Skip to content

chore(deps): Update#38

Open
williaby wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance
Open

chore(deps): Update#38
williaby wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance

Conversation

@williaby

Copy link
Copy Markdown
Contributor

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Change Update
All locks refreshed lockFileMaintenance

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "before 5am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 15, 2026 05:17
@williaby williaby self-assigned this Jun 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 15e3a274-2571-4794-af7f-771fa317dcea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/lock-file-maintenance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 84 package(s) with unknown licenses.
See the Details below.

License Issues

uv.lock

PackageVersionLicenseIssue Type
alembic1.18.5NullUnknown License
anyio4.14.1NullUnknown License
basedpyright1.39.9NullUnknown License
beautifulsoup44.15.0NullUnknown License
click8.4.2NullUnknown License
cryptography49.0.0NullUnknown License
cuda-bindings13.3.1NullUnknown License
cuda-pathfinder1.5.5NullUnknown License
cyclonedx-python-lib11.11.0NullUnknown License
debugpy1.8.21NullUnknown License
fastapi0.138.2NullUnknown License
filelock3.29.4NullUnknown License
fsspec2026.6.0NullUnknown License
google-api-core2.31.0NullUnknown License
googleapis-common-protos1.75.0NullUnknown License
greenlet3.5.3NullUnknown License
griffelib2.1.0NullUnknown License
grpcio1.81.1NullUnknown License
httptools0.8.0NullUnknown License
hypothesis6.155.7NullUnknown License
idna3.18NullUnknown License
ipykernel7.3.0NullUnknown License
ipython9.15.0NullUnknown License
jaraco-functools4.5.0NullUnknown License
joserfc1.7.2NullUnknown License
json50.15.0NullUnknown License
jupyter-builder1.0.2NullUnknown License
jupyter-client8.9.1NullUnknown License
jupyter-server2.20.0NullUnknown License
jupyterlab4.6.1NullUnknown License
matplotlib-inline0.2.2NullUnknown License
mdit-py-plugins0.6.1NullUnknown License
mistune3.3.2NullUnknown License
mkdocs-git-revision-date-localized-plugin1.5.3NullUnknown License
mkdocstrings-python2.0.5NullUnknown License
msgpack1.2.1NullUnknown License
mutmut3.6.0NullUnknown License
narwhals2.22.1NullUnknown License
nbclient0.11.0NullUnknown License
nodejs-wheel-binaries24.16.0NullUnknown License
notebook7.6.0NullUnknown License
nox-uv0.8.0NullUnknown License
numpy2.5.0NullUnknown License
nvidia-cublas13.1.1.3NullUnknown License
nvidia-cudnn-cu139.20.0.48NullUnknown License
nvidia-cusparselt-cu130.8.1NullUnknown License
nvidia-nccl-cu132.29.7NullUnknown License
pip-audit2.10.1NullUnknown License
platformdirs4.10.0NullUnknown License
prettytable3.18.0NullUnknown License
proto-plus1.28.0NullUnknown License
pydantic-settings2.14.2NullUnknown License
pydoclint0.9.0NullUnknown License
pymdown-extensions11.0NullUnknown License
pytest9.1.1NullUnknown License
pytest-asyncio1.4.0NullUnknown License
python-discovery1.4.2NullUnknown License
python-frontmatter1.3.0NullUnknown License
python-multipart0.0.32NullUnknown License
pywinpty3.0.5NullUnknown License
regex2026.6.28NullUnknown License
rpds-py2026.5.1NullUnknown License
ruff0.15.20NullUnknown License
safety3.8.1NullUnknown License
scikit-learn1.9.0NullUnknown License
scipy1.18.0NullUnknown License
soupsieve2.8.4NullUnknown License
sqlalchemy2.0.51NullUnknown License
starlette1.3.1NullUnknown License
stevedore5.8.0NullUnknown License
structlog26.1.0NullUnknown License
textual8.2.7NullUnknown License
tomlkit0.15.0NullUnknown License
torch2.12.1NullUnknown License
tornado6.5.7NullUnknown License
tqdm4.68.3NullUnknown License
traitlets5.15.1NullUnknown License
uvicorn0.49.0NullUnknown License
virtualenv21.5.1NullUnknown License
wcwidth0.8.2NullUnknown License
zipp4.1.0NullUnknown License
bleach6.4.0NullUnknown License
certifi2026.6.17NullUnknown License
distlib0.4.3NullUnknown License
Denied Licenses: GPL-2.0, GPL-3.0

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
pip/alembic 1.18.5 UnknownUnknown
pip/anyio 4.14.1 UnknownUnknown
pip/authlib 1.7.2 UnknownUnknown
pip/basedpyright 1.39.9 UnknownUnknown
pip/beautifulsoup4 4.15.0 UnknownUnknown
pip/bleach 6.4.0 🟢 4.9
Details
CheckScoreReason
Maintained⚠️ 0project is archived
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 0Found 0/17 approved changesets -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing🟢 10project is fuzzed
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/certifi 2026.6.17 🟢 5.9
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/2 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Pinned-Dependencies🟢 5dependency not pinned by hash detected -- score normalized to 5
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
License🟢 9license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/click 8.4.2 UnknownUnknown
pip/coverage 7.14.3 UnknownUnknown
pip/cryptography 49.0.0 UnknownUnknown
pip/cuda-bindings 13.3.1 UnknownUnknown
pip/cuda-pathfinder 1.5.5 UnknownUnknown
pip/cyclonedx-python-lib 11.11.0 UnknownUnknown
pip/debugpy 1.8.21 UnknownUnknown
pip/decorator 5.3.1 UnknownUnknown
pip/distlib 0.4.3 UnknownUnknown
pip/fastapi 0.138.2 UnknownUnknown
pip/filelock 3.29.4 UnknownUnknown
pip/fsspec 2026.6.0 UnknownUnknown
pip/google-api-core 2.31.0 UnknownUnknown
pip/google-auth 2.55.1 🟢 6.9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing🟢 10project is fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
pip/googleapis-common-protos 1.75.0 UnknownUnknown
pip/greenlet 3.5.3 UnknownUnknown
pip/griffelib 2.1.0 UnknownUnknown
pip/grpcio 1.81.1 UnknownUnknown
pip/httptools 0.8.0 UnknownUnknown
pip/hypothesis 6.155.7 UnknownUnknown
pip/idna 3.18 UnknownUnknown
pip/ipykernel 7.3.0 UnknownUnknown
pip/ipython 9.15.0 UnknownUnknown
pip/jaraco-functools 4.5.0 UnknownUnknown
pip/joserfc 1.7.2 UnknownUnknown
pip/json5 0.15.0 UnknownUnknown
pip/jupyter-builder 1.0.2 UnknownUnknown
pip/jupyter-client 8.9.1 UnknownUnknown
pip/jupyter-server 2.20.0 UnknownUnknown
pip/jupyterlab 4.6.1 UnknownUnknown
pip/lxml 6.1.1 UnknownUnknown
pip/markdown-it-py 4.2.0 UnknownUnknown
pip/matplotlib-inline 0.2.2 UnknownUnknown
pip/mdit-py-plugins 0.6.1 UnknownUnknown
pip/mistune 3.3.2 UnknownUnknown
pip/mkdocs-git-revision-date-localized-plugin 1.5.3 UnknownUnknown
pip/mkdocstrings-python 2.0.5 UnknownUnknown
pip/more-itertools 11.1.0 UnknownUnknown
pip/msgpack 1.2.1 UnknownUnknown
pip/mutmut 3.6.0 UnknownUnknown
pip/narwhals 2.22.1 UnknownUnknown
pip/nbclient 0.11.0 UnknownUnknown
pip/nest-asyncio2 1.7.2 UnknownUnknown
pip/nodejs-wheel-binaries 24.16.0 UnknownUnknown
pip/notebook 7.6.0 UnknownUnknown
pip/nox-uv 0.8.0 UnknownUnknown
pip/numpy 2.4.6 UnknownUnknown
pip/numpy 2.5.0 UnknownUnknown
pip/nvidia-cublas 13.1.1.3 UnknownUnknown
pip/nvidia-cudnn-cu13 9.20.0.48 UnknownUnknown
pip/nvidia-cusparselt-cu13 0.8.1 UnknownUnknown
pip/nvidia-nccl-cu13 2.29.7 UnknownUnknown
pip/pip-audit 2.10.1 UnknownUnknown
pip/platformdirs 4.10.0 UnknownUnknown
pip/prettytable 3.18.0 UnknownUnknown
pip/proto-plus 1.28.0 UnknownUnknown
pip/protobuf 7.35.1 UnknownUnknown
pip/pydantic 2.13.4 UnknownUnknown
pip/pydantic-core 2.46.4 🟢 7.4
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/pydantic-settings 2.14.2 UnknownUnknown
pip/pydoclint 0.9.0 UnknownUnknown
pip/pymdown-extensions 11.0 UnknownUnknown
pip/pytest 9.1.1 UnknownUnknown
pip/pytest-asyncio 1.4.0 UnknownUnknown
pip/python-discovery 1.4.2 UnknownUnknown
pip/python-frontmatter 1.3.0 UnknownUnknown
pip/python-multipart 0.0.32 UnknownUnknown
pip/pywinpty 3.0.5 UnknownUnknown
pip/regex 2026.6.28 UnknownUnknown
pip/requests 2.34.2 UnknownUnknown
pip/rpds-py 2026.5.1 UnknownUnknown
pip/ruff 0.15.20 UnknownUnknown
pip/safety 3.8.1 UnknownUnknown
pip/scikit-learn 1.9.0 UnknownUnknown
pip/scipy 1.18.0 UnknownUnknown
pip/soupsieve 2.8.4 UnknownUnknown
pip/sqlalchemy 2.0.51 UnknownUnknown
pip/starlette 1.3.1 UnknownUnknown
pip/stevedore 5.8.0 UnknownUnknown
pip/structlog 26.1.0 UnknownUnknown
pip/textual 8.2.7 UnknownUnknown
pip/tinycss2 1.5.1 UnknownUnknown
pip/tomlkit 0.15.0 UnknownUnknown
pip/torch 2.12.1 UnknownUnknown
pip/torchvision 0.27.1 🟢 4.5
Details
CheckScoreReason
Maintained🟢 1027 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy⚠️ 0security policy file not detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 2branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/tornado 6.5.7 UnknownUnknown
pip/tqdm 4.68.3 UnknownUnknown
pip/traitlets 5.15.1 UnknownUnknown
pip/triton 3.7.1 UnknownUnknown
pip/truststore 0.10.4 UnknownUnknown
pip/uvicorn 0.49.0 UnknownUnknown
pip/virtualenv 21.5.1 UnknownUnknown
pip/watchfiles 1.2.0 🟢 4
Details
CheckScoreReason
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Code-Review🟢 3Found 9/26 approved changesets -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/wcwidth 0.8.2 UnknownUnknown
pip/zipp 4.1.0 UnknownUnknown

Scanned Files

  • uv.lock

@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi nodejs-wheel-binaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: uv.lockpypi/basedpyright@1.39.9pypi/nodejs-wheel-binaries@24.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi numpy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pyproject.tomlpypi/numpy@2.4.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: pypi numpy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pyproject.tomlpypi/numpy@2.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@williaby williaby force-pushed the renovate/lock-file-maintenance branch from afd566b to e3a1388 Compare June 29, 2026 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants