
Bump the pip group across 7 directories with 8 updates #686

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/cli/pip-a02adc5ce3

Conversation

dependabot[bot] (Contributor) commented on behalf of github, May 4, 2026

Bumps the pip group with 1 update in the /cli directory: cryptography.
Bumps the pip group with 1 update in the /examples/cc/rano/implementation directory: onnx.
Bumps the pip group with 1 update in the /examples/chestxray_tutorial/model_custom_cnn/project directory: torch.
Bumps the pip group with 1 update in the /examples/fl/fl/project directory: onnx.
Bumps the pip group with 1 update in the /examples/fl/prep/project directory: pillow.
Bumps the pip group with 1 update in the /examples/fl_post/fl/project directory: onnx.
Bumps the pip group with 4 updates in the /server directory: djangorestframework, pyopenssl, werkzeug and djangorestframework-simplejwt.

Updates cryptography from 46.0.3 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

  • SECURITY ISSUE: Fixed an issue where non-contiguous buffers could be passed to APIs that accept Python buffers, which could lead to buffer overflow. CVE-2026-39892
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.

46.0.6 - 2026-03-25

  • SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

46.0.5 - 2026-02-10

  • An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007
  • Support for SECT* binary elliptic curves is deprecated and will be removed in the next release.

46.0.4 - 2026-01-27

  • Dropped support for win_arm64 wheels.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

Commits

Updates onnx from 1.16.2 to 1.21.0

Release notes

Sourced from onnx's releases.

v1.21.0

ONNX v1.21.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

What's Changed

Breaking Changes and Deprecations

Spec and Operator

Reference Implementation

Utilities and Tools

Build, CI and Tests

... (truncated)

Commits

Updates torch from 2.0.1 to 2.7.1+cpu

Updates onnx from 1.13.0 to 1.21.0

Release notes

Sourced from onnx's releases.

v1.21.0

ONNX v1.21.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

What's Changed

Breaking Changes and Deprecations

Spec and Operator

Reference Implementation

Utilities and Tools

Build, CI and Tests

... (truncated)

Commits

Updates pillow from 10.2.0 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Dependencies

Testing

Other changes

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

11.0.0 (2024-10-15)

  • Update licence to MIT-CMU #8460 [hugovk]

  • Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

  • Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

  • Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

  • Do not close provided file handles with libtiff when saving #8458 [radarhere]

  • Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

  • Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

  • Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

  • Use transparency when combining P frames from APNGs #8443 [radarhere]

  • Support all resampling filters when resizing I;16* images #8422 [radarhere]

  • Free memory on early return #8413 [radarhere]

  • Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

Updates onnx from 1.13.0 to 1.21.0

Release notes

Sourced from onnx's releases.

v1.21.0

ONNX v1.21.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

What's Changed

Breaking Changes and Deprecations

Spec and Operator

Reference Implementation

Utilities and Tools

Build, CI and Tests

... (truncated)

Commits

Updates djangorestframework from 3.14.0 to 3.15.2

Release notes

Sourced from djangorestframework's releases.

3.15.2

What's Changed

New Contributors

Full Changelog: encode/django-rest-framework@3.15.1...3.15.2

Version 3.15.1

What's Changed

New Contributors

... (truncated)

Commits
  • c7a7eae Version 3.15.2 (#9439)
  • 3b41f01 Fix potential XSS vulnerability in break_long_headers template filter (#9435)
  • fe92f0d Add __hash__ method for permissions.OperandHolder class (#9417)
  • fbdab09 docs: Correct some evaluation results and a httpie option in Tutorial1 (#9421)
  • 36d5c0e tests: Check urlpatterns after cleanups (#9400)
  • 9d4ed05 Don't use Windows line endings
  • b34bde4 Fix typo in setup.cfg setting
  • ab681f2 Update requirements in docs
  • 2237724 bump pygments (security hygiene)
  • d58b8da Update deprecation hints
  • Additional commits viewable in compare view

Updates pyopenssl from 25.3.0 to 26.0.0

Changelog

Sourced from pyopenssl's changelog.

26.0.0 (2026-03-15)

Backward-incompatible changes:

  • Dropped support for Python 3.7.
  • The minimum cryptography version is now 46.0.0.

Deprecations:

Changes:

  • Added support for using aws-lc instead of OpenSSL.
  • Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
  • Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
  • Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, e...

    Description has been truncated

Bumps the pip group with 1 update in the /cli directory: [cryptography](https://github.com/pyca/cryptography).
Bumps the pip group with 1 update in the /examples/cc/rano/implementation directory: [onnx](https://github.com/onnx/onnx).
Bumps the pip group with 1 update in the /examples/chestxray_tutorial/model_custom_cnn/project directory: torch.
Bumps the pip group with 1 update in the /examples/fl/fl/project directory: [onnx](https://github.com/onnx/onnx).
Bumps the pip group with 1 update in the /examples/fl/prep/project directory: [pillow](https://github.com/python-pillow/Pillow).
Bumps the pip group with 1 update in the /examples/fl_post/fl/project directory: [onnx](https://github.com/onnx/onnx).
Bumps the pip group with 4 updates in the /server directory: [djangorestframework](https://github.com/encode/django-rest-framework), [pyopenssl](https://github.com/pyca/pyopenssl), [werkzeug](https://github.com/pallets/werkzeug) and [djangorestframework-simplejwt](https://github.com/jazzband/djangorestframework-simplejwt).


Updates `cryptography` from 46.0.3 to 46.0.7
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.3...46.0.7)

Updates `onnx` from 1.16.2 to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.16.2...v1.21.0)

Updates `torch` from 2.0.1 to 2.7.1+cpu

Updates `onnx` from 1.13.0 to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.16.2...v1.21.0)

Updates `pillow` from 10.2.0 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@10.2.0...12.2.0)

Updates `onnx` from 1.13.0 to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.16.2...v1.21.0)

Updates `djangorestframework` from 3.14.0 to 3.15.2
- [Release notes](https://github.com/encode/django-rest-framework/releases)
- [Commits](encode/django-rest-framework@3.14.0...3.15.2)

Updates `pyopenssl` from 25.3.0 to 26.0.0
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@25.3.0...26.0.0)

Updates `werkzeug` from 3.0.6 to 3.1.6
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.0.6...3.1.6)

Updates `djangorestframework-simplejwt` from 5.3.1 to 5.5.1
- [Release notes](https://github.com/jazzband/djangorestframework-simplejwt/releases)
- [Changelog](https://github.com/jazzband/djangorestframework-simplejwt/blob/master/CHANGELOG.md)
- [Commits](jazzband/djangorestframework-simplejwt@v5.3.1...v5.5.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.7.1+cpu
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: djangorestframework
  dependency-version: 3.15.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyopenssl
  dependency-version: 26.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: werkzeug
  dependency-version: 3.1.6
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: djangorestframework-simplejwt
  dependency-version: 5.5.1
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
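The cryptography 46.0.7 entry in the comment above concerns non-contiguous Python buffers reaching native code. What follows is an added example, not code from the cryptography project or from this PR, written in plain Python with the standard library only: it builds a strided memoryview, uses a simulated native consumer (`naive_native_copy`, a stand-in for a C routine and not a real cryptography API) to show why such a view is misinterpreted, and gives the boundary check a wrapper should perform before handing any buffer to C. The 16-byte sample input is constructed for the example.

```python
"""Added example, not code from the cryptography project or the PR.  Shows what a
non-contiguous Python buffer looks like, how a naive native consumer mishandles
it, and the boundary check a wrapper should perform before passing a buffer to
native code.  Standard library only."""
from __future__ import annotations

# Constructed sample input: 16 bytes, so offsets and values line up visibly.
DATA = bytes(range(16))


def naive_native_copy(view: memoryview) -> bytes:
    """Emulates a C consumer that calls PyObject_GetBuffer() and then reads
    `len` bytes from `buf` as if they were contiguous, ignoring strides.
    Correct for a contiguous view; for a strided view it consumes the wrong
    bytes, and a consumer that also sizes its output from len*itemsize is
    working with a region whose real extent differs (the class of bug the
    46.0.7 changelog entry describes).  This is a simulation, not real C."""
    base = bytes(view.obj)        # the allocation the view points into
    return base[: view.nbytes]    # contiguous assumption baked in


def strided_view(data: bytes, step: int = 2) -> memoryview:
    """A perfectly legal buffer-protocol object that is NOT C-contiguous."""
    return memoryview(data)[::step]


def require_contiguous(buf) -> memoryview:
    """Boundary check for any wrapper that forwards `buf` to native code:
    accept only C-contiguous buffers and refuse everything else explicitly,
    instead of letting the C side misinterpret the memory layout."""
    mv = memoryview(buf)
    if not mv.c_contiguous:
        raise BufferError(
            f"non-contiguous buffer (strides={mv.strides}, nbytes={mv.nbytes}); "
            "pass bytes(buf) or buf.tobytes() instead"
        )
    if mv.itemsize != 1:
        mv = mv.cast("B")         # normalise to a flat byte view
    return mv


def safe_native_copy(buf) -> bytes:
    """Hardened wrapper: validate first, then hand a flat byte view on."""
    return naive_native_copy(require_contiguous(buf))


def intended_bytes(view: memoryview) -> bytes:
    """What the caller actually meant: the elements the view selects."""
    return view.tobytes()


if __name__ == "__main__":
    v = strided_view(DATA)
    print("c_contiguous:", v.c_contiguous, "strides:", v.strides, "nbytes:", v.nbytes)
    print("intended :", intended_bytes(v).hex())
    print("naive    :", naive_native_copy(v).hex())       # not what the caller meant
    try:
        safe_native_copy(v)
    except BufferError as exc:
        print("rejected :", exc)
    print("safe     :", safe_native_copy(bytes(v)).hex())  # caller made a contiguous copy
```

The check is cheap (`memoryview.c_contiguous` is a flag, not a scan) and belongs at the Python/C boundary of any extension wrapper; callers that really hold a strided view should copy it with `bytes(view)` or `view.tobytes()` before the call.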
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 4, 2026 22:39
@dependabot dependabot Bot had a problem deploying to testing-external-code May 4, 2026 22:40 Failure
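The pyOpenSSL 26.0.0 entry in the comment above describes a DTLS cookie callback returning more than DTLS1_COOKIE_LENGTH bytes, which previously overflowed a native buffer. As an added example, not code from pyOpenSSL or from this PR, here is a stateless HMAC-based HelloVerifyRequest cookie whose length is fixed by construction, plus a guard that bounds the output of any cookie-generate callback before it reaches native code. Assumptions: DTLS1_COOKIE_LENGTH is taken as 255 from the OpenSSL headers checked for this example (confirm against your build), the callback shape only approximates what pyOpenSSL's `Context.set_cookie_generate_callback` / `set_cookie_verify_callback` pass in, and the client address and secret are constructed. Standard library only; pyOpenSSL is not imported.

```python
"""Added example, not code from pyOpenSSL or this PR.  A stateless DTLS cookie
(timestamp || HMAC(secret, timestamp || client id)) that can never exceed
DTLS1_COOKIE_LENGTH, and a guard that enforces that bound on any callback
before its result is copied into a fixed-size native buffer."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time
from typing import Callable

# Assumption: OpenSSL's dtls1.h defines DTLS1_COOKIE_LENGTH as 255 in the
# headers checked for this example; confirm against your own build.
DTLS1_COOKIE_LENGTH = 255
COOKIE_TTL_SECONDS = 60                                # example choice
_TS_LEN, _TAG_LEN = 4, hashlib.sha256().digest_size    # 4 + 32 = 36 bytes


def _client_id(addr: tuple[str, int]) -> bytes:
    """Bind the cookie to the peer's address, as RFC 6347 suggests."""
    host, port = addr
    return host.encode() + struct.pack("!H", port)


def make_cookie(addr: tuple[str, int], secret: bytes, now: float | None = None) -> bytes:
    """Stateless cookie; always 36 bytes, so it is below DTLS1_COOKIE_LENGTH
    by construction and needs no server-side state table."""
    ts = struct.pack("!I", int(time.time() if now is None else now))
    tag = hmac.new(secret, ts + _client_id(addr), hashlib.sha256).digest()
    return ts + tag


def verify_cookie(cookie: bytes, addr: tuple[str, int], secret: bytes,
                  now: float | None = None) -> bool:
    """Recompute in constant time; reject wrong length, wrong peer, or expiry."""
    if len(cookie) != _TS_LEN + _TAG_LEN:
        return False
    ts, tag = cookie[:_TS_LEN], cookie[_TS_LEN:]
    expected = hmac.new(secret, ts + _client_id(addr), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    issued = struct.unpack("!I", ts)[0]
    current = int(time.time() if now is None else now)
    return 0 <= current - issued <= COOKIE_TTL_SECONDS


def bounded(cb: Callable[..., bytes]) -> Callable[..., bytes]:
    """Wrap a cookie-generate callback so an oversize or non-bytes result
    becomes a Python exception at the boundary rather than a copy into a
    DTLS1_COOKIE_LENGTH-sized native buffer (the failure 26.0.0 guards against)."""
    def guarded(*args, **kwargs) -> bytes:
        cookie = cb(*args, **kwargs)
        if not isinstance(cookie, (bytes, bytearray)):
            raise TypeError("cookie callback must return bytes")
        if len(cookie) > DTLS1_COOKIE_LENGTH:
            raise ValueError(
                f"cookie is {len(cookie)} bytes; DTLS1_COOKIE_LENGTH is {DTLS1_COOKIE_LENGTH}"
            )
        return bytes(cookie)
    return guarded


def oversized_cookie_callback(addr: tuple[str, int]) -> bytes:
    """Deliberately broken callback: 300 bytes, longer than the native buffer."""
    return b"\x41" * 300


if __name__ == "__main__":
    secret = os.urandom(32)                 # per-process secret; rotate in production
    client = ("192.0.2.10", 5684)           # constructed client address
    cookie = make_cookie(client, secret, now=1_000_000)
    print(len(cookie), verify_cookie(cookie, client, secret, now=1_000_030))
    print(verify_cookie(cookie, ("192.0.2.11", 5684), secret, now=1_000_030))
    try:
        bounded(oversized_cookie_callback)(client)
    except ValueError as exc:
        print("rejected:", exc)
```

Even with the library fix in place, wrapping the callback in `bounded` keeps the failure a clean Python error on older pyOpenSSL builds, and the fixed-length construction means the bound is never a matter of runtime luck.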
github-actions Bot (Contributor) commented May 4, 2026

MLCommons CLA bot: All contributors have signed the MLCommons CLA ✍️ ✅

dependabot Bot (Contributor, Author) commented on behalf of github, May 5, 2026

Superseded by #687.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/pip/cli/pip-a02adc5ce3 branch May 5, 2026 12:03
@github-actions github-actions Bot locked and limited conversation to collaborators May 5, 2026