Skip to content

Bump the python-production group in /pydatalab with 7 updates#1891

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pydatalab/main/python-production-5143f8ebb2
Open

Bump the python-production group in /pydatalab with 7 updates#1891
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pydatalab/main/python-production-5143f8ebb2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the python-production group in /pydatalab with 7 updates:

Package From To
matplotlib 3.10.8 3.10.9
pymongo 4.16.0 4.17.0
tomlkit 0.14.0 0.15.0
flask-cors 6.0.2 6.0.5
pyjwt 2.12.1 2.13.0
tiktoken 0.12.0 0.13.0
transformers 5.5.4 5.12.1

Updates matplotlib from 3.10.8 to 3.10.9

Release notes

Sourced from matplotlib's releases.

v3.10.9

This is a micro release of the v3.10.x series. Highlights of this release include:

  • Various minor bug and doc fixes
  • Security hardening validation of cyclers - Removing eval usage
  • Security hardening in Latex and PS calls - Removing shell escapes
Commits
  • dd8d78b REL: v3.10.9
  • 2fb1891 REL: Release prep v3.10.9
  • d0e923a Merge branch 'v3.10.8-doc' into v3.10.x
  • 1637932 Merge pull request #31558 from meeseeksmachine/auto-backport-of-pr-31556-on-v...
  • a83faac Backport PR #31556: FIX: Inverted PyErr_Occurred check in enum type caster (_...
  • a4f57ab Merge pull request #31545 from ksunden/backport-of-pr-31282-on-v3.10.x
  • 063288d Merge pull request #31544 from ksunden/backport-of-pr-31248-on-v3.10.x
  • b2ed196 Backport PR #31248: SEC: Remove eval() from validate_cycler
  • acc6024 Merge pull request #31282 from scottshambaugh/tex_no_shell
  • e3fb541 Merge pull request #31078 from meeseeksmachine/auto-backport-of-pr-31075-on-v...
  • Additional commits viewable in compare view

Updates pymongo from 4.16.0 to 4.17.0

Release notes

Sourced from pymongo's releases.

PyMongo 4.17.0

Community notes

What's Changed

... (truncated)

Changelog

Sourced from pymongo's changelog.

Changes in Version 4.17.0 (2026/04/20)

PyMongo 4.17 brings a number of changes including:

  • has_key, iterkeys and itervalues in :class:bson.son.SON have been deprecated and will be removed in PyMongo 5.0. These methods were deprecated in favor of the standard dictionary containment operator in and the keys() and values() methods, respectively.
  • Added the :meth:~pymongo.asynchronous.client_session.AsyncClientSession.bind and :meth:~pymongo.client_session.ClientSession.bind methods that allow users to bind a session to all database operations within the scope of a context manager instead of having to explicitly pass the session to each individual operation. See the Transactions docs <https://www.mongodb.com/docs/languages/python/pymongo-driver/current/crud/transactions/#methods>_ for examples and more information.
  • Added support for MongoDB's Intelligent Workload Management (IWM) and ingress connection rate limiting features in MongoDB server version 9.0. The driver will gracefully handle write-blocking scenarios and optimizes connection establishment during high-load conditions to maintain application availability.
Commits
  • f2103a9 Prep branch v4.17
  • 3491c08 PYTHON-5801 - Update changelog for 4.17 release (#2762)
  • 912ef33 PYTHON-5798 - Overload retargeting prose tests do not ensure that sec… (#2760)
  • b4e2c03 PYTHON-5800 - Simple collation is included in index information (#2761)
  • f31ba09 PYTHON-5797 - Add IWM and Overload Error links to changelog (#2757)
  • 5da9183 PYTHON-5794 - Add prose tests to verify correct retry behavior when a… (#2755)
  • 35e51a5 Revert "PYTHON-5768 Add AGENTS.md w/copilot instructions" (#2744) (#2754)
  • f41dd5c PYTHON-5772 Increase _gcp_helpers.py coverage (#2749)
  • 49e7a05 PYTHON-5760 Increase _azure_helpers.py coverage (#2747)
  • a2b0cd8 PYTHON-5795 Fix absolute link to CONTRIBUTING.md in README.md (#2756)
  • Additional commits viewable in compare view

Updates tomlkit from 0.14.0 to 0.15.0

Release notes

Sourced from tomlkit's releases.

0.15.0

What's Changed

New Contributors

Full Changelog: python-poetry/tomlkit@0.14.0...0.15.0

Changelog

Sourced from tomlkit's changelog.

[0.15.0] - 2026-05-10

Changed

  • Update parser to support TOML spec v1.1.0. (#456)
Commits
  • 8694e4d chore: bump version to 0.15.0 and update changelog for release (#473)
  • e636a51 [pre-commit.ci] pre-commit autoupdate (#472)
  • 96a4d22 fix: fix a parser hang (#470)
  • 843f799 [pre-commit.ci] pre-commit autoupdate (#469)
  • 2c87eaf Honor sort_keys for parsed TOML documents (#471)
  • 8e32f9c Type annotations (#460)
  • df98af4 [pre-commit.ci] pre-commit autoupdate (#461)
  • 4bd97db chore(deps): bump requests from 2.32.4 to 2.33.0 in /docs (#462)
  • b2d7030 chore(deps-dev): bump pygments from 2.17.2 to 2.20.0 (#463)
  • 87d98b1 chore(deps): bump pygments from 2.18.0 to 2.20.0 in /docs (#464)
  • Additional commits viewable in compare view

Updates flask-cors from 6.0.2 to 6.0.5

Release notes

Sourced from flask-cors's releases.

6.0.5

Supersedes 6.0.4

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.5

6.0.4

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.4

6.0.3

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

6.0.3-pre

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

Commits
  • 91ebc49 Typing Hotfix: support blueprints in the type system
  • d601665 Add strict MyPy Typing
  • c8e8871 Harden release publishing workflow (#406)
  • e1d4034 Derive package version from git tag via setuptools-scm (#405)
  • See full diff in compare view

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

  • GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

  • GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

  • GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

  • GHSA-993g-76c3-p5m4PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

  • GHSA-fhv5-28vv-h8m8PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

  • Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
  • Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
  • RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

  • Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
  • PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
  • PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
  • b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
  • enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security


- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.

Fixed


- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__
Commits
  • 7144e45 Apply ruff format
  • d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
  • 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
  • 95791b1 Bundle security fixes and hardening into 2.13.0
  • dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
  • 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
  • b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
  • 40e3147 Migrate development extras to dependency groups (#1152)
  • See full diff in compare view

Updates tiktoken from 0.12.0 to 0.13.0

Changelog

Sourced from tiktoken's changelog.

[v0.13.0]

  • Update fancy-regex for significantly increased performance
  • Branch byte pair encoding to fix performance on unusual input
  • Fix AttributeError caused by incomplete redaction of experimental code
  • Update version of pyo3
  • Update version of optional dependency blobfile
Commits

Updates transformers from 5.5.4 to 5.12.1

Release notes

Sourced from transformers's releases.

Patch release v5.12.1

Updated the lower bound for PEFT and a fix for auto tokenizer to properly resolve the mistral tokenizer (when mistral-common is installed). This is similar to v.5.10.3 minus the fixes that were already included in the main release - vLLM will first target 5.10.3 🤗

Full Changelog: huggingface/transformers@v5.12.0...v5.12.1

Patch release v5.10.4

Update: Note that on pypi 5.10.3 doesn't exist and this this saved under 5.10.4 (so essentially a minor version skipped). Sorry about that, that's on me. Just wanted to clarify to make this less confusing!

A few fixes needed for vLLM to sync with transformers 🤗

Full Changelog: huggingface/transformers@v5.10.2...v5.10.3

Release v5.12.0

New Model additions

MiniMax-M3-VL

MiniMax-M3-VL is the vision-language member of the MiniMax-M3 family that pairs a CLIP-style vision tower with 3D rotary position embeddings with the MiniMax-M3 text backbone. It uses a mixed dense/sparse Mixture-of-Experts decoder with SwiGLU-OAI gated experts and a lightning indexer for block-sparse attention. The model processes images through a Conv3d patch embedding system and includes specialized components for efficient multimodal understanding and generation.

Links: Documentation

PP-OCRv6: update documentation and slow tests (#46576)

The official weights for PP-OCRv6 are out: PP-OCRv6 is a lightweight OCR system that combines architectural innovation with data-centric optimization. It redesigns the backbone, detection neck, and recognition neck around a unified MetaFormer-style building block with structural reparameterization. Three model tiers (medium, small, tiny) share the same block primitives, covering deployment scenarios from server to edge.

  • PP-OCRv6: update documentation and slow tests (#46576) by @ zhang-prog

Add Parakeet-RNNT (#46331)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-production group in /pydatalab with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [matplotlib](https://github.com/matplotlib/matplotlib) | `3.10.8` | `3.10.9` |
| [pymongo](https://github.com/mongodb/mongo-python-driver) | `4.16.0` | `4.17.0` |
| [tomlkit](https://github.com/python-poetry/tomlkit) | `0.14.0` | `0.15.0` |
| [flask-cors](https://github.com/corydolphin/flask-cors) | `6.0.2` | `6.0.5` |
| [pyjwt](https://github.com/jpadilla/pyjwt) | `2.12.1` | `2.13.0` |
| [tiktoken](https://github.com/openai/tiktoken) | `0.12.0` | `0.13.0` |
| [transformers](https://github.com/huggingface/transformers) | `5.5.4` | `5.12.1` |


Updates `matplotlib` from 3.10.8 to 3.10.9
- [Release notes](https://github.com/matplotlib/matplotlib/releases)
- [Commits](matplotlib/matplotlib@v3.10.8...v3.10.9)

Updates `pymongo` from 4.16.0 to 4.17.0
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@4.16.0...4.17.0)

Updates `tomlkit` from 0.14.0 to 0.15.0
- [Release notes](https://github.com/python-poetry/tomlkit/releases)
- [Changelog](https://github.com/python-poetry/tomlkit/blob/master/CHANGELOG.md)
- [Commits](python-poetry/tomlkit@0.14.0...0.15.0)

Updates `flask-cors` from 6.0.2 to 6.0.5
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@6.0.2...6.0.5)

Updates `pyjwt` from 2.12.1 to 2.13.0
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.12.1...2.13.0)

Updates `tiktoken` from 0.12.0 to 0.13.0
- [Release notes](https://github.com/openai/tiktoken/releases)
- [Changelog](https://github.com/openai/tiktoken/blob/main/CHANGELOG.md)
- [Commits](openai/tiktoken@0.12.0...0.13.0)

Updates `transformers` from 5.5.4 to 5.12.1
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v5.5.4...v5.12.1)

---
updated-dependencies:
- dependency-name: matplotlib
  dependency-version: 3.10.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-production
- dependency-name: pymongo
  dependency-version: 4.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-production
- dependency-name: tomlkit
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-production
- dependency-name: flask-cors
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-production
- dependency-name: pyjwt
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-production
- dependency-name: tiktoken
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-production
- dependency-name: transformers
  dependency-version: 5.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependency_updates For issues/PRs that update the dependencies of the package Python labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependency_updates For issues/PRs that update the dependencies of the package Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants