Skip to content

chore(deps): bump gradio from 6.13.0 to 6.15.0 in /envs/agent_world_model_env#900

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/agent_world_model_env/gradio-6.15.0
Closed

chore(deps): bump gradio from 6.13.0 to 6.15.0 in /envs/agent_world_model_env#900
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/agent_world_model_env/gradio-6.15.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps gradio from 6.13.0 to 6.15.0.

Release notes

Sourced from gradio's releases.

gradio@6.15.0

Features

Fixes

Changelog

Sourced from gradio's changelog.

6.15.0

Features

Fixes

6.14.0

Features

Fixes

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Single-line dependency constraint change with no code edits; minor version bump within Gradio 6.x, though UI behavior should be smoke-tested after upgrade.

Overview
Raises the Gradio floor in envs/agent_world_model_env/pyproject.toml from >=4.0.0 to >=6.15.0, so installs resolve to Gradio 6.15.x for the custom web UI (server/web_ui.py). No application code changes—dependency constraint only.

Reviewed by Cursor Bugbot for commit 6516d59. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [gradio](https://github.com/gradio-app/gradio) from 6.13.0 to 6.15.0.
- [Release notes](https://github.com/gradio-app/gradio/releases)
- [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.13.0...gradio@6.15.0)

---
updated-dependencies:
- dependency-name: gradio
  dependency-version: 6.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 2, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 2, 2026 — with Cursor
@bot-ci-comment

bot-ci-comment Bot commented Jul 2, 2026

Copy link
Copy Markdown

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alignment Review Report

Dependabot bump gradio 6.13.0 → 6.15.0 in envs/agent_world_model_env/. Touches pyproject.toml (direct-dep floor) and uv.lock.

Automated Checks

  • Lint: PASS (for this PR). No .py files change here, so nothing PR-specific to lint. ruff check src/ tests/ passes; ruff format flags 20 pre-existing reformat candidates but all are in other envs (chat_env, opencode_env, terminus_env, …) — none in agent_world_model_env. (.claude/hooks/lint.sh needs uv, which wasn't preinstalled in the review VM; I installed uv 0.11.26 to run the checks.)
  • Debug code: CLEAN (for this PR). check-debug.sh scans only src/; every hit is pre-existing (CLI/doctest prints, deferred-serve TODOs) and unrelated to this env-only change.
  • Lockfile: consistent + hash-verified. uv lock --check passes. gradio 6.15.0 sdist/wheel sha256 + sizes match the published PyPI artifacts, and hashes remain throughout (2747), so installs stay hash-pinned. requires-python = ">=3.10" satisfies gradio 6.15.0 (>=3.10). Package set is unchanged (only gradio's version moved; no adds/removes).

Open RFCs Context

All RFCs are early-stage — 000/001/002/003/005 In Review, 010 Draft, 004 has no status header. None cover Python packaging, dependency management, or package-index selection, so there is no RFC surface for this change.

Tier 1: Fixes Required

  • None. No code changed; the lockfile is internally consistent and hash-verified; no lint/debug/security regressions are introduced.

Tier 2: Alignment Discussion

Process / repo-policy conflict (headline)

ALIGNMENT FLAG: A native Dependabot PR modifies envs/**, which repo config deliberately excludes.

  • Policy at stake: .github/dependabot.yml scopes the uv updater to directory: "/" with exclude-paths: ["envs/**"]. This was a deliberate, repeated decision — 5f499da9 "chore: stop dependabot in envs (#566)", 62a81aa0 (#577), b4a57fb9 "Match Dependabot root-only config (#644)".
  • The concern: This PR's branch (dependabot/uv/envs/agent_world_model_env/…, a native Dependabot branch) edits envs/agent_world_model_env/pyproject.toml + uv.lock anyway, so the exclude-paths guard is not actually keeping Dependabot out of envs/. Reviewers should decide whether to close this (in favor of the intended root-only / aggregate path) and/or fix the exclusion so native env bumps stop being opened.
  • Suggested reviewer: @burtenshaw (author of the Dependabot-scoping commits)

Principle conflicts

ALIGNMENT FLAG: The whole lockfile's package index flips from the HF internal mirror to public PyPI.

  • Principle at stake: PRINCIPLES.md "Container isolation for reproducibility and security" (declared provenance of dependencies).
  • The concern: Beyond the gradio bump, all 174 source = { registry = … } entries flip https://pypi.registries.huggingface.tech/https://pypi.org/simple (and revision 2→3). 29 other env locks still pin the HF mirror vs only 6 on pypi.org, so this widens a cross-env split. No committed config pins either index (the mirror URL appears only inside uv.lock files — not in dependabot.yml, root pyproject, CI, or docs), so this is just Dependabot re-resolving against public PyPI. Likely benign — artifact URLs stay files.pythonhosted.org and hashes are intact — but it silently changes declared provenance, and the two indexes are not identical (the re-resolution also dropped 6 greenlet s390x wheels; harmless for x86_64/arm64 deploy targets). Worth a deliberate team call on the canonical index rather than letting bots flip it per-PR. Please don't hand-revert — index choice is a team decision.
  • Suggested reviewer: @Darktex (author of the reproducibility principle), cc @burtenshaw

RFC conflicts

None identified.

Summary

  • 0 mechanical issues to fix (Tier 1)
  • 2 alignment points for human review (Dependabot-in-envs/ policy bypass; whole-lock index flip)
  • 0 RFC conflicts

Non-blocking notes: (1) The pyproject.toml floor gradio>=4.0.0 → >=6.15.0 is expected here because gradio is a direct dep of this env (used by server/web_ui.py); the env already resolved to gradio 6.13.0, so the effective change is a low-risk 6.13→6.15 minor bump (not a security fix). (2) revision = 3 requires the deploy base image's uv to be new enough to read lock revision 3 (Dockerfile installs via uv sync --frozen).

Open in Web View Automation 

Sent by Cursor Automation: Pre-review

"mcp-agent==0.2.6",
# Used by the custom Gradio web UI (server/web_ui.py).
"gradio>=4.0.0",
"gradio>=6.15.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Floor raised gradio>=4.0.0 → >=6.15.0. This is expected for a direct dependency bump (gradio powers server/web_ui.py), and the env already resolved to gradio 6.13.0, so the real-world change is a low-risk 6.13→6.15 minor bump.

Heads-up though: this file lives under envs/**, which .github/dependabot.yml intends to exclude from the uv updater (exclude-paths: ["envs/**"], added in #566/#644). A native Dependabot PR editing it means that guard isn't holding — see the process flag in the review summary. cc @burtenshaw

@@ -61,7 +61,7 @@ provides-extras = ["dev"]
[[package]]
name = "aiofile"
version = "3.9.0"
source = { registry = "https://pypi.registries.huggingface.tech/" }
source = { registry = "https://pypi.org/simple" }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First of 174 entries where this PR flips the package index pypi.registries.huggingface.techpypi.org/simple (paired with revision 2→3 at line 2). This is much broader than the gradio bump and diverges from the 29 other env locks still on the HF mirror.

Artifact URLs stay on files.pythonhosted.org and hashes are intact, so it's likely benign, but it changes the declared provenance of every dependency. Flagging for a deliberate decision on the canonical index (reproducibility principle) — please don't hand-edit the lock to revert, that's a team call. cc @Darktex @burtenshaw

@burtenshaw

Copy link
Copy Markdown
Collaborator

Superseded by aggregate maintainer PR #902.

@burtenshaw burtenshaw closed this Jul 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/envs/agent_world_model_env/gradio-6.15.0 branch July 2, 2026 07:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies environment python:uv Pull requests that update python:uv code size: small Small pull request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant