chore(deps): bump the uv group across 1 directory with 12 updates by dependabot[bot] · Pull Request #40 · ComposioHQ/langflow

dependabot · 2026-06-08T18:41:05Z

Bumps the uv group with 12 updates in the / directory:

Package	From	To
python-multipart	`0.0.22`	`0.0.27`
pip	`25.3`	`26.1`
pypdf	`6.6.2`	`6.10.2`
chromadb	`1.5.5`	`1.5.9`
langsmith	`0.7.17`	`0.8.0`
smolagents	`1.24.0`	`1.25.0`
pyarrow	`19.0.0`	`23.0.1`
lxml	`6.0.2`	`6.1.0`
authlib	`1.6.9`	`1.6.12`
starlette	`0.52.1`	`1.0.1`
ujson	`5.12.0`	`5.12.1`
urllib3	`2.6.3`	`2.7.0`

Updates python-multipart from 0.0.22 to 0.0.27

Release notes

Sourced from python-multipart's releases.

Version 0.0.27

What's Changed

Pass parse offsets via constructors by @Kludex in Kludex/python-multipart#268

Add multipart header limits by @Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

Skip preamble before first multipart boundary by @Kludex in Kludex/python-multipart#262

Silently discard epilogue data after the closing boundary by @Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Apply Apache-2.0 properly by @Kludex in Kludex/python-multipart#247

Handle multipart headers case-insensitively by @Kludex in Kludex/python-multipart#252

Emit field_end for trailing bare field names on finalize by @bysiber in Kludex/python-multipart#230

Add UPLOAD_DELETE_TMP to FormParser config by @Kludex in Kludex/python-multipart#254

Remove custom FormParser classes by @Kludex in Kludex/python-multipart#257

Handle CTE values case-insensitively by @Kludex in Kludex/python-multipart#258

Add MIME content type info to File by @jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Validate chunk_size in parse_form() by @Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

Remove unused trust_x_headers parameter and X-File-Name fallback by @jhnstrk in Kludex/python-multipart#196

Return processed length from QuerystringParser._internal_write by @bysiber in Kludex/python-multipart#229

Cleanup metadata dunders from __init__.py by @Chesars in Kludex/python-multipart#227

New Contributors

@Chesars made their first contribution in Kludex/python-multipart#227

@bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

Add multipart header limits #267.

Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

Skip preamble before the first multipart boundary more efficiently #262.

Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

Add MIME content type info to File #143.

Handle CTE values case-insensitively #258.

Remove custom FormParser classes #257.

Add UPLOAD_DELETE_TMP to FormParser config #254.

Emit field_end for trailing bare field names on finalize #230.

Handle multipart headers case-insensitively #252.

Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

Remove unused trust_x_headers parameter and X-File-Name fallback #196.

Return processed length from QuerystringParser._internal_write #229.

Cleanup metadata dunders from __init__.py #227.

Commits

6d1d689 Version 0.0.27 (#272)
0b10220 Run CI on main branch pull requests (#271)
3e64f5f Add multipart header limits (#267)
eb109cc Pass parse offsets via constructors (#268)
78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
28f4785 Version 0.0.26 (#263)
d4452a7 Silently discard epilogue data after the closing boundary (#259)
6a7b76d Skip preamble before first multipart boundary (#262)
4addb60 Version 0.0.25 (#261)
Additional commits viewable in compare view

Updates pip from 25.3 to 26.1

Changelog

Sourced from pip's changelog.

26.1 (2026-04-26)

Deprecations and Removals

Drop support for Python 3.9. ([#13795](https://github.com/pypa/pip/issues/13795) <https://github.com/pypa/pip/issues/13795>_)

Features

Add experimental support to read requirements from standardized pylock.toml files (-r pylock.toml). ([#13876](https://github.com/pypa/pip/issues/13876) <https://github.com/pypa/pip/issues/13876>_)

Allow --uploaded-prior-to to accept a duration in days (e.g., P3D for 3 days ago). ([#13674](https://github.com/pypa/pip/issues/13674) <https://github.com/pypa/pip/issues/13674>_)

Enhancements

Speed up dependency resolution when there are complex conflicts. ([#13859](https://github.com/pypa/pip/issues/13859) <https://github.com/pypa/pip/issues/13859>_)

Reduce memory usage when resolving large dependency trees. ([#13843](https://github.com/pypa/pip/issues/13843) <https://github.com/pypa/pip/issues/13843>_)

Emit a deprecation warning when pip imports an unexpected module after installation of a distribution has started. ([#13912](https://github.com/pypa/pip/issues/13912) <https://github.com/pypa/pip/issues/13912>_)

Allow URL constraints to apply to requirements with extras. ([#12018](https://github.com/pypa/pip/issues/12018) <https://github.com/pypa/pip/issues/12018>_)

Allow unpinned requirements to use hashes from constraints. Constraints like {name}=={version} --hash=... feeds into hash verification for a corresponding requirement. ([#9243](https://github.com/pypa/pip/issues/9243) <https://github.com/pypa/pip/issues/9243>_)

Improve conflict reports that involve direct URLs. ([#13932](https://github.com/pypa/pip/issues/13932) <https://github.com/pypa/pip/issues/13932>_)

Show all errors instead of first error for faulty dependency_groups definitions. ([#13917](https://github.com/pypa/pip/issues/13917) <https://github.com/pypa/pip/issues/13917>_)

Bug Fixes

Fix recovery hint for missing RECORD file to use --ignore-installed instead of --force-reinstall. ([#12645](https://github.com/pypa/pip/issues/12645) <https://github.com/pypa/pip/issues/12645>_)

Fix misleading error message when a constraint file cannot be opened. ([#13226](https://github.com/pypa/pip/issues/13226) <https://github.com/pypa/pip/issues/13226>_)

Show the filename rather than the full URL when downloading files from non-PyPI indexes in non-verbose mode. ([#13494](https://github.com/pypa/pip/issues/13494) <https://github.com/pypa/pip/issues/13494>_)

Remove the adjacent __pycache__ directory when a .py file is removed. ([#13725](https://github.com/pypa/pip/issues/13725) <https://github.com/pypa/pip/issues/13725>_)

Force UTF-8 encoding for :pep:723 metadata. ([#13861](https://github.com/pypa/pip/issues/13861) <https://github.com/pypa/pip/issues/13861>_)

Minor performance improvement when filtering candidates during resolution. ([#13916](https://github.com/pypa/pip/issues/13916) <https://github.com/pypa/pip/issues/13916>_)

Fix a hang on Windows when stdout is closed during verbose output. ([#13927](https://github.com/pypa/pip/issues/13927) <https://github.com/pypa/pip/issues/13927>_)

Common path prefixes are determined by path segment, not character by character. ([#13847](https://github.com/pypa/pip/issues/13847) <https://github.com/pypa/pip/issues/13847>_)

Fix installing .tar.gz source distributions that look like a zip file. ([#13867](https://github.com/pypa/pip/issues/13867) <https://github.com/pypa/pip/issues/13867>_)

Vendored Libraries

Upgrade certifi to 2026.2.25

Upgrade packaging to 26.2

Upgrade requests to 2.33.1

Upgrade tomli to 2.3.1

Upgrade urllib3 to 2.6.3

... (truncated)

Commits

90b2b3e Bump for release
193f289 Update AUTHORS.txt
63c3709 Merge pull request #13876 from sbidoul/install-from-pylock-reqs-sbi
e5fe702 Merge pull request #13949 from pypa/revert-13888-resolver-editable-links
122a14a Revert "Allow editable installs to satisfy direct-URL dependencies (#13888)"
c335252 -r pylock.toml: add pip-wheel -r pylock.toml test
ba2fc12 -r pylock.toml: proper error with remote pylock.toml containing directory ent...
747c4ae Merge pull request #13948 from ichard26/reword-news
3517841 -r pylock: refine filename pylock-ness test
2f7ad8c -r pylock.toml: fix crash with pip wheel and pip lock
Additional commits viewable in compare view

Updates pypdf from 6.6.2 to 6.10.2

Release notes

Sourced from pypdf's releases.

Version 6.10.2, 2026-04-15

What's new

Security (SEC)

Do not rely on possibly invalid /Size for incremental cloning (#3735) by @stefan6419846

Introduce limits for FlateDecode parameters and image decoding (#3734) by @stefan6419846

Full Changelog

Version 6.10.1, 2026-04-14

What's new

Security (SEC)

Limit the allowed size of xref and object streams (#3733) by @stefan6419846

Robustness (ROB)

Consider strict mode setting for decryption errors (#3731) by @stefan6419846

Documentation (DOC)

Use new parameter names for compress_identical_objects by @stefan6419846

Full Changelog

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

Disallow custom XML entity declarations for XMP metadata (#3724) by @stefan6419846

New Features (ENH)

Skip MD5 key derivation for AES-256 encrypted PDFs (#3694) by @Ygnas

Bug Fixes (BUG)

Use remove_orphans in compress_identical_objects (#3310) by @j-t-1

Fix PdfReadError when xref table contains comments before trailer (#3710) by @rassie

Correctly verify AES padding during decryption (#3699) by @stefan6419846

Fix stale object cache from non-authoritative object streams (#3698) by @astahlman

Fix extract_links pairing when annotations include non-links (#3687) by @ReinerBRO

Documentation (DOC)

Add AI policy (#3717) by @stefan6419846

Full Changelog

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

Avoid infinite loop in read_from_stream for broken files (#3693) by @stefan6419846

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.10.2, 2026-04-15

Security (SEC)

Do not rely on possibly invalid /Size for incremental cloning (#3735)

Introduce limits for FlateDecode parameters and image decoding (#3734)

Full Changelog

Version 6.10.1, 2026-04-14

Security (SEC)

Limit the allowed size of xref and object streams (#3733)

Robustness (ROB)

Consider strict mode setting for decryption errors (#3731)

Documentation (DOC)

Use new parameter names for compress_identical_objects

Full Changelog

Version 6.10.0, 2026-04-10

Security (SEC)

Disallow custom XML entity declarations for XMP metadata (#3724)

New Features (ENH)

Skip MD5 key derivation for AES-256 encrypted PDFs (#3694)

Bug Fixes (BUG)

Use remove_orphans in compress_identical_objects (#3310)

Fix PdfReadError when xref table contains comments before trailer (#3710)

Correctly verify AES padding during decryption (#3699)

Fix stale object cache from non-authoritative object streams (#3698)

Fix extract_links pairing when annotations include non-links (#3687)

Documentation (DOC)

Add AI policy (#3717)

Full Changelog

Version 6.9.2, 2026-03-23

Security (SEC)

Avoid infinite loop in read_from_stream for broken files (#3693)

Robustness (ROB)

Resolve UnboundLocalError for xobjs in _get_image (#3684)

Full Changelog

... (truncated)

Commits

c476b4f REL: 6.10.2
c50a010 SEC: Do not rely on possibly invalid /Size for incremental cloning (#3735)
ac734da SEC: Introduce limits for FlateDecode parameters and image decoding (#3734)
b49e7eb REL: 6.10.1
62338e9 SEC: Limit the allowed size of xref and object streams (#3733)
5dcc0ae DEV: Update pytest-benchmark to 5.2.3
b42e4aa DEV: Update pinned pillow and pytest where possible (#3732)
717446b ROB: Consider strict mode setting for decryption errors (#3731)
9e461d3 DEV: Bump softprops/action-gh-release from 2 to 3 (#3730)
500d09d TST: Update test_embedded_file__basic to use tmp_path fixture (#3726)
Additional commits viewable in compare view

Updates chromadb from 1.5.5 to 1.5.9

Release notes

Sourced from chromadb's releases.

1.5.9

Version: 1.5.9 Git ref: refs/tags/1.5.9 Build Date: 2026-05-05T05:55 PIP Package: chroma-1.5.9.tar.gz Github Container Registry Image: :1.5.9 DockerHub Image: :1.5.9

What's Changed

ENH: block functions on topology dbs by @rescrv in chroma-core/chroma#6836

ENH: Add Tilt fault injection CLI by @rescrv in chroma-core/chroma#6881

[CHORE] Debug TimeoutError in test_add.py by @rescrv in chroma-core/chroma#6905

[ENH]: Enable rebuilds for sharded collections by @tanujnay112 in chroma-core/chroma#6916

[ENH]: Group by support with sharding by @sanketkedia in chroma-core/chroma#6909

[CHORE]: Denormalize tenant and database into collection_compaction_cursors table by @tanujnay112 in chroma-core/chroma#6940

[CHORE] Use normalized record sets for test add by @rescrv in chroma-core/chroma#6935

[ENH]: Add workflow to build and publish service container images by @jasonvigil in chroma-core/chroma#6944

[ENH] - Updates language around Chroma Cloud to be more representative. by @tjkrusinskichroma in chroma-core/chroma#6952

[ENH]: Add change stream to collection compaction cursors by @tanujnay112 in chroma-core/chroma#6955

[BUG] Switch to storing DOCKERHUB_USERNAME as var by @jasonvigil in chroma-core/chroma#6962

[CHORE]: Standardize Tilt CI image build on root docker-bake.hcl by @jasonvigil in chroma-core/chroma#6958

[BUG]: Rename database on soft delete by @tanujnay112 in chroma-core/chroma#6943

Revert "[CHORE]: Standardize Tilt CI image build on root docker-bake.hcl" by @jasonvigil in chroma-core/chroma#6965

ENH: name and size all worker threads by @rescrv in chroma-core/chroma#6936

BUG: simplify flaky indexing progress test by @rescrv in chroma-core/chroma#6968

[CHORE] stabilize Tilt dev environment configs by @rescrv in chroma-core/chroma#6937

BUG: use correct version file per collection in ancestor walk by @rescrv in chroma-core/chroma#6970

[ENH] Add SparsePostingBlock by @HammadB in chroma-core/chroma#6823

[ENH] Add basic maxscore writer/reader by @HammadB in chroma-core/chroma#6825

[ENH] Add maxscore lazy cursor by @HammadB in chroma-core/chroma#6829

[ENH] Add SIMD for maxscore by @Sicheng-Pan in chroma-core/chroma#6865

[ENH] Benchmark maxscore by @Sicheng-Pan in chroma-core/chroma#6866

[ENH] Add maxscore option in schema by @Sicheng-Pan in chroma-core/chroma#6878

[ENH] Add maxscore index to metadata segment by @Sicheng-Pan in chroma-core/chroma#6880

[ENH] Wire maxscore reader in search by @Sicheng-Pan in chroma-core/chroma#6899

[PERF] Batch load lazy cursor by @Sicheng-Pan in chroma-core/chroma#6974

ENH: add MCMR support for log GC by @rescrv in chroma-core/chroma#6946

ENH: parameterize multi-region config by @rescrv in chroma-core/chroma#6951

[CHORE] fix merge conflict in main by @rescrv in chroma-core/chroma#6986

[ENH]: Refactor offset_id to be a mutable AtomicU32 in record by @tanujnay112 in chroma-core/chroma#6922

ENH: add spanner-cli wrapper binary by @rescrv in chroma-core/chroma#6959

BUG: preserve legacy hnsw: metadata keys by @rescrv in chroma-core/chroma#6953

[TST] refactor repair collection log offset test by @rescrv in chroma-core/chroma#6954

TST: add MCMR hard delete test by @rescrv in chroma-core/chroma#6947

ENH: defer Spanner init to first use by @rescrv in chroma-core/chroma#6915

[CHORE]: Denormalize is_deleted in mcmr by @tanujnay112 in chroma-core/chroma#6989

[BUG] Reject NaN/Infinity in base64-encoded embeddings by @philipithomas in chroma-core/chroma#6664

Revert "TST: add MCMR hard delete test" by @rescrv in chroma-core/chroma#6992

[ENH] Verify file path for compaction by @Sicheng-Pan in chroma-core/chroma#6991

[DOC]: Document file-upload sync API, AWS credential reuse, and EU region by @philipithomas in chroma-core/chroma#6988

... (truncated)

Commits

11f3c74 [RELEASE] CLI 1.4.4 Python 1.5.9 JS 3.4.5 (#7018)
f16d06a [ENH]: add client header to Gemini embedding functions (#6990)
b7cb6ac [CHORE]: Remove foundation/ from chroma (#7017)
bec3105 ENH: Add login, logout, and whoami commands (#7007)
1251ff7 [DOC] Add CLAUDE.md, AGENTS.md, scoped Rust rule (#7010)
f4bbbf2 [BLD] Add foundation CLI install script (#7005)
2c8f49f ENH: move foundation/ to top-level so rust/** filters skip it (#7008)
51eebdb [ENH] scaffold foundation CLI project (#6999)
874b700 ENH: GC empty MCMR collections (#6961)
aedf9a6 ENH: Add read-only backend failover (#6985)
Additional commits viewable in compare view

Updates langsmith from 0.7.17 to 0.8.0

Release notes

Sourced from langsmith's releases.

v0.8.0

What's Changed

feat(js,py): JS 0.6.0, Py 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2831

release(js): 0.6.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2832

release(py): 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2833

Full Changelog: langchain-ai/langsmith-sdk@v0.7.38...v0.8.0

v0.7.38

What's Changed

feat(js): add tracing of opencode by @dqbd in langchain-ai/langsmith-sdk#2776

chore(js): Remove types/uuid by @jacoblee93 in langchain-ai/langsmith-sdk#2814

docs(sandbox): document default idle TTL of 10 minutes by @DanielKneipp in langchain-ai/langsmith-sdk#2788

ci(py): Bump pytest timeout to 2m by @jacoblee93 in langchain-ai/langsmith-sdk#2815

chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 4 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2803

chore(deps): update sphinx-autobuild requirement from >=2024 to >=2024.10.3 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2809

chore(deps): update myst-nb requirement from >=1.1.1 to >=1.4.0 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2810

chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2812

chore(deps-dev): bump @langchain/openai from 0.5.18 to 0.6.17 in /js by @dependabot[bot] in langchain-ai/langsmith-sdk#2806

chore(deps): bump the py-minor-and-patch group across 1 directory with 18 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2808

feat(py): Adds strands OTEL exporter by @jacoblee93 in langchain-ai/langsmith-sdk#2817

chore(js): Switch to oxfmt and oxlint by @jacoblee93 in langchain-ai/langsmith-sdk#2819

fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic BaseModel by @QuentinBrosse in langchain-ai/langsmith-sdk#2820

chore: add apac support by @joaquin-borggio-lc in langchain-ai/langsmith-sdk#2821

fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span for subagents, merge message blocks by id by @jacoblee93 in langchain-ai/langsmith-sdk#2816

release(js): 0.5.26 by @jacoblee93 in langchain-ai/langsmith-sdk#2824

release(py): 0.7.38 by @jacoblee93 in langchain-ai/langsmith-sdk#2825

Full Changelog: langchain-ai/langsmith-sdk@v0.7.37...v0.7.38

v0.7.37

What's Changed

perf(js): Offload serialize to worker thread at flush time by @jacoblee93 in langchain-ai/langsmith-sdk#2781

release(js): 0.5.24 by @emil-lc in langchain-ai/langsmith-sdk#2790

chore(js): Fix perf test flagging by @jacoblee93 in langchain-ai/langsmith-sdk#2792

feat(js,python): Adds hub model config and provider to schemas by @jacoblee93 in langchain-ai/langsmith-sdk#2793

fix(js): minor test improvements by @christian-bromann in langchain-ai/langsmith-sdk#2429

fix(js): Include auth headers on info requests by @jacoblee93 in langchain-ai/langsmith-sdk#2800

release(js): 0.5.25 by @jacoblee93 in langchain-ai/langsmith-sdk#2801

fix(python): flush both tracing_queue and compressed_traces in flush() by @angus-langchain in langchain-ai/langsmith-sdk#2796

chore(deps): bump postcss from 8.5.8 to 8.5.10 in /js/internal/environment_tests/test-exports-vite in the npm_and_yarn group across 1 directory by @dependabot[bot] in langchain-ai/langsmith-sdk#2791

chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2794

fix(python): flush pending traces during Client.cleanup() by @angus-langchain in langchain-ai/langsmith-sdk#2799

fix(py): Fix concurrency for multiple Claude Agent SDK sessions by @jacoblee93 in langchain-ai/langsmith-sdk#2795

release(py): 0.7.37 by @jacoblee93 in langchain-ai/langsmith-sdk#2802

Full Changelog: langchain-ai/langsmith-sdk@v0.7.36...v0.7.37

... (truncated)

Commits

cf01c87 release(py): 0.8.0 (#2833)
fd049c8 release(js): 0.6.0 (#2832)
092a886 feat(js,py): JS 0.6.0, Py 0.8.0 (#2831)
ff180c0 release(py): 0.7.38 (#2825)
d9de3ca release(js): 0.5.26 (#2824)
1428394 fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span f...
838e957 chore: add apac support (#2821)
003f22a fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic Bas...
8f5ef27 chore(js): Switch to oxfmt and oxlint (#2819)
9873633 feat(py): Adds strands OTEL exporter (#2817)
Additional commits viewable in compare view

Updates smolagents from 1.24.0 to 1.25.0

Release notes

Sourced from smolagents's releases.

v1.25.0

What's Changed

Bump dev version: v1.25.0.dev0 by @albertvillanova in huggingface/smolagents#1939

Fix import of TokenUsage by @albertvillanova in huggingface/smolagents#1943

Add MLflow integration doc by @B-Step62 in huggingface/smolagents#1884

Refactor agent/model deserialization: Replace importlib with registry pattern by @albertvillanova in huggingface/smolagents#1944

Update _function_type_hints_utils.py: CohereForAI -> CohereLabs by @Michellehbn in huggingface/smolagents#1946

Fix High impact vulnerability on remote executors by @nnfrog in huggingface/smolagents#1637

Fix SafeSerializer.get_deserializer_code by @albertvillanova in huggingface/smolagents#1983

Fix RemotePythonExecutor._deserialize_final_answer for legacy no-prefix pickle by @albertvillanova in huggingface/smolagents#1984

Test 'pickle:...' payloads are properly decoded by @albertvillanova in huggingface/smolagents#1985

Remove support for legacy no-prefix pickle by @albertvillanova in huggingface/smolagents#1986

Create docs reference page for Python executors by @albertvillanova in huggingface/smolagents#1987

Isolate WasmExecutor Deno cache to per-instance temp directory by @albertvillanova in huggingface/smolagents#1995

Switch wildcard bind to loopback-only endpoint in WasmExecutor by @albertvillanova in huggingface/smolagents#2025

Use token in DockerExecutor by @albertvillanova in huggingface/smolagents#2027

Remove allow_origin from Docker and Modal executors by @albertvillanova in huggingface/smolagents#2028

Use token in WasmExecutor by @albertvillanova in huggingface/smolagents#2031

Fix evaluate_with() calling exit on wrong object by @dubin555 in huggingface/smolagents#2029

Fix evaluate_with by suppressing exception if truthy exit by @albertvillanova in huggingface/smolagents#2033

Use requests.Session in WasmExecutor by @albertvillanova in huggingface/smolagents#2032

Fix Rich MarkupError in AgentLogger.log_task by rendering untrusted text safely by @Barcavin in huggingface/smolagents#1894

Emphasise sandboxing is required; LocalPythonExecutor is not a security tool by @zsims in huggingface/smolagents#2039

Fix log_error rendering brackets as Rich markup by @albertvillanova in huggingface/smolagents#2077

Support huggingface-hub >= 1 by @merveenoyan in huggingface/smolagents#2075

Remove unused safe_serialization param from _websocket_run_code_raise_errors by @albertvillanova in huggingface/smolagents#2131

Set allow_pickle default to False in internal calls by @albertvillanova in huggingface/smolagents#2132

🔒 Pin GitHub Actions to commit SHAs by @paulinebm in huggingface/smolagents#2149

chore: bump doc-builder SHA for PR upload workflow by @rtrompier in huggingface/smolagents#2194

chore: bump doc-builder SHA for main doc build workflow by @rtrompier in huggingface/smolagents#2219

New Contributors

@B-Step62 made their first contribution in huggingface/smolagents#1884

@Michellehbn made their first contribution in huggingface/smolagents#1946

@dubin555 made their first contribution in huggingface/smolagents#2029

@zsims made their first contribution in huggingface/smolagents#2039

@paulinebm made their first contribution in huggingface/smolagents#2149

@rtrompier made their first contribution in huggingface/smolagents#2194

Full Changelog: huggingface/smolagents@v1.24.0...v1.25.0

Commits

See full diff in compare view

Updates pyarrow from 19.0.0 to 23.0.1

Release notes

Sourced from pyarrow's releases.

Apache Arrow 23.0.1

Release Notes URL: https://arrow.apache.org/release/23.0.1.html

Apache Arrow 23.0.1 RC0

Release Notes: Release Candidate: 23.0.1 RC0

Apache Arrow 23.0.0

Release Notes URL: https://arrow.apache.org/release/23.0.0.html

Apache Arrow 23.0.0 RC2

Release Notes: Release Candidate: 23.0.0 RC2

Apache Arrow 22.0.0

Release Notes URL: https://arrow.apache.org/release/22.0.0.html

Apache Arrow 22.0.0 RC1

Release Notes: Release Candidate: 22.0.0 RC1

Apache Arrow 22.0.0 RC0

Release Notes: Release Candidate: 22.0.0 RC0

Apache Arrow 21.0.0

Release Notes URL: https://arrow.apache.org/release/21.0.0.html

Apache Arrow 21.0.0 RC6

Release Notes: Release Candidate: 21.0.0 RC6

Apache Arrow 21.0.0 RC5

Release Notes: Release Candidate: 21.0.0 RC5

Apache Arrow 21.0.0 RC4

Release Notes: Release Candidate: 21.0.0 RC4

Apache Arrow 21.0.0 RC3

Release Notes: Release Candidate: 21.0.0 RC3

Apache Arrow 21.0.0 RC2

Release Notes: Release Candidate: 21.0.0 RC2

Apache Arrow 20.0.0

Release Notes URL: https://arrow.apache.org/release/20.0.0.html

Apache Arrow 20.0.0 RC2

Release Notes: Release Candidate: 20.0.0 RC2

Apache Arrow 20.0.0 RC1

Release Notes: Release Candidate: 20.0.0 RC1

Apache Arrow 20.0.0 RC0

Release Notes: Release Candidate: 20.0.0 RC0

... (truncated)

Commits

82a374e MINOR: [Release] Update versions for 23.0.1
c1ae37c MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1
8f6e557 MINOR: [Release] Update CHANGELOG.md for 23.0.1
4e16a1a GH-49159: [C++][Gandiva] Detect overflow in repeat() (#49160)
985621d Description has been truncated

Bumps the uv group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.22` | `0.0.27` | | [pip](https://github.com/pypa/pip) | `25.3` | `26.1` | | [pypdf](https://github.com/py-pdf/pypdf) | `6.6.2` | `6.10.2` | | [chromadb](https://github.com/chroma-core/chroma) | `1.5.5` | `1.5.9` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.7.17` | `0.8.0` | | [smolagents](https://github.com/huggingface/smolagents) | `1.24.0` | `1.25.0` | | [pyarrow](https://github.com/apache/arrow) | `19.0.0` | `23.0.1` | | [lxml](https://github.com/lxml/lxml) | `6.0.2` | `6.1.0` | | [authlib](https://github.com/authlib/authlib) | `1.6.9` | `1.6.12` | | [starlette](https://github.com/Kludex/starlette) | `0.52.1` | `1.0.1` | | [ujson](https://github.com/ultrajson/ultrajson) | `5.12.0` | `5.12.1` | | [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` | Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `pip` from 25.3 to 26.1 - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@25.3...26.1) Updates `pypdf` from 6.6.2 to 6.10.2 - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](py-pdf/pypdf@6.6.2...6.10.2) Updates `chromadb` from 1.5.5 to 1.5.9 - [Release notes](https://github.com/chroma-core/chroma/releases) - [Changelog](https://github.com/chroma-core/chroma/blob/main/RELEASE_PROCESS.md) - [Commits](chroma-core/chroma@1.5.5...1.5.9) Updates `langsmith` from 0.7.17 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.17...v0.8.0) Updates `smolagents` from 1.24.0 to 1.25.0 - [Release notes](https://github.com/huggingface/smolagents/releases) - [Commits](huggingface/smolagents@v1.24.0...v1.25.0) Updates `pyarrow` from 19.0.0 to 23.0.1 - [Release notes](https://github.com/apache/arrow/releases) - [Commits](apache/arrow@apache-arrow-19.0.0...apache-arrow-23.0.1) Updates `lxml` from 6.0.2 to 6.1.0 - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.0) Updates `authlib` from 1.6.9 to 1.6.12 - [Release notes](https://github.com/authlib/authlib/releases) - [Changelog](https://github.com/authlib/authlib/blob/1.6.12/docs/changelog.rst) - [Commits](authlib/authlib@v1.6.9...1.6.12) Updates `starlette` from 0.52.1 to 1.0.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.52.1...1.0.1) Updates `ujson` from 5.12.0 to 5.12.1 - [Release notes](https://github.com/ultrajson/ultrajson/releases) - [Commits](ultrajson/ultrajson@5.12.0...5.12.1) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) --- updated-dependencies: - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: direct:production dependency-group: uv - dependency-name: pip dependency-version: '26.1' dependency-type: direct:production dependency-group: uv - dependency-name: pypdf dependency-version: 6.10.2 dependency-type: direct:production dependency-group: uv - dependency-name: chromadb dependency-version: 1.5.9 dependency-type: direct:production dependency-group: uv - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: direct:production dependency-group: uv - dependency-name: smolagents dependency-version: 1.25.0 dependency-type: direct:production dependency-group: uv - dependency-name: pyarrow dependency-version: 23.0.1 dependency-type: direct:production dependency-group: uv - dependency-name: lxml dependency-version: 6.1.0 dependency-type: direct:development dependency-group: uv - dependency-name: authlib dependency-version: 1.6.12 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 1.0.1 dependency-type: indirect dependency-group: uv - dependency-name: ujson dependency-version: 5.12.1 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-08T18:46:48Z

Superseded by #41.

dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 8, 2026

dependabot Bot closed this Jun 8, 2026

dependabot Bot deleted the dependabot/uv/uv-cbfc828f24 branch June 8, 2026 18:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the uv group across 1 directory with 12 updates#40

chore(deps): bump the uv group across 1 directory with 12 updates#40
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-cbfc828f24

dependabot Bot commented on behalf of github Jun 8, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 8, 2026

Version 0.0.27

What's Changed

Version 0.0.26

What's Changed

Version 0.0.25

What's Changed

Version 0.0.24

What's Changed

Version 0.0.23

What's Changed

New Contributors

0.0.27 (2026-04-27)

0.0.26 (2026-04-10)

0.0.25 (2026-04-10)

0.0.24 (2026-04-05)

0.0.23 (2026-04-05)

26.1 (2026-04-26)

Deprecations and Removals

Features

Enhancements

Bug Fixes

Vendored Libraries

Version 6.10.2, 2026-04-15

What's new

Security (SEC)

Version 6.10.1, 2026-04-14

What's new

Security (SEC)

Robustness (ROB)

Documentation (DOC)

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

New Features (ENH)

Bug Fixes (BUG)

Documentation (DOC)

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

Version 6.10.2, 2026-04-15

Security (SEC)

Version 6.10.1, 2026-04-14

Security (SEC)

Robustness (ROB)

Documentation (DOC)

Version 6.10.0, 2026-04-10

Security (SEC)

New Features (ENH)

Bug Fixes (BUG)

Documentation (DOC)

Version 6.9.2, 2026-03-23

Security (SEC)

Robustness (ROB)

1.5.9

What's Changed

v0.8.0

What's Changed

v0.7.38

What's Changed

v0.7.37

What's Changed

v1.25.0

What's Changed

New Contributors

Apache Arrow 23.0.1

Apache Arrow 23.0.1 RC0

Apache Arrow 23.0.0

Apache Arrow 23.0.0 RC2

Apache Arrow 22.0.0

Apache Arrow 22.0.0 RC1

Apache Arrow 22.0.0 RC0

Apache Arrow 21.0.0

Apache Arrow 21.0.0 RC6

Apache Arrow 21.0.0 RC5

Apache Arrow 21.0.0 RC4

Apache Arrow 21.0.0 RC3

Apache Arrow 21.0.0 RC2

Apache Arrow 20.0.0