Skip to content

chore(deps): Update#48

Open
williaby wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance
Open

chore(deps): Update#48
williaby wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance

Conversation

@williaby

@williaby williaby commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Change Update
All locks refreshed lockFileMaintenance

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "before 5am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 1, 2026 05:09

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • DeQA-Score/uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4d197608-afaf-4e5c-b856-e31f39c33524

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/lock-file-maintenance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 20 package(s) with unknown licenses.
See the Details below.

License Issues

DeQA-Score/uv.lock

PackageVersionLicenseIssue Type
anthropic0.113.0NullUnknown License
anyio4.14.1NullUnknown License
click8.4.2NullUnknown License
cmake4.3.4NullUnknown License
filelock3.29.4NullUnknown License
fsspec2026.6.0NullUnknown License
hf-xet1.5.1NullUnknown License
idna3.18NullUnknown License
latex2mathml3.81.0NullUnknown License
nvidia-ml-py13.610.43NullUnknown License
openai2.44.0NullUnknown License
platformdirs4.10.0NullUnknown License
pytest9.1.1NullUnknown License
regex2026.6.28NullUnknown License
ruff0.15.20NullUnknown License
safetensors0.8.0NullUnknown License
tqdm4.68.3NullUnknown License
uvicorn0.49.0NullUnknown License
wandb0.26.1NullUnknown License
certifi2026.6.17NullUnknown License

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
pip/anthropic 0.113.0 UnknownUnknown
pip/anyio 4.14.1 UnknownUnknown
pip/certifi 2026.6.17 🟢 5.9
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/2 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Pinned-Dependencies🟢 5dependency not pinned by hash detected -- score normalized to 5
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
License🟢 9license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/charset-normalizer 3.4.7 UnknownUnknown
pip/click 8.4.2 UnknownUnknown
pip/cmake 4.3.4 UnknownUnknown
pip/docstring-parser 0.18.0 UnknownUnknown
pip/filelock 3.29.4 UnknownUnknown
pip/fsspec 2026.6.0 UnknownUnknown
pip/hf-xet 1.5.1 UnknownUnknown
pip/icecream 2.2.0 🟢 3.8
Details
CheckScoreReason
Maintained🟢 98 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 9
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 1Found 4/22 approved changesets -- score normalized to 1
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/idna 3.18 UnknownUnknown
pip/jiter 0.16.0 UnknownUnknown
pip/latex2mathml 3.81.0 UnknownUnknown
pip/numpy 2.4.6 UnknownUnknown
pip/nvidia-ml-py 13.610.43 UnknownUnknown
pip/openai 2.44.0 UnknownUnknown
pip/packaging 26.2 UnknownUnknown
pip/platformdirs 4.10.0 UnknownUnknown
pip/protobuf 7.35.1 UnknownUnknown
pip/pytest 9.1.1 UnknownUnknown
pip/regex 2026.6.28 UnknownUnknown
pip/ruff 0.15.20 UnknownUnknown
pip/safetensors 0.8.0 UnknownUnknown
pip/sentry-sdk 2.63.0 🟢 5.8
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 24/28 approved changesets -- score normalized to 8
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/smmap 5.0.3 🟢 5.3
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Security-Policy🟢 9security policy file detected
Code-Review🟢 6Found 6/9 approved changesets -- score normalized to 6
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 3SAST tool is not run on all commits -- score normalized to 3
pip/tomli 2.4.1 UnknownUnknown
pip/tqdm 4.68.3 UnknownUnknown
pip/uvicorn 0.49.0 UnknownUnknown
pip/wandb 0.26.1 UnknownUnknown

Scanned Files

  • DeQA-Score/uv.lock

@socket-security

socket-security Bot commented Jun 1, 2026

Copy link
Copy Markdown

@williaby williaby force-pushed the renovate/lock-file-maintenance branch from 86a3c18 to 7861b26 Compare June 29, 2026 17:59
@sonarqubecloud

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: pypi numpy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: DeQA-Score/pyproject.tomlpypi/numpy@2.4.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants