Skip to content

Bump the python-deps group across 1 directory with 9 updates#2541

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sample-applications/chat-question-and-answer-core/python-deps-418d790032
Open

Bump the python-deps group across 1 directory with 9 updates#2541
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sample-applications/chat-question-and-answer-core/python-deps-418d790032

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on langchain-classic, langchain-core, uvicorn, huggingface-hub, langchain-huggingface, langchain-ollama, pytest-cov, httpx and torch to permit the latest version.
Updates langchain-classic from 1.0.7 to 1.0.8

Release notes

Sourced from langchain-classic's releases.

langchain-classic==1.0.8

Changes since langchain-classic==1.0.7

release(langchain-classic): 1.0.8 (#38033) hotfix(core): bump lockfile(s) (#38032) fix(core): support content block tokens in callbacks (#34739) chore(core): improve typing of Runnable __or__ (#34530) hotfix(openai): min core dep (#37990) chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain (#37929) chore: bump starlette from 0.49.1 to 1.0.1 in /libs/langchain (#37899) test(langchain,partners): disable pytest-benchmark under xdist to silence PytestBenchmarkWarning (#37901) chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain (#37889) chore(infra): bump langchain-tests floor to 1.1.9 (#37610) release(standard-tests): 1.1.9 (#37609) chore: bump idna from 3.10 to 3.15 in /libs/langchain (#37537) ci(infra): harden Dependabot version-bound preservation (#37510) hotfix: bump lockfiles (#37508) chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/langchain (#37393) chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain (#37327) chore: bump mistune from 3.1.4 to 3.2.1 in /libs/langchain (#37236)

Commits

Updates langchain-core from 1.4.5 to 1.4.9

Release notes

Sourced from langchain-core's releases.

langchain-core==1.4.9

Changes since langchain-core==1.4.8

release(core): 1.4.9 (#38728) fix(core): improve langsmith loader error messages (#35648) fix(core): output parser bugs in xml.py and pydantic.py (#35641) style(core): fix some ruff preview rules (#38656) fix(core): avoid dict shadowing in language models (#38480) fix(core): _parse_google_docstring mishandling continuation lines with colons (#35680) fix(core): add messages to bare raise ValueError calls (#38158) fix(core): use asyncio.get_running_loop() in async contexts (#38157) chore: bump langsmith from 0.8.0 to 0.8.18 in /libs/core (#38319) chore: bump jupyterlab from 4.5.7 to 4.5.9 in /libs/core (#38326) chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/core (#38327)

langchain-core==1.4.8

Changes since langchain-core==1.4.7

chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/core (#38252) chore: bump tornado from 6.5.6 to 6.5.7 in /libs/core (#38184) chore: bump bleach from 6.3.0 to 6.4.0 in /libs/core (#38198) release(core): 1.4.8 (#38254) refactor(langchain-classic): remove code for Python < 3.10 (#38194) perf(core): memoize BaseTool.tool_call_schema subset model and cache model_json_schema (#38073) style(core): fix style in langchain_core/_security (#38189) fix(core): preserve usage token details in v3 streaming events (#38021) fix(core): disallow_any_generics (#38156) chore(core): add mypy warn_unreachable (#38109) docs: refresh README installation and resources (#38119) test(core,langchain): update tests for explicit deserialization allowlists (#38118)

langchain-core==1.4.7

Changes since langchain-core==1.4.6

chore: bump tornado from 6.5.5 to 6.5.6 in /libs/core (#38115) release(core): 1.4.7 (#38111) fix(core,partners): rename package version trace metadata (#38110) fix(core): fix Pydantic v1 support in tools/runnable (#33698) style(core,langchain,langchain-classic,partners): replace double backticks in docstrings (#38095)

langchain-core==1.4.6

Changes since langchain-core==1.4.5

release(core): 1.4.6 (#38061) feat(core,partners): add package version tracking to tracing metadata (#35295) fix(core,openai): normalize v1 streamed tool calls (#35983) chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)

Commits
  • 1c3a418 release(core): 1.4.9 (#38728)
  • 1619f3d chore(standard-tests): fix some typings detected by ty (#38707)
  • a6f0369 chore(qdrant): bump fastembed to latest (#38726)
  • fca0a97 fix(langchain): propagate interrupts through ToolRetryMiddleware (#38722)
  • 874bada chore(model-profiles): refresh model profile data (#38712)
  • 6e51a7e chore(model-profiles): refresh model profile data (#38699)
  • 2d8100c fix(langchain-classic): fix Chain.save() regression from dict-to-`model_dum...
  • b08c391 test(openai): skip Codex VCR tests before cassette setup (#38690)
  • 83386b5 chore(model-profiles): refresh model profile data (#38689)
  • 701cc0e test(deps): Include Python 3.14 in integration test matrix (#34993)
  • Additional commits viewable in compare view

Updates uvicorn to 0.51.0

Release notes

Sourced from uvicorn's releases.

Version 0.51.0

What's Changed

Full Changelog: Kludex/uvicorn@0.50.2...0.51.0

Changelog

Sourced from uvicorn's changelog.

0.51.0 (July 8, 2026)

Added

  • Restart workers one at a time on SIGHUP, bringing each replacement up before retiring the old worker, so reloads no longer drop requests (#3025)

Removed

  • Remove colorama from the standard extra (#3027)

0.50.2 (July 6, 2026)

Fixed

  • Require websockets>=13.0, which the default websockets-sansio implementation needs (#3021)

0.50.1 (July 6, 2026)

Fixed

  • Split comma-separated Sec-WebSocket-Protocol values in the websockets-sansio implementation (#3019)

0.50.0 (July 4, 2026)

If you use WebSockets, note that --ws auto now picks the websockets-sansio implementation. You shouldn't need it, but you can pin --ws websockets to get the deprecated legacy one back.

Changed

  • Exit with the dedicated code 3 on any startup failure: app loading, socket bind and lifespan startup errors previously exited with a mix of 0, 1 and 3 (#3001)
  • Stop the multiprocess supervisor when a worker exits with code 3 instead of restarting it forever (#3001)
  • Default --ws auto to websockets-sansio when websockets is installed (#2985)
  • Skip the eager app import in the parent process with --reload or --workers, fixing a memory regression introduced in 0.47.0 (#3012)
  • Build a fresh asgi scope dict per request (#2977)
  • Cache the asgi scope sub-dict per connection (#2976)
  • Avoid copying single-frame WebSocket payloads in websockets-sansio (#2983)
  • Memoize trusted host checks in ProxyHeadersMiddleware (#2970)
  • Replace click.style with an internal ANSI style helper (#2981)

Deprecated

  • Deprecate the legacy websockets implementation; use websockets-sansio or wsproto instead (#2985)

0.49.0 (June 3, 2026)

Changed

  • Bump httptools minimum version to 0.8.0 (#2962)
  • Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

... (truncated)

Commits
  • e4d0b05 Version 0.51.0 (#3028)
  • 944e43d Remove colorama from the standard extra (#3027)
  • 2e78770 Restart workers with overlap on SIGHUP for near-zero-downtime reloads (#3025)
  • a1b570c Version 0.50.2 (#3022)
  • 83c7da7 Require websockets>=13.0 for the default sansio implementation (#3021)
  • b4d0116 Version 0.50.1 (#3020)
  • 2a9151d Split comma-separated Sec-WebSocket-Protocol values in the websockets-sansi...
  • 1bf3ab4 Cover the excluded-directory branch in FileFilter with a direct test (#3014)
  • 837b5f9 Deflake multiprocess, reload, and signal supervisor tests (#2975)
  • 21d2c16 Version 0.50.0 (#3013)
  • Additional commits viewable in compare view

Updates huggingface-hub from 1.19.0 to 1.22.0

Release notes

Sourced from huggingface-hub's releases.

[v1.22.0] Sandboxes, faster downloads, and a rebuilt CLI

🖥️ Sandboxes: isolated cloud machines on top of Jobs

Sandboxes are isolated cloud machines you can spin up in seconds, run commands in with live-streamed output, and move files in and out of — all from Python or the CLI. They are built entirely on top of Jobs: under the hood a sandbox is just a Job running a tiny static server, so any Docker image with /bin/sh works and it inherits Jobs' billing, hardware flavors, and namespace permissions for free. Two flavors are available: Sandbox.create for a dedicated VM (GPU workloads, untrusted code, full isolation) and SandboxPool to pack many cheap CPU sandboxes into a few shared host VMs for fan-out workloads like RL rollouts. This release also adds background processes (sbx.run(..., background=True) / hf sandbox spawn) and a port proxy (Sandbox.proxy_url_for) so you can reach a server running inside a sandbox from the outside over HTTP or WebSocket.

from huggingface_hub import Sandbox
with Sandbox.create(image="python:3.12") as sbx:   # ready in ~6s
sbx.files.write("/app/main.py", "print(40 + 2)")
print(sbx.run("python /app/main.py").stdout)    # 42

# Create, run, copy files, and terminate from the terminal
hf sandbox create
hf sandbox exec <id> -- python -c "print('hi')"
hf sandbox cp data.csv <id>:/data/data.csv
hf sandbox kill <id>
  • [Sandbox] Add Sandbox API and hf sandbox CLI on top of Jobs by @​Wauplin in #4350
  • [Sandbox] Background processes + proxy to reach in-sandbox servers by @​Wauplin in #4444

📚 Documentation: Sandboxes guide, Sandbox reference

⚡ Faster snapshot downloads with a tree cache

snapshot_download now caches a repository's file listing on disk under a new trees/ folder, so re-downloading a commit that's already cached costs a single network call — resolving the branch or tag to a commit hash — instead of one metadata request per file. The listing is immutable per commit and shared by both snapshot_download and hf_hub_download; for Xet-enabled files it also skips the per-file HEAD /resolve request entirely, rebuilding the metadata from the cached listing. As a deliberate side effect of the completeness check, when the Hub can't be reached and the local snapshot is missing requested files, snapshot_download now raises IncompleteSnapshotError instead of silently returning a partial folder.

  • [Download] Cache repo tree listing on disk in snapshot_download by @​Wauplin in #4394

📚 Documentation: Manage your cache

🛠️ CLI rebuilt on Click (drops Typer)

The entire hf CLI now runs on a small in-house layer over Click 8.x instead of Typer, which had vendored Click in a way that broke the CLI's custom help rendering, error enrichment, and shell completion — and forced capping typer<0.26. The migration preserves existing behavior: --help output is byte-identical, the generated cli.md reference is unchanged apart from a header comment, and shell completion now uses Click's native completion. The public typer_factory helper is kept so downstream libraries like transformers that register their own commands keep working.

💔 Breaking Change

  • [Upload] Deprecate upload_large_folder (API + CLI) by @​Wauplin in #4414upload_large_folder and hf upload-large-folder are now deprecated in favor of upload_folder / hf upload, which handle very large and resumable uploads out of the box.
  • Make filter_repo_objects pattern matching case-sensitive on all platforms by @​Sreekant13 in #4435allow_patterns/ignore_patterns now match case-sensitively on every OS (aligned with case-sensitive Hub paths). On Windows this is a behavior change: patterns like *.PDF no longer match file.pdf.
  • [Inference Providers] Remove dead inference providers by @​hanouticelina in #4447 — removes six providers no longer routed by the Hub (black-forest-labs, clarifai, hyperbolic, nebius, nvidia, sambanova) — docs

🖥️ CLI

  • [CLI] Add hf discussions edit by @​Wauplin in #4415docs
  • [CLI] hf cache: surface & prune incomplete downloads by @​Wauplin in #4416hf cache ls now flags leftover .incomplete files and hf cache prune removes them automatically — docs

... (truncated)

Commits
  • 5db966a Release: v1.22.0
  • 1d6e7d0 Release: v1.22.0.rc0
  • 8f03d83 Expose base_model filter param on get_dataset_leaderboard (#4474)
  • cc4e7cc [Http] Support standard Retry-After header in http_backoff (#4460)
  • 7b53d23 [CLI] Add a minimal Click framework for the CLI (#4462)
  • 4db84d0 Docs: Jobs are no longer Pro-only — update availability note in jobs guide (#...
  • a139277 Accept two-letter byte units (KB/MB/GB/TB/PB) in parse_size (#4468)
  • 28aecd9 Fix KeyError in get_dataset_leaderboard when entry has no source (#4473)
  • f70f00d Remove Usage command lists from CLI module docstrings (#4472)
  • 031d002 [CLI] Expose out singleton publicly + add out.log method (#4471)
  • Additional commits viewable in compare view

Updates langchain-huggingface from 1.2.1 to 1.2.2

Release notes

Sourced from langchain-huggingface's releases.

langchain-huggingface==1.2.2

Changes since langchain-huggingface==1.2.1

release(huggingface): 1.2.2 (#36832) fix(huggingface): harden hostname validation and reject URLs in repo_id (#36831) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/huggingface (#36802) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/huggingface (#36794) chore(model-profiles): refresh model profile data (#36720) chore(model-profiles): refresh model profile data (#36596) chore: add comment explaining pygments>=2.20.0 (#36570) chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/partners/huggingface (#36436) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(huggingface): avoid hf api calls when using local HuggingFaceEndpoint (#35633) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/huggingface (#36252) chore(partners): bump langchain-core min to 1.2.21 (#36183) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) ci: suppress pytest streaming output in CI (#36092) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/huggingface (#35861) feat(model-profiles): new fields + Makefile target (#35788) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/partners/huggingface (#35776) docs(huggingface): add [full] install guidance and sentence-transformers>=5.2.0 migration note (#35713) chore: bump langgraph from 1.0.8 to 1.0.10rc1 in /libs/partners/huggingface (#35613)

Commits
  • 6fb37db release(huggingface): 1.2.2 (#36832)
  • a029c7b fix(huggingface): harden hostname validation and reject URLs in repo_id (#36831)
  • af0e174 release(core): 1.3.0a3 (#36829)
  • b00646d chore(core): keep checkpoint_ns behavior in streaming metadata for backwards ...
  • c04e05f feat(core): Add chat model and LLM invocation params to traceable metadata (#...
  • 92a6e57 release(langchain-classic): 1.0.4 (#36827)
  • 1749eb8 chore(langchain-classic): add deprecations (#36826)
  • 58c4e5b release(text-splitters): 1.1.2 (#36822)
  • c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
  • b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
  • Additional commits viewable in compare view

Updates langchain-ollama from 1.0.1 to 1.1.0

Release notes

Sourced from langchain-ollama's releases.

langchain-deepseek==1.1.0

Changes since langchain-deepseek==1.0.1

chore(infra): bump langchain-tests floor to 1.1.9 (#37610) chore: bump idna from 3.10 to 3.15 in /libs/partners/deepseek (#37560) ci(infra): harden Dependabot version-bound preservation (#37510) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/deepseek (#37341) chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/deepseek (#37282) chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/deepseek (#37283) chore(docs): update x handle references (#37081) chore(model-profiles): refresh model profile data (#37015) chore(model-profiles): refresh model profile data (#37005) hotfix: bump min core versions (#36996) feat(core): add content-block-centric streaming (v2) (#36834) ci(infra): add pytest-xdist to partner test groups (#36988) chore(model-profiles): refresh model profile data (#36982) hotfix(ci): remove nobenchmark flag (#36959) chore(partners): standardize integration test invocation (#36958) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/deepseek (#36787) chore: add comment explaining pygments>=2.20.0 (#36570) chore(model-profiles): refresh model profile data (#36554) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/deepseek (#36256) chore(partners): bump langchain-core min to 1.2.21 (#36183) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) ci: suppress pytest streaming output in CI (#36092) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/deepseek (#35868) fix(deepseek): accept base_url as alias for api_base (#35789) feat(model-profiles): new fields + Makefile target (#35788) chore(model-profiles): refresh model profile data (#35646) fix(deepseek): use proper URL parsing for azure endpoint detection (#35455) fix(deepseek): Tool Choice to required for Azure Deployment in case specific function dict is given (#34848) fix(model-profiles): sort generated profiles by model ID for stable diffs (#35344) fix(infra): fix trailing comma regex in profile generation script (#35333) chore: bump model profiles (#35294) chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/partners/deepseek (#35156) feat(model-profiles): add text_inputs and text_outputs (#35084) chore: add make type target (#35015) revert: "chore: add typing target in Makefile" (#35013) chore: add typing target in Makefile (#35012) chore: enrich pyproject.toml files (#34980) chore(deps): bump the uv group across 20 directories with 3 updates (#34941) chore: upgrade urllib3 to 2.6.3 (#34940) chore: update twitter URLs (#34736) chore: ban relative imports on all packages (#34691) fix(openai): filter function_call blocks in token counting (#34396) release(openai): 1.1.6: update max input tokens for gpt-5 series (#34419) release(openai): 1.1.5 (#34409)

... (truncated)

Commits

Updates pytest-cov to 7.1.0

Changelog

Sourced from pytest-cov's changelog.

7.1.0 (2026-03-21)

  • Fixed total coverage computation to always be consistent, regardless of reporting settings. Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on reporting options. See [#641](https://github.com/pytest-dev/pytest-cov/issues/641) <https://github.com/pytest-dev/pytest-cov/issues/641>_.

  • Improve handling of ResourceWarning from sqlite3.

    The plugin adds warning filter for sqlite3 ResourceWarning unclosed database (since 6.2.0). It checks if there is already existing plugin for this message by comparing filter regular expression. When filter is specified on command line the message is escaped and does not match an expected message. A check for an escaped regular expression is added to handle this case.

    With this fix one can suppress ResourceWarning from sqlite3 from command line::

    pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...

  • Various improvements to documentation. Contributed by Art Pelling in [#718](https://github.com/pytest-dev/pytest-cov/issues/718) <https://github.com/pytest-dev/pytest-cov/pull/718>_ and "vivodi" in [#738](https://github.com/pytest-dev/pytest-cov/issues/738) <https://github.com/pytest-dev/pytest-cov/pull/738>. Also closed [#736](https://github.com/pytest-dev/pytest-cov/issues/736) <https://github.com/pytest-dev/pytest-cov/issues/736>.

  • Fixed some assertions in tests. Contributed by in Markéta Machová in [#722](https://github.com/pytest-dev/pytest-cov/issues/722) <https://github.com/pytest-dev/pytest-cov/pull/722>_.

  • Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).

7.0.0 (2025-09-09)

  • Dropped support for subprocesses measurement.

    It was a feature added long time ago when coverage lacked a nice way to measure subprocesses created in tests. It relied on a .pth file, there was no way to opt-out and it created bad interations with coverage's new patch system <https://coverage.readthedocs.io/en/latest/config.html#run-patch>_ added in 7.10 <https://coverage.readthedocs.io/en/7.10.6/changes.html#version-7-10-0-2025-07-24>_.

    To migrate to this release you might need to enable the suprocess patch, example for .coveragerc:

    .. code-block:: ini

    [run] patch = subprocess

    This release also requires at least coverage 7.10.6.

  • Switched packaging to have metadata completely in pyproject.toml and use hatchling <https://pypi.org/project/hatchling/>_ for building. Contributed by Ofek Lev in [#551](https://github.com/pytest-dev/pytest-cov/issues/551) <https://github.com/pytest-dev/pytest-cov/pull/551>_ with some extras in [#716](https://github.com/pytest-dev/pytest-cov/issues/716) <https://github.com/pytest-dev/pytest-cov/pull/716>_.

  • Removed some not really necessary testing deps like six.

... (truncated)

Commits
  • 66c8a52 Bump version: 7.0.0 → 7.1.0
  • f707662 Make the examples use pypy 3.11.
  • 6049a78 Make context test use the old ctracer (seems the new sysmon tracer behaves di...
  • 8ebf20b Update changelog.
  • 861d30e Remove the backup context manager - shouldn't be needed since coverage 5.0, ...
  • fd4c956 Pass the precision on the nulled total (seems that there's some caching goion...
  • 78c9c4e Only run the 3.9 on older deps.
  • 4849a92 Punctuation.
  • 197c35e Update changelog and hopefully I don't forget to publish release again :))
  • 14dc1c9 Update examples to use 3.11 and make the adhoc layout example look a bit more...
  • Additional commits viewable in compare view

Updates httpx to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

  • Fix SSL case where verify=False together with client side certificates.
Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

  • Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

  • The verify argument as a string argument is now deprecated and will raise warnings.
  • The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

  • The deprecated proxies argument has now been removed.
  • The deprecated app argument has now been removed.
  • JSON request bodies use a compact representation. (#3363)
  • Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
  • Ensure certifi and httpcore are only imported if required. (#3377)
  • Treat socks5h as a valid proxy scheme. (#3178)
  • Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
  • Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

0.27.2 (27th August, 2024)

Fixed

  • Reintroduced supposedly-private URLTypes shortcut. (#2673)

0.27.1 (27th August, 2024)

Added

  • Support for zstd content decoding using the python zstandard package is added. Installable using httpx[zstd]. (#3139)

Fixed

  • Improved error messaging for InvalidURL exceptions. (#3250)
  • Fix app type signature in ASGITransport. (#3109)

0.27.0 (21st February, 2024)

... (truncated)

Commits

Updates torch from 2.9.1 to 2.13.0

Release notes

Sourced from torch's releases.

PyTorch 2.13.0 Release Notes

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Tracked Regressions

ROCm wheels break torch.compile on CPU in environments without a GPU

Running a torch==2.13.0+rocm7.2 wheel in an environment where no GPU is available (torch.cuda.is_available() is False) breaks torch.compile on the CPU path: the first compile raises RuntimeError: Can't detect vectorized ISA for CPU (#189194). This is a regression from torch==2.12.1+rocm7.2, which compiles CPU code fine (detecting e.g. VecAVX2) in the same setup. The 2.13 ROCm wheel appears to rely on something present in the ROCm builder image to detect the CPU vectorized ISA, so it works when run on a ROCm image but fails on a plain CPU-only image.

Workaround: run the +rocm wheel on a ROCm image, or install a standard CPU/CUDA build for GPU-less environments.

Backwards Incompatible Changes

  • Stop building CPython 3.13t (free-threaded) binaries (#182951)

    Upstream pypa/manylinux removed CPython 3.13t (free-threaded) on 2026-05-07, because 3.13t was experimental and has been superseded by the now-non-experimental CPython 3.14t. As a result, PyTorch 2.13 no longer ships cp313t wheels (Linux, Triton, and related artifacts). Users on the free-threaded interpreter should move to Python 3.14t.

    PyTorch 2.12:

    # cp313t (free-threaded 3.13) wheels were available
    python3.13t -m pip install torch

    PyTorch 2.13:

... (truncated)

Commits
  • cf30153 [release/2.13] Strip +PTX from CUDA arch list on release/RC builds (#188914) ...
  • 3e3e24b [release/2.13] Restrict cuda-bindings to Python < 3.15 for CUDA 12.9 builds (...
  • 7986b06 [release/2.13] Bump binary build timeout 280 -> 400 minutes (#188551)
  • 0bdbc26 [release/2.13] Add CUDA 12.9 to TORCH_CUDA_ARCH_LIST tables (#188443)
  • 9cabb45 [release/2.13] Update manywheel docker image pin to 78e737ad (#188409)
  • 78e737a [release/2.13] Revert "Tighten generalized scatter graph target (#184075)" (#...
  • 0bb9b5b [release/2.13] Revert "dynamo: round-trip torch.cuda.stream ctx mgr across gr...
  • aaac2bf [release/2.13] ...

    Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 10, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 10, 2026
Updates the requirements on [langchain-classic](https://github.com/langchain-ai/langchain), [langchain-core](https://github.com/langchain-ai/langchain), [uvicorn](https://github.com/Kludex/uvicorn), [huggingface-hub](https://github.com/huggingface/huggingface_hub), [langchain-huggingface](https://github.com/langchain-ai/langchain), [langchain-ollama](https://github.com/langchain-ai/langchain), [pytest-cov](https://github.com/pytest-dev/pytest-cov), [httpx](https://github.com/encode/httpx) and [torch](https://github.com/pytorch/pytorch) to permit the latest version.

Updates `langchain-classic` from 1.0.7 to 1.0.8
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.7...langchain-classic==1.0.8)

Updates `langchain-core` from 1.4.5 to 1.4.9
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.4.5...langchain-core==1.4.9)

Updates `uvicorn` to 0.51.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.21.0...0.51.0)

Updates `huggingface-hub` from 1.19.0 to 1.22.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.19.0...v1.22.0)

Updates `langchain-huggingface` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-huggingface==1.2.1...langchain-huggingface==1.2.2)

Updates `langchain-ollama` from 1.0.1 to 1.1.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-ollama==1.0.1...langchain-ollama==1.1.0)

Updates `pytest-cov` to 7.1.0
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v6.0.0...v7.1.0)

Updates `httpx` to 0.28.1
- [Release notes](https://github.com/encode/httpx/releases)
- [Changelog](https://github.com/encode/httpx/blob/master/CHANGELOG.md)
- [Commits](encode/httpx@0.27.2...0.28.1)

Updates `torch` from 2.9.1 to 2.13.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.9.1...v2.13.0)

---
updated-dependencies:
- dependency-name: httpx
  dependency-version: 0.28.1
  dependency-type: direct:development
  dependency-group: python-deps
- dependency-name: huggingface-hub
  dependency-version: 1.21.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: langchain-classic
  dependency-version: 1.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: langchain-core
  dependency-version: 1.4.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: langchain-huggingface
  dependency-version: 1.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: langchain-ollama
  dependency-version: 1.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:development
  dependency-group: python-deps
- dependency-name: torch
  dependency-version: 2.12.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: uvicorn
  dependency-version: 0.49.0
  dependency-type: direct:production
  dependency-group: python-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/pip/sample-applications/chat-question-and-answer-core/python-deps-418d790032 branch from 3d40dd5 to 3553754 Compare July 15, 2026 23:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants