia-cublas	13.1.0.3	13.4.1.1
nvidia-cuda-cupti	13.0.85	13.2.75
nvidia-cuda-nvrtc	13.0.88	13.2.78
nvidia-cuda-runtime	13.0.96	13.2.75
nvidia-cudnn-cu13	9.19.0.56	9.21.1.3
nvidia-cufft	12.0.0.61	12.2.0.46
nvidia-cufile	1.15.1.6	1.17.1.22
nvidia-curand	10.4.0.35	10.4.2.55
nvidia-cusolver	12.0.4.66	12.2.0.1
nvidia-cusparse	12.6.3.3	12.7.10.1
nvidia-cusparselt-cu13	0.8.0	0.9.1
nvidia-nccl-cu13	2.28.9	2.30.4
nvidia-nvjitlink	13.0.88	13.2.78
nvidia-nvshmem-cu13	3.4.5	3.6.5
nvidia-nvtx	13.0.85	13.2.75
onnx-ir	0.2.0	0.2.1
onnxscript	0.6.2	0.7.0
opentelemetry-api	1.40.0	1.41.1
opentelemetry-instrumentation	0.61b0	0.62b1
opentelemetry-instrumentation-asgi	0.61b0	0.62b1
opentelemetry-instrumentation-dbapi	0.61b0	0.62b1
opentelemetry-instrumentation-django	0.61b0	0.62b1
opentelemetry-instrumentation-fastapi	0.61b0	0.62b1
opentelemetry-instrumentation-flask	0.61b0	0.62b1
opentelemetry-instrumentation-logging	0.61b0	0.62b1
opentelemetry-instrumentation-psycopg2	0.61b0	0.62b1
opentelemetry-instrumentation-requests	0.61b0	0.62b1
opentelemetry-instrumentation-urllib	0.61b0	0.62b1
opentelemetry-instrumentation-urllib3	0.61b0	0.62b1
opentelemetry-instrumentation-wsgi	0.61b0	0.62b1
opentelemetry-proto	1.41.0	1.41.1
opentelemetry-sdk	1.40.0	1.41.1
opentelemetry-semantic-conventions	0.61b0	0.62b1
opentelemetry-util-http	0.61b0	0.62b1
pandas	2.3.3	3.0.2
protobuf	6.33.6	7.34.1
pyarrow	22.0.0	24.0.0
pydantic	2.13.1	2.13.3
pydantic-core	2.46.1	2.46.3
pytz	2025.2	2026.2
setuptools	81.0.0	82.0.1
skops	0.13.0	0.14.0
tzdata	2026.1	2026.2
uvicorn	0.44.0	0.46.0
wcwidth	0.6.0	0.7.0
wrapt	1.17.3	2.1.2

Updates numpy from 1.26.4 to 2.4.4

Release notes

Sourced from numpy's releases.

2.4.4 (Mar 29, 2026)

NumPy 2.4.4 Release Notes

The NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3 release. It should finally close issue #30816, the OpenBLAS threading problem on ARM.

This release supports Python versions 3.11-3.14

Contributors

A total of 8 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Charles Harris
• Daniel Haag +
• Denis Prokopenko +
• Harshith J +
• Koki Watanabe
• Marten van Kerkwijk
• Matti Picus
• Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

• #30978: MAINT: Prepare 2.4.x for further development
• #31049: BUG: Add test to reproduce problem described in #30816 (#30818)
• #31052: BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP (#31035)
• #31053: BUG: avoid warning on ufunc with where=True and no output
• #31058: DOC: document caveats of ndarray.resize on 3.14 and newer
• #31079: TST: fix POWER VSX feature mapping (#30801)
• #31084: MAINT: numpy.i: Replace deprecated sprintf with snprintf...

2.4.3 (Mar 9, 2026)

NumPy 2.4.3 Release Notes

The NumPy 2.4.3 is a patch release that fixes bugs discovered after the 2.4.2 release. The most user visible fix may be a threading fix for OpenBLAS on ARM, closing issue #30816.

This release supports Python versions 3.11-3.14

Contributors

A total of 11 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Antareep Sarkar +

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits

• be93fe2 Merge pull request #31090 from charris/prepare-2.4.4
• f5245dc REL: Prepare for the NumPy 2.4.4 release
• 02e838b Merge pull request #31084 from charris/backport-31056
• fa74b2d MAINT: numpy.i: Replace deprecated sprintf with snprintf (#31056)
• 533a6db Merge pull request #31079 from charris/backport-20801
• 9e496cb TST: fix POWER VSX feature mapping (#30801)
• 8052c4b Merge pull request #31058 from charris/backport-31021
• 7f13b5a MAINT: Skip test on PyPy.
• 4c5fdd6 MAINT: Remove unused import of tracemalloc.
• a3ca5ed Update numpy/_core/src/multiarray/shape.c
• Additional commits viewable in compare view

Updates azure-core from 1.39.0 to 1.40.0

Release notes

Sourced from azure-core's releases.

azure-core_1.40.0

1.40.0 (2026-04-30)

Features Added

• Added support for per-operation http_logging_level overrides in HttpLoggingPolicy. #44115
• Introduced the keyword argument additional_allowed_query_params to DistributedTracingPolicy and HttpLoggingPolicy to allow users to specify additional URL query parameters that should not be redacted in span attributes or logs. #46482
  • Users can specify this at the SDK client level by passing additional_allowed_query_params to the client constructor. For example: client = ServiceClient(..., additional_allowed_query_params={"custom_param"}). This will apply to all operations performed by the client.

Other Changes

• URL attributes in HTTP tracing spans will now have query parameters sanitized by default. To add additional query parameters that should not be redacted, use the additional_allowed_query_params argument in your client constructor. #46482
• Python 3.9 is no longer supported. Please use Python version 3.10 or later.

Commits

• c14e6ba [Core] Prepare release (#46612)
• a08ffff [Core] Set kwarg explicitly in method signatures (#46633)
• 2bdb89e [Core] Prepare release (#46631)
• 73df99a [Core] Add + refactor query param sanitization (#46482)
• 3db7fb5 Update core flask server startup (#46263)
• e18edb6 Swap CI to CFS (#45995)
• bd33baf NO_CI [Doc] Update references to wiki pages (#46169)
• f51d146 Make HttpLoggingPolicy log level configurable (#44115)
• 20f80d9 Add doc for the envs supported in azure-core (#45975)
• e8b2c42 [Core] Make _enforce_https a module level function (#45890)
• Additional commits viewable in compare view

Updates marshmallow from 3.26.2 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

• Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).
• Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

• marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.
• Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

4.2.3 (2026-03-25)

Bug fixes:

• Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base classes to prevent using them within Schemas (:issue:2924). Thanks :user:MartingaleCoda for reporting.
• Allow required to be set on marshmallow.fields.Contant (:issue:2900). Thanks :user:nosnickid for the report and :user:worksbyfriday for the PR.
• Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber choices (:issue:2869). Thanks: user:T90REAL for the report and :user:rstar327 for the PR.
• Fix behavior when passing a dot-delimited attribute name to partial for a key with data_key set (:pr:2903). Thanks :user:bysiber for the PR.
• Fix Enum field by-name lookup to only return actual members (:pr:2902). Thanks :user:bysiber for the PR.
• marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool values (:pr:2904). Thanks :user:bysiber for the PR.
• Fix typing of error_messages argument to marshmallow.fields.Field (:pr:1636). Thanks :user:repole for reporting and :user:dhruvildarji for the PR.

Other changes:

• Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING (:issue:1695). Thanks :user:liberforce for the suggestion and :user:dhruvildarji for the PR.

4.2.2 (2026-02-04)

Bug fixes:

• Fix behavior of fields.Contant(None) (:issue:2868).

... (truncated)

Commits

• b596fdb Bump version and update changelog
• 256f0aa Add pre/post_load parameters to Field (#2799)
• c847ad4 Typing improvements to marshmallow.validate (#2940)
• eb86322 Remove redundant docs job (#2939)
• a44ad62 Avoid infinite recursion in nesting docs (#2938)
• 3360e34 Bump version and update changelog
• 7b9ce45 Fix changelog typos and update releasing docs
• f07eadc Fix validate.Email to accept IDNs (#2937)
• 4acb783 Fix Unreachable Warning (#2935)
• 3492fae Remove redundant python-version (#2932)
• Additional commits viewable in compare view

Updates packaging from 26.1 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1167)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

Updates cryptography from 46.0.7 to 47.0.0

Changelog

Sourced from cryptography's changelog.

47.0.0 - 2026-04-24

* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* **BACKWARDS INCOMPATIBLE:** When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length because
  such keys are impossible to process in a constant-time manner. We do not
  believe keys with this problem are in wide use, however we may revert this
  change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: ``key + key + key``,
  for two-key: ``key + key[:8]``).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
  and will be removed in the next release. We will switch to publishing an
  ``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
  and will be removed in the next release. Users should move to a 64-bit
  Python installation.
* ``public_bytes`` and ``private_bytes`` methods on keys now raise
  ``TypeError`` (instead of ``ValueError``) if an invalid encoding is provided
  for the given ``format``.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the ``modes`` module.
  They will be removed from the ``modes`` module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into  :doc:`/hazmat/decrepit/index` and deprecated it in the ``cipher`` module.
  It will be removed from the ``cipher`` module in 49.0.0.
</tr></table> 

... (truncated)

Commits

• 59c5f5e bump for 47.0.0 release (#14730)
• 9025578 Add MLKEM1024-P384 hybrid KEM support in HPKE (#14722)
• ef66de4 Recommend Argon2id over PBKDF2HMAC as KDF (#14724)
• d996a37 Add ubuntu-resolute to CI workflow (#14729)
• e86da41 chore(deps): bump libc from 0.2.185 to 0.2.186 (#14725)
• 1c33c9a Bump downstream dependencies in CI (#14728)
• 67fb6be Bump x509-limbo and/or wycheproof in CI (#14727)
• 6cb20b3 Bump BoringSSL, OpenSSL, AWS-LC in CI (#14726)
• d6f372d Update supported OpenSSL versions in installation docs (#14721)
• ebd2619 openssl 3.3 is out of upstream support (#14720)
• Additional commits viewable in compare view

Updates rsl-rl-lib from 5.0.1 to 5.2.0

Release notes

Sourced from rsl-rl-lib's releases.

v5.2.0

Overview

This release adds the option to keep a fixed standard deviation for the Gaussian distribution, and adds standard deviation clamping to all distributions.

Full Changelog: leggedrobotics/rsl_rl@5.1.0...v5.2.0

Added

• Adds clip and constant std functionalities to Gaussian Distribution by @​epalmaEth in leggedrobotics/rsl_rl#201

New Contributors

• @​epalmaEth made their first contribution in leggedrobotics/rsl_rl#201

v5.1.0

Overview

This release introduces model compilation via torch.compile, which can speed up training especially for large networks like CNNs. For example, the Isaac-Dexsuite-Kuka-Allegro-Lift-v0 task in Isaac Lab trains 1.3x faster with the compilation mode default. For simple networks like MLPs no speed up is expected. The release also includes a clean up of PPO, moving a large part of the extension logic to their respective files rnd.py and symmetry.py.

Full Changelog: leggedrobotics/rsl_rl@v5.0.1...5.1.0

Added

• Adds Torch compile for PPO and Distillation by @​ClemensSchwarke and @​adenzler-nvidia in leggedrobotics/rsl_rl#199
• Cleans up PPO by moving extension logic to the extension files by @​ClemensSchwarke in leggedrobotics/rsl_rl#200

New Contributors

• @​adenzler-nvidia made their first contribution in leggedrobotics/rsl_rl#199

Commits

• 8068577 Add clip and constant std functionalities to Gaussian Distribution (#201)
• 64f8ee4 Bump version to 5.1.0
• 1e77222 Clean up PPO by moving extension logic to the extension files (#200)
• 0234a93 Add Torch compile for PPO and Distillation (#199)
• c7beb6f minor docs fixes
• See full diff in compare view

Updates tensordict from 0.12.1 to 0.12.2

Release notes

Sourced from tensordict's releases.

TensorDict v0.12.2

Patch release with a bug fix for consolidated nested tensors.

Bug Fixes

• Fix _ragged_idx loss during consolidation of nested tensors, which caused numerical incorrectness when the nested tensor had more than 2 dimensions and ragged_idx != 1 (#1675)

Installation

pip install tensordict==0.12.2

Full Changelog: pytorch/tensordict@v0.12.1...v0.12.2

Commits

• 8ee33fa [Release] Bump version to 0.12.2
• dcb6ddd [BugFix] fix ragged_idx of consolidated tensor (#1675)
• 85ea4e7 [CI] Temporarily use vmoens/test-infra fork for macOS builds
• See full diff in compare view

Updates azure-core-tracing-opentelemetry from 1.0.0b12 to 1.0.0b13

Release notes

Sourced from azure-core-tracing-opentelemetry's releases.

azure-core-tracing-opentelemetry_1.0.0b13

1.0.0b13 (2026-04-30)

Breaking Changes

• Remapped certain attributes to converge with OpenTelemetry semantic conventions version 1.23.1 (#34089):
  • http.method -> http.request.method
  • http.status_code -> http.response.status_code
  • net.peer.name -> server.address
  • net.peer.port -> server.port
  • http.url -> url.full

Other Changes

• Python 3.8 and 3.9 are no longer supported. Please use Python version 3.10 or later.

Commits

• c14e6ba [Core] Prepare release (#46612)
• a08ffff [Core] Set kwarg explicitly in method signatures (#46633)
• 2bdb89e [Core] Prepare release (#46631)
• 73df99a [Core] Add + refactor query param sanitization (#46482)
• 3db7fb5 Update core flask server startup (#46263)
• e18edb6 Swap CI to CFS (#45995)
• bd33baf NO_CI [Doc] Update references to wiki pages (#46169)
• f51d146 Make HttpLoggingPolicy log level configurable (#44115)
• 20f80d9 Add doc for the envs supported in azure-core (#45975)
• e8b2c42 [Core] Make _enforce_https a module level function (#45890)
• Additional commits viewable in compare view

Updates azure-storage-file-datalake from 12.22.0 to 12.23.0

Commits

• b3301ac STG 100 GA Release Date for 2026-01-06
• beb8dfa [Storage][STG 100] Prepare branch for GA + cherry-pick block size change (#44...
• 6c9b459 Increment package version after release of azure-monitor-opentelemetry-export...
• b9dcce8 Bump cspell from 9.3.2 to 9.4.0 in /eng/common/spelling (#44264)
• 04be001 [py sdk - TA] add 2025-11-01 to Readme (#44259)
• 31e2155 adding more agent creation traces (#44263)
• 2f728ba Use azpysdk Bandit Check in CI (#44214)
• 771fa84 Fix unhelpful error when no stress packages are found (#43538)
• 8646fbe Sync eng/common directory with azure-sdk-tools for PR 13142 (#44244)
• 874cfcf [Storage] Update Swagger and Release Date (#44243)
• Additional commits viewable in compare view

Updates cachetools from 6.2.6 to 7.1.1

Changelog

Sourced from cachetools's changelog.

v7.1.1 (2026-05-03)

• Various type stub improvements.

v7.1.0 (2026-05-01)

• Add type stubs based on the work of the good people at typeshed <https://github.com/python/typeshed/tree/main/stubs/cachetools/>__.

• Update unit tests.

v7.0.6 (2026-04-20)

• Minor code improvements.

• Update project URLs.

• Update CI environment.

v7.0.5 (2026-03-09)

• Minor @cachedmethod performance improvements.

v7.0.4 (2026-03-08)

• Fix and properly document @cachedmethod.cache_key behavior.

• Minor documentation improvements.

v7.0.3 (2026-03-05)

• Fix DeprecationWarning when creating an autospec mock with @cachedmethod decorations.

v7.0.2 (2026-03-02)

• Provide more efficient clear() implementation for all support

... (truncated)

Commits

• 2e6a2d2 Release v7.1.1.
• cc06558 Minor typing improvements.
• 193dd62 Fix #393: Improve ambiguous overloads for decorators.
• 1ea3422 Bump release date.
• d987446 Release v7.1.0.
• 3d79e80 Update Copilot Instructions.
• 83fe6bc Add tox pyright check.
• bd3fbc4 Improve typing support.
• 09dd6fe Improve original type stubs from typeshed.
• 873c701 Add typeshed typings.
• Additional commits viewable in compare view

Updates certifi from 2026.2.25 to 2026.4.22

Commits

• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates click from 8.3.2 to 8.3.3

Release notes

Sourced from click's releases.

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3 Milestone: https://github.com/pallets/click/milestone/30

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. #1026 #1477 #2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. #3298 #3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. #3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. #3224 #3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. #654 #824 #843 #951 #3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. #3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. #3151 #3177
• Show custom show_default string in prompts, matching the existing help text behavior. #2836 #2837 #3165 #3262 #3280 #3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. #3111 #3239
• Mark make_default_short_help as private API. #3189 #3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. #2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. #2879 #3248

Changelog

Sourced from click's changelog.

Version 8.3.3

Released 2026-04-20

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. :issue:1026 :pr:1477 :pr:2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:3298 :pr:3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:3224 :pr:3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:654 :issue:824 :issue:843 :pr:951 :pr:3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. :pr:3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:3151 :pr:3177
• Show custom show_default string in prompts, matching the existing help text behavior. :issue:2836 :pr:2837 :pr:3165 :pr:3262 :pr:3280 :pr:3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:3111 :pr:3239
• Mark make_default_short_help as private API. :issue:3189 :pr:3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:2879 :pr:3248

Commits

• c06d2d0 Release 8.3.3
• f1f191e Apply format guidelines to commits since latest 8.3.2 release (#3343)
• ...

  Description has been truncated

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 70 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3717aa2.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

training/rl/pyproject.toml

Package	Version	License	Issue Type
azure-core	1.40.0	Null	Unknown License
marshmallow	4.3.0	Null	Unknown License
packaging	26.2	Null	Unknown License
rsl-rl-lib	5.2.0	Null	Unknown License
tensordict	0.12.2	Null	Unknown License

training/rl/requirements.txt

Package	Version	License	Issue Type
azure-core	1.40.0	Null	Unknown License
azure-core-tracing-opentelemetry	1.0.0b13	Null	Unknown License
cachetools	7.1.1	Null	Unknown License
click	8.3.3	Null	Unknown License
cuda-pathfinder	1.5.4	Null	Unknown License
cuda-toolkit	13.2.1	Null	Unknown License
databricks-sdk	0.106.0	Null	Unknown License
fastapi	0.136.1	Null	Unknown License
filelock	3.29.0	Null	Unknown License
fsspec	2026.4.0	Null	Unknown License
google-auth	2.50.0	Null	Unknown License
greenlet	3.5.0	Null	Unknown License
gunicorn	25.3.0	Null	Unknown License
gymnasium	1.3.0	Null	Unknown License
huey	3.0.0	Null	Unknown License
idna	3.13	Null	Unknown License
mako	1.3.12	Null	Unknown License
marshmallow	4.3.0	Null	Unknown License
matplotlib	3.10.9	Null	Unknown License
mpmath	1.4.1	Null	Unknown License
nvidia-cublas	13.4.1.1	Null	Unknown License
nvidia-cuda-cupti	13.2.75	Null	Unknown License
nvidia-cuda-nvrtc	13.2.78	Null	Unknown License
nvidia-cuda-runtime	13.2.75	Null	Unknown License
nvidia-cudnn-cu13	9.21.1.3	Null	Unknown License
nvidia-cufft	12.2.0.46	Null	Unknown License
nvidia-cufile	1.17.1.22	Null	Unknown License
nvidia-curand	10.4.2.55	Null	Unknown License
nvidia-cusolver	12.2.0.1	Null	Unknown License
nvidia-cusparse	12.7.10.1	Null	Unknown License
nvidia-cusparselt-cu13	0.9.1	Null	Unknown License
nvidia-nccl-cu13	2.30.4	Null	Unknown License
nvidia-nvjitlink	13.2.78	Null	Unknown License
nvidia-nvshmem-cu13	3.6.5	Null	Unknown License
nvidia-nvtx	13.2.75	Null	Unknown License
onnx-ir	0.2.1	Null	Unknown License
onnxscript	0.7.0	Null	Unknown License
opentelemetry-api	1.41.1	Null	Unknown License
opentelemetry-instrumentation	0.62b1	Null	Unknown License
opentelemetry-instrumentation-asgi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-dbapi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-django	0.62b1	Null	Unknown License
opentelemetry-instrumentation-fastapi	0.62b1	Null	Unknown License
opentelemetry-instrumentation-flask	0.62b1	Null	Unknown License
opentelemetry-instrumentation-logging	0.62b1	Null	Unknown License
opentelemetry-instrumentation-psycopg2	0.62b1	Null	Unknown License
opentelemetry-instrumentation-requests	0.62b1	Null	Unknown License
opentelemetry-instrumentation-urllib	0.62b1	Null	Unknown License
opentelemetry-instrumentation-urllib3	0.62b1	Null	Unknown License
opentelemetry-instrumentation-wsgi	0.62b1	Null	Unknown License
opentelemetry-proto	1.41.1	Null	Unknown License
opentelemetry-sdk	1.41.1	Null	Unknown License
opentelemetry-semantic-conventions	0.62b1	Null	Unknown License
opentelemetry-util-http	0.62b1	Null	Unknown License
packaging	26.2	Null	Unknown License
pyarrow	24.0.0	Null	Unknown License
pydantic	2.13.3	Null	Unknown License
pytz	2026.2	Null	Unknown License
rsl-rl-lib	5.2.0	Null	Unknown License
skops	0.14.0	Null	Unknown License
tensordict	0.12.2	Null	Unknown License
uvicorn	0.46.0	Null	Unknown License
wcwidth	0.7.0	Null	Unknown License
certifi	2026.4.22	Null	Unknown License
tzdata	2026.2	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/azure-core	1.40.0	Unknown	Unknown
pip/cryptography	47.0.0	Unknown	Unknown
pip/marshmallow	4.3.0	Unknown	Unknown
pip/numpy	2.4.4	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/rsl-rl-lib	5.2.0	Unknown	Unknown
pip/tensordict	0.12.2	Unknown	Unknown
pip/azure-core	1.40.0	Unknown	Unknown
pip/azure-core-tracing-opentelemetry	1.0.0b13	Unknown	Unknown
pip/azure-storage-file-datalake	12.23.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 License 🟢 10 license file detected CII-Best-Practices 🟢 5 badge detected: Passing Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 8 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing 🟢 10 project is fuzzed
pip/cachetools	7.1.1	Unknown	Unknown
pip/certifi	2026.4.22	🟢 6	Details Check Score Reason Code-Review ⚠️ 1 Found 1/8 approved changesets -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 8 8 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/click	8.3.3	Unknown	Unknown
pip/cryptography	47.0.0	Unknown	Unknown
pip/cuda-pathfinder	1.5.4	Unknown	Unknown
pip/cuda-toolkit	13.2.1	Unknown	Unknown
pip/databricks-sdk	0.106.0	Unknown	Unknown
pip/farama-notifications	0.0.6	Unknown	Unknown
pip/fastapi	0.136.1	Unknown	Unknown
pip/filelock	3.29.0	Unknown	Unknown
pip/fsspec	2026.4.0	Unknown	Unknown
pip/gitpython	3.1.49	🟢 7.6	Details Check Score Reason Code-Review 🟢 5 Found 5/9 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
pip/google-auth	2.50.0	Unknown	Unknown
pip/greenlet	3.5.0	Unknown	Unknown
pip/gunicorn	25.3.0	Unknown	Unknown
pip/gymnasium	1.3.0	Unknown	Unknown
pip/huey	3.0.0	Unknown	Unknown
pip/idna	3.13	Unknown	Unknown
pip/importlib-metadata	9.0.0	Unknown	Unknown
pip/mako	1.3.12	Unknown	Unknown
pip/marshmallow	4.3.0	Unknown	Unknown
pip/matplotlib	3.10.9	Unknown	Unknown
pip/mpmath	1.4.1	Unknown	Unknown
pip/numpy	2.4.4	Unknown	Unknown
pip/nvidia-cublas	13.4.1.1	Unknown	Unknown
pip/nvidia-cuda-cupti	13.2.75	Unknown	Unknown
pip/nvidia-cuda-nvrtc	13.2.78	Unknown	Unknown
pip/nvidia-cuda-runtime	13.2.75	Unknown	Unknown
pip/nvidia-cudnn-cu13	9.21.1.3	Unknown	Unknown
pip/nvidia-cufft	12.2.0.46	Unknown	Unknown
pip/nvidia-cufile	1.17.1.22	Unknown	Unknown
pip/nvidia-curand	10.4.2.55	Unknown	Unknown
pip/nvidia-cusolver	12.2.0.1	Unknown	Unknown
pip/nvidia-cusparse	12.7.10.1	Unknown	Unknown
pip/nvidia-cusparselt-cu13	0.9.1	Unknown	Unknown
pip/nvidia-nccl-cu13	2.30.4	Unknown	Unknown
pip/nvidia-nvjitlink	13.2.78	Unknown	Unknown
pip/nvidia-nvshmem-cu13	3.6.5	Unknown	Unknown
pip/nvidia-nvtx	13.2.75	Unknown	Unknown
pip/onnx-ir	0.2.1	Unknown	Unknown
pip/onnxscript	0.7.0	Unknown	Unknown
pip/opentelemetry-api	1.41.1	Unknown	Unknown
pip/opentelemetry-instrumentation	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-asgi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-dbapi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-django	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-fastapi	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-flask	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-logging	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-psycopg2	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-requests	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-urllib	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-urllib3	0.62b1	Unknown	Unknown
pip/opentelemetry-instrumentation-wsgi	0.62b1	Unknown	Unknown
pip/opentelemetry-proto	1.41.1	Unknown	Unknown
pip/opentelemetry-sdk	1.41.1	Unknown	Unknown
pip/opentelemetry-semantic-conventions	0.62b1	Unknown	Unknown
pip/opentelemetry-util-http	0.62b1	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/pandas	3.0.2	Unknown	Unknown
pip/protobuf	7.34.1	Unknown	Unknown
pip/pyarrow	24.0.0	Unknown	Unknown
pip/pydantic	2.13.3	Unknown	Unknown
pip/pydantic-core	2.46.3	🟢 6.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 9 Found 22/24 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pytz	2026.2	Unknown	Unknown
pip/rsl-rl-lib	5.2.0	Unknown	Unknown
pip/setuptools	82.0.1	Unknown	Unknown
pip/skops	0.14.0	Unknown	Unknown
pip/tensordict	0.12.2	Unknown	Unknown
pip/tzdata	2026.2	🟢 7.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 18/23 approved changesets -- score normalized to 7 Maintained 🟢 10 12 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/uvicorn	0.46.0	Unknown	Unknown
pip/wcwidth	0.7.0	Unknown	Unknown
pip/wrapt	2.1.2	Unknown	Unknown

Scanned Files

• training/rl/pyproject.toml
• training/rl/requirements.txt

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.70%. Comparing base (83384d2) to head (3717aa2).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #608      +/-   ##
==========================================
+ Coverage   65.16%   67.70%   +2.53%     
==========================================
  Files         251      263      +12     
  Lines       15597    16827    +1230     
  Branches     2152     2290     +138     
==========================================
+ Hits        10164    11392    +1228     
  Misses       5142     5142              
- Partials      291      293       +2     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from 83384d2
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from 83384d2
pytest-dataviewer	66.92% <ø> (ø)		Carriedforward from 83384d2
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from 83384d2
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.90% <ø> (ø)
pytest-inference	0.00% <ø> (ø)		Carriedforward from 83384d2
pytest-training	82.14% <ø> (ø)
vitest	53.02% <ø> (ø)		Carriedforward from 83384d2

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

⚠️ Maintainer review recommended

Advisory Review Summary

This grouped Dependabot PR bumps 76 packages in training/rl/ (training-rl-abi surface). No GHSA or CVE advisories were referenced in the PR body. The Isaac Sim ABI guard in train.sh is violated by the numpy bump, and CI has not yet completed.

Affected surfaces: training-rl-abi (pip/uv under training/rl/)

Package	From	To	Risk	Surface
numpy	1.26.4	2.4.4	HIGH — ABI guard violation	training-rl-abi
pandas	2.3.3	3.0.2	Medium — major, breaking API changes	training-rl-abi
marshmallow	3.26.2	4.3.0	Medium — major, direct dep, breaking API changes	training-rl-abi
pyarrow	22.0.0	24.0.0	Medium — 2 major jumps, ABI-sensitive	training-rl-abi
protobuf	6.33.6	7.34.1	Low-Medium — major, C-extension ABI change	training-rl-abi
wrapt	1.17.3	2.1.2	Low — major, opentelemetry-instrumentation dep	training-rl-abi
cachetools	6.2.6	7.1.1	Low — major, mlflow dep	training-rl-abi
importlib-metadata	8.7.1	9.0.0	Low — major, mlflow/otel dep	training-rl-abi
huey	2.6.0	3.0.0	Low — major, mlflow dep	training-rl-abi
gunicorn	23.0.0	25.3.0	Low — 2 major jumps, mlflow dep	training-rl-abi
66 other packages	—	—	Info — minor/patch bumps	training-rl-abi

---

numpy

No advisory. Pure ABI risk.

NumPy 2.4.4 is a patch release within the 2.4.x series. The major breaking changes — revised C API, removal of np.bool, np.int, np.float aliases, new copy=False semantics — landed in NumPy 2.0.0.
Release: github.com/numpy/numpy/releases/tag/v2.4.4

Repo-specific risk — Isaac Sim ABI guard broken:

training/rl/scripts/train.sh enforces numpy>=1.26.0,<2.0.0 (lines 80–86) to preserve Isaac Sim 4.x C-extension compatibility. The subsequent step (lines 94–96) runs:

uv pip install --no-cache-dir --no-deps --requirement requirements.txt

Because requirements.txt now pins numpy==2.4.4, this step silently overrides the 1.x pin installed in lines 80–86. Isaac Sim ships pre-compiled extensions against NumPy 1.x ABI. Loading those extensions under NumPy 2.x will produce ImportError or silent data corruption at runtime.

The train.sh ABI guard must be updated to <3.0.0 only after Isaac Sim 4.x validates NumPy 2.x support, or this bump must be reverted.

Validation Signal

• PR Validation: in_progress:in_progress — CI not yet complete. ⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.
• Static impact: training/rl/requirements.txt pins numpy==2.4.4; training/rl/scripts/train.sh line 80 pins numpy>=1.26.0,<2.0.0. These are directly contradictory. The runtime install order means 2.4.4 wins — the ABI guard is bypassed.

---

marshmallow

No advisory. Direct dependency bump (pyproject.toml line 12 and requirements.txt line 205).

marshmallow 4.0 removed all APIs deprecated in the 3.x series: strict kwarg, Schema.Meta field ordering, @pre_load(pass_many=True) signature, dump/load positional many argument. Code using any deprecated 3.x patterns will raise AttributeError or TypeError.

azure-ai-ml==1.32.0 (also a direct dep) internally imports marshmallow — verify it pins marshmallow<4 or explicitly supports 4.x.

Changelog: github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst

Validation Signal

• PR Validation: in_progress:in_progress
• Static impact: Direct dep — any training code using marshmallow 3.x deprecated APIs will fail at import or first schema use.

---

pandas

No advisory. Transitive via mlflow.

pandas 3.0 breaking changes:

• Copy-on-Write is now the default — mutating a slice no longer mutates the parent DataFrame
• StringDtype is the new default for string columns (changes dtype comparisons)
• datetime inference resolution changed from ns to us
• All pandas 2.x deprecations removed

Release: github.com/pandas-dev/pandas/releases/tag/v3.0.0

Validation Signal

• PR Validation: in_progress:in_progress
• Static impact: Transitive via mlflow; low direct-usage risk in RL training code, but any evaluation or logging code reading mlflow artifacts as DataFrames may see unexpected dtype or timestamp behaviour.

---

pyarrow

No advisory. Transitive via mlflow. Two major version jump (22 → 24). pyarrow's C-extension ABI is tightly coupled to the NumPy version it was compiled against. The combined numpy 1.x → 2.x and pyarrow 22 → 24 bump compounds ABI risk.

Validation Signal

• PR Validation: in_progress:in_progress
• Static impact: Transitive via mlflow; no direct usage detected in training/rl/. ABI risk is elevated when combined with the numpy 2.x change.

---

Other notable major bumps

Package	From	To	Note
protobuf	6.33.6	7.34.1	C-extension ABI; used by tensorboard, databricks-sdk, grpcio, mlflow
wrapt	1.17.3	2.1.2	Dropped Python < 3.8 support; opentelemetry-instrumentation dependency chain
cachetools	6.2.6	7.1.1	Removed LRUCache.popitem; mlflow-skinny dep
importlib-metadata	8.7.1	9.0.0	Removed deprecated packages_distributions; mlflow-skinny dep
huey	2.6.0	3.0.0	Task queue API changes; mlflow dep
gunicorn	23.0.0	25.3.0	Two major jumps; worker lifecycle changes; mlflow dep
onnxscript	0.6.2	0.7.0	Minor bump; pre-1.0, rsl-rl-lib dep
cryptography	46.0.7	47.0.0	Major bump; azure-identity, pyjwt dep
gymnasium	1.2.3	1.3.0	Minor; skrl dep
rsl-rl-lib	5.0.1	5.2.0	Minor; direct dep
tensordict	0.12.1	0.12.2	Patch; GPU-sensitive direct dep

---

Transitive-only lockfile note

The majority of the 76 packages are transitive — they appear in requirements.txt but not in pyproject.toml direct dependencies. The requirements.txt is autogenerated by uv pip compile pyproject.toml -o requirements.txt. These are lockfile-only updates for transitive packages; all manifest-level changes are confined to training/rl/pyproject.toml.

---

Advisory verdict: COMMENT — CI is still in progress; numpy 2.4.4 violates the Isaac Sim ABI guard enforced by training/rl/scripts/train.sh (lines 80–86), and train.sh must be updated or the numpy bump reverted before this PR is safe to merge. Multiple other major version bumps (marshmallow 4, pandas 3, pyarrow 24, protobuf 7) warrant targeted smoke-test validation on GPU nodes.

🔍 - Generated by Copilot

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• #608 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by AW Dependabot PR Review for issue #608 · ● 857.9K

[github-actions]

⚠️ Isaac Sim ABI Guard Violation — numpy 1.26.4 → 2.4.4

training/rl/scripts/train.sh enforces numpy>=1.26.0,<2.0.0 at runtime (lines 80–86) to preserve Isaac Sim 4.x C-extension ABI compatibility. NumPy 2.0 introduced a revised C API that is incompatible with pre-compiled Isaac Sim extensions.

However, train.sh subsequently installs requirements.txt with --no-deps (lines 94–96), which will install numpy==2.4.4 and override the 1.x pin. The net result is that the Isaac Sim ABI guard is silently bypassed at training time.

Action required before merging:

• Update the pin in train.sh lines 80–86 from <2.0.0 to <3.0.0 only if Isaac Sim 4.x has been validated against NumPy 2.x, or
• Revert this bump until Isaac Sim confirms NumPy 2.x support.

References: [NumPy 2.0 migration guide]((numpy.org/redacted), training/rl/scripts/train.sh lines 80–86.

[github-actions]

marshmallow 3.26.2 → 4.3.0 — major version bump (direct dependency)

marshmallow is a direct dependency in pyproject.toml. marshmallow 4.0 removed all APIs deprecated in the 3.x series, including Schema.Meta field ordering, strict mode, pre/post decorator variants, and changed dump / load to no longer accept positional arguments.

azure-ai-ml (also in requirements.txt) vendors marshmallow internally — verify it declares compatibility with marshmallow 4.x via its own metadata before merging.

Changelog: github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst

[github-actions]

pyarrow 22.0.0 → 24.0.0 — two major version jumps (ABI-sensitive)

pyarrow is in the high-risk surface list for python-runtime. Crossing two major versions increases the likelihood of C-extension ABI incompatibilities, particularly when pyarrow is used alongside NumPy (both share native memory interfaces). This bump is transitive via mlflow.

Verify that mlflow==3.11.1 (the version already pinned) declares support for pyarrow>=24.

[github-actions]

pandas 2.3.3 → 3.0.2 — major version bump (transitive via mlflow)

pandas 3.0 breaking changes:

• Copy-on-Write is now the default (removes SettingWithCopyWarning; mutating a slice no longer mutates the original)
• Dedicated StringDtype is the new default for string columns
• datetime resolution inference changed (ns → us by default)
• All 2.x deprecations removed

Any mlflow logging code or evaluation scripts that use DataFrame.copy() semantics or rely on ns-resolution timestamps may behave differently.

Release notes: github.com/pandas-dev/pandas/releases/tag/v3.0.0

[github-actions]

numpy 2.4.4 in lockfile conflicts with train.sh ABI guard

This lockfile entry sets numpy==2.4.4 (NumPy 2.x). The runtime script training/rl/scripts/train.sh attempts to enforce numpy>=1.26.0,<2.0.0 (lines 80–86) for Isaac Sim ABI safety, but the uv pip install --no-deps --requirement requirements.txt step (lines 94–96) will overwrite that install with this 2.4.4 pin.

NumPy 2.0 release notes: github.com/numpy/numpy/releases/tag/v2.4.4 — patch release only; the major breaking changes landed in 2.0.0.