chore(deps): bump the version-updates group across 1 directory with 4 updates#2281
Checks
- Labels: The following labels could not be found. Please fix the above issues or remove invalid values.
- Dependency Review: The following issues were found: license issues in scripts/evals/moderation/uv.lock.
- OpenSSF Scorecard: Scorecard details.
- Scanned Files.
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #2281):

| | main | #2281 | +/- |
|---|---|---|---|
| Coverage | 81.64% | 81.72% | +0.07% |
| Files | 130 | 120 | -10 |
| Lines | 19470 | 19394 | -76 |
| Branches | 12 | 0 | -12 |
| Hits | 15897 | 15849 | -48 |
| Misses | 3570 | 3545 | -25 |
| Partials | 3 | 0 | -3 |
Eval Execution
✅ Status: Passed
No changed AI artifacts required evaluation.
Dependency Review — scripts/evals/moderation
This PR bumps 4 Python dependencies in scripts/evals/moderation/pyproject.toml. Safety check results below.
Dependency Changes

| Dependency | Old | New | Classification | License |
|---|---|---|---|---|
| transformers | >=4.40,<5 (installed: 4.57.6) | >=5.12.1,<6 | Major | Apache-2.0 ✅ |
| pytest | >=8.0 | >=9.1.1 | Major | MIT ✅ |
| ruff | >=0.6 | >=0.15.20 | Minor (0.x series) | MIT ✅ |
| atheris | >=3.0 | >=3.1.0 | Minor | Apache-2.0 ✅ |
Safety Check Results

| Check | Result |
|---|---|
| License compatibility | ✅ All licenses (Apache-2.0, MIT) are compatible with project MIT |
| SHA pinning (GitHub Actions) | ✅ N/A — no workflow files modified |
| Environment synchronization (.devcontainer / copilot-setup-steps.yml) | ✅ N/A — no devcontainer changes |
| Known vulnerabilities | ✅ Dependabot reports none |
| New top-level dependencies introduced | ✅ None — all are Dependabot bumps of existing deps |
New Transitive Dependencies (from transformers 5.x)
The uv.lock adds annotated-doc 0.0.4 and anyio 4.14.1 as new transitive dependencies pulled in by transformers 5.x. Both are widely used packages with permissive licenses.
Flags for Human Review
Two major version bumps require human verification before merge:
- transformers 4.x → 5.x: Breaking API changes are possible. The inline comment at line 9 calls out what to verify.
- pytest 8.x → 9.x: Breaking fixture/plugin changes are possible. The inline comment at line 42 calls out what to verify.
The ruff and atheris minor bumps carry low risk of compatibility issues.
This review does not approve the PR. Human merge approval remains required.
Generated by Dependabot PR Review for issue #2281 · 372.3 AIC · ⌖ 21.9 AIC · ⊞ 46.2K
| "detoxify==0.5.2", | ||
| "torch==2.12.1", | ||
| "transformers>=4.40,<5", | ||
| "transformers>=5.12.1,<6", |
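Review bot: the bump to `transformers>=5.12.1,<6` sits directly under the exact pin `"detoxify==0.5.2"`, and detoxify itself depends on transformers; before trusting the lock resolution, check that the pinned detoxify release declares support for transformers 5.x (its own transformers constraint), otherwise the eval can import a transformers major that detoxify was never tested against even though the lock file resolves.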
transformers 4.x → 5.x
This is a major version change (4.57.6 → 5.12.1) that may include breaking API changes. Please verify that the moderation eval scripts in scripts/evals/moderation/ remain compatible with the transformers 5.x API before merging.
Key areas to check: model loading APIs, tokenizer interfaces, and pipeline constructors may have changed between major versions.
| [dependency-groups] | ||
| dev = [ | ||
| "pytest>=8.0", | ||
| "pytest>=9.1.1", |
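Review bot: `"pytest>=9.1.1"` keeps the lower-bound-only form of the old `"pytest>=8.0"`, unlike the `transformers>=5.12.1,<6` constraint in the same file; consider `"pytest>=9.1.1,<10"` so that the next pytest major (where the deprecations mentioned in this PR's review become errors) cannot resolve into the lock without a reviewed bump.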
pytest 8.x → 9.x
This is a major version change (>=8.0 → >=9.1.1). Pytest 9.x includes breaking changes to some fixtures and plugins. Please ensure the test suite in scripts/evals/moderation/tests/ runs cleanly against pytest 9.x before merging.
@dependabot recreate
Bumps the version-updates group with 4 updates in the /scripts/evals/moderation directory: [transformers](https://github.com/huggingface/transformers), [pytest](https://github.com/pytest-dev/pytest), [ruff](https://github.com/astral-sh/ruff) and [atheris](https://github.com/google/atheris).

Updates `transformers` from 4.57.6 to 5.12.1
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.57.6...v5.12.1)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `ruff` from 0.15.15 to 0.15.20
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.15...0.15.20)

Updates `atheris` from 3.0.0 to 3.1.0
- [Commits](https://github.com/google/atheris/commits)

---
updated-dependencies:
- dependency-name: atheris
  dependency-version: 3.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: version-updates
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: version-updates
- dependency-name: ruff
  dependency-version: 0.15.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: transformers
  dependency-version: 5.12.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-push: c0f15ec to 192f669
Dependency Review — scripts/evals/moderation/pyproject.toml
Automated dependency review for this Dependabot bump. Only pyproject.toml and uv.lock were changed (lock file excluded from review per policy).
Changes at a glance

| Dependency | Old constraint | New constraint | Installed bump | Classification |
|---|---|---|---|---|
| transformers | >=4.40,<5 | >=5.12.1,<6 | 4.57.6 → 5.12.1 | MAJOR |
| pytest | >=8.0 | >=9.1.1 | 9.0.3 → 9.1.1 | Minor |
| ruff | >=0.6 | >=0.15.20 | 0.15.15 → 0.15.20 | Patch |
| atheris | >=3.0 | >=3.1.0 | 3.0.0 → 3.1.0 | Minor |
Safety checks
| Check | Result |
|---|---|
| License compatibility (all MIT) | ✅ All Apache 2.0 or MIT — compatible with project MIT license |
| No new dependencies introduced | ✅ All bumps are to existing dependencies |
| SHA pinning (GitHub Actions) | ✅ Not applicable — no workflow files changed |
| Devcontainer / setup sync | ✅ Not applicable — no devcontainer or copilot-setup-steps.yml changes |
| Known vulnerabilities (Dependabot) | ✅ None reported |
Findings
transformers — MAJOR version bump (4.57.6 → 5.12.1): This requires human verification. The 5.x series introduced changes to model loading APIs, tokenizer handling, and pipeline interfaces. Please confirm the moderation eval script is compatible with the new major version before merging. See inline comment.
pytest 9.0 → 9.1 (minor): The 9.1.x changelog notes some deprecation warnings for class-scoped fixtures defined as instance methods and request.getfixturevalue() during teardown — these become errors in pytest 10. No blockers, but worth a quick scan of the test suite if pytest 10 is in the near future.
ruff and atheris: Routine patch/minor bumps. No breaking changes noted. ✅
Verdict
COMMENT — The transformers major version bump warrants human review of the eval before merging. All other safety checks passed.
Generated by Dependabot PR Review for issue #2281 · 249.6 AIC · ⌖ 13.3 AIC · ⊞ 46.5K
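Both automated reviews above (the first comment's Dependency Changes and Safety Check Results, and this comment's Changes at a glance and Safety checks) perform the same checks: classify each bump from the locked versions, confirm every license against the project's allowlist, and list packages that are new in the lock file. The script below is an added example of those checks, not the project's own review tooling. It runs over constructed input that mirrors this PR's constraint changes; the `OLD_LOCK`/`NEW_LOCK` snapshots, the `LICENSES` metadata and the `ALLOWED_LICENSES` set are assumptions, and it additionally flags constraints with no upper bound, a check neither review performs.

```python
"""Dependency bump review over pyproject.toml constraints and lock snapshots.

Added example; not the project's review bot. Requirement strings are assumed
to have been read from pyproject.toml and locked versions from uv.lock.
Handles plain numeric versions (e.g. 5.12.1) and simple specifiers only;
no extras, markers or pre-release tags.
"""
import re

# Constructed sample input mirroring the constraint changes in this PR.
OLD_REQS = ["detoxify==0.5.2", "torch==2.12.1", "transformers>=4.40,<5",
            "pytest>=8.0", "ruff>=0.6", "atheris>=3.0"]
NEW_REQS = ["detoxify==0.5.2", "torch==2.12.1", "transformers>=5.12.1,<6",
            "pytest>=9.1.1", "ruff>=0.15.20", "atheris>=3.1.0"]

# Constructed lock snapshots (assumed): package -> installed version.
OLD_LOCK = {"detoxify": "0.5.2", "torch": "2.12.1", "transformers": "4.57.6",
            "pytest": "9.0.3", "ruff": "0.15.15", "atheris": "3.0.0"}
NEW_LOCK = {"detoxify": "0.5.2", "torch": "2.12.1", "transformers": "5.12.1",
            "pytest": "9.1.1", "ruff": "0.15.20", "atheris": "3.1.0",
            "annotated-doc": "0.0.4", "anyio": "4.14.1"}

# Constructed license metadata (assumed values; a real review reads package
# metadata) and the licenses the project accepts.
LICENSES = {"transformers": "Apache-2.0", "pytest": "MIT", "ruff": "MIT",
            "atheris": "Apache-2.0", "detoxify": "Apache-2.0",
            "torch": "BSD-3-Clause", "annotated-doc": "MIT", "anyio": "MIT"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
SPEC_RE = re.compile(r"^(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9.]*)$")


def parse_requirement(req):
    """Split 'name>=1.0,<2' into ('name', [('>=', '1.0'), ('<', '2')])."""
    m = REQ_RE.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement {req!r}")
    name, spec_text = m.group(1).lower(), m.group(2)
    specs = []
    for part in filter(None, (p.strip() for p in spec_text.split(","))):
        sm = SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier {part!r} in {req!r}")
        specs.append((sm.group(1), sm.group(2)))
    return name, specs


def version_tuple(version):
    """'5.12.1' -> (5, 12, 1); pads to three components."""
    parts = tuple(int(x) for x in version.split("."))
    return parts + (0,) * (3 - len(parts))


def classify_bump(old, new):
    """Semver-style classification; a 0.x minor change counts as breaking."""
    o, n = version_tuple(old), version_tuple(new)
    if o[0] != n[0]:
        return "major"
    if o[1] != n[1]:
        return "major (0.x series)" if o[0] == 0 else "minor"
    return "patch" if o != n else "none"


def has_upper_bound(specs):
    """True when the specifier set cannot drift into a future major."""
    return any(op in ("<", "<=", "==", "~=") for op, _ in specs)


def format_specs(specs):
    return ",".join(op + ver for op, ver in specs) if specs else "(absent)"


def review(old_reqs, new_reqs, old_lock, new_lock, licenses, allowed):
    """Return per-dependency findings plus packages new to the lock file."""
    old = dict(parse_requirement(r) for r in old_reqs)
    new = dict(parse_requirement(r) for r in new_reqs)
    changes = {}
    for name, specs in new.items():
        if name in old and specs == old[name]:
            continue  # constraint untouched by this PR
        flags = []
        if name not in old:
            bump = "new"
            flags.append("new top-level dependency: not a routine bump")
        elif name in old_lock and name in new_lock:
            bump = classify_bump(old_lock[name], new_lock[name])
        else:
            bump = "unknown"
        if bump.startswith("major"):
            flags.append("MAJOR bump: human verification of API compatibility required")
        if not has_upper_bound(specs):
            flags.append("no upper bound: a future major would resolve without review")
        lic = licenses.get(name)
        if lic is None:
            flags.append("license unknown")
        elif lic not in allowed:
            flags.append(f"license {lic} not in allowlist")
        changes[name] = {"old": format_specs(old.get(name)), "new": format_specs(specs),
                         "bump": bump, "flags": flags}
    # Packages present only in the new lock and not declared top-level are transitive.
    new_transitive = sorted(set(new_lock) - set(old_lock) - set(new))
    return {"changes": changes, "new_transitive": new_transitive}


if __name__ == "__main__":
    report = review(OLD_REQS, NEW_REQS, OLD_LOCK, NEW_LOCK, LICENSES, ALLOWED_LICENSES)
    for name, info in report["changes"].items():
        print(f"{name}: {info['old']} -> {info['new']} [{info['bump']}]")
        for flag in info["flags"]:
            print(f"    ! {flag}")
    print("new transitive packages:", ", ".join(report["new_transitive"]) or "none")
```

Run as a script, the report marks transformers as a major bump needing human verification, marks pytest as a minor installed bump whose constraint has no upper bound, leaves detoxify and torch out because their constraints did not change, and lists annotated-doc and anyio as the new transitive packages. The unknown-license and allowlist checks return findings as flags rather than failing, so the caller decides the verdict, which matches how the review above separates findings from the merge decision.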
| "detoxify==0.5.2", | ||
| "torch==2.12.1", | ||
| "transformers>=4.40,<5", | ||
| "transformers>=5.12.1,<6", |
transformers 4.x → 5.x
This constraint change (from >=4.40,<5 to >=5.12.1,<6) is a major version bump from the HuggingFace Transformers library. The v5.x series introduced new model architectures, updated tokenizer APIs, and changed several pipeline internals.
Before merging, please verify that the moderation eval still loads and runs correctly — specifically that the transformers pipeline/model calls in scripts/evals/moderation/ are compatible with the 5.x API.
License: Apache 2.0 ✅ (compatible with MIT). No known vulnerabilities reported by Dependabot ✅.
Bumps the version-updates group with 4 updates in the /scripts/evals/moderation directory: transformers, pytest, ruff and atheris.

Updates `transformers` from 4.57.6 to 5.12.1

Release notes
Sourced from transformers's releases.
... (truncated)

Commits
- ddb849a v5.12.1
- d81db16 mistral common backend fix (#46667)
- 07c294c Fix `peft` lower bound (#46605)
- e0e7504 Revert "fix security issue with allow all kernels"
- 7904f30 fix security issue with allow all kernels
- d77d573 fix kernel path
- f7999c7 v5.12.0
- 4c5d4fd Add minimax m3vl (#46600)
- 5957e6f [CI] capture checkers output in OTEL (#46601)
- 2d68208 Lfm2: thread `seq_idx` through ShortConv for packed/varlen inputs (#46588)

Updates `pytest` from 9.0.3 to 9.1.1

Release notes
Sourced from pytest's releases.
... (truncated)

Commits
- cf470ec Prepare release version 9.1.1
- e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
- 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
- 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
- b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
- 9a567e0 [automated] Update plugin list (#14617) (#14618)
- ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
- 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
- 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
- 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing

Updates `ruff` from 0.15.15 to 0.15.20

Release notes
Sourced from ruff's releases.
... (truncated)

Changelog
Sourced from ruff's changelog.
... (truncated)

Commits
- f82a36b Bump 0.15.20 (#26376)
- af32943 Improve the summarise-ecosystem-results skill (#26378)
- 485ebab Remove `RUF076` name from schema (#26371)
- ef81835 [ty] Implement rust-analyzer's "Click for full compiler diagnostic" feature (...
- 572b31e [ruff] Remove `pytest-fixture-autouse` (RUF076) (#26240)
- f703f21 Allow human-readable names in rule selectors (#25887)
- 0d726b2 [ty] Reuse equality semantics for membership compatibility (#25955)
- dbe6e98 [ty] Infer definite equality comparison results (#26337)
- e700ea3 [ty] Prove TypedDict structural patterns exhaustive (#26285)
- 6a0d2ec [ty] Widen inferred class-valued instance attributes (#26338)

Updates `atheris` from 3.0.0 to 3.1.0

Commits