chore(deps): bump gradio from 6.13.0 to 6.15.0 in /envs/agent_world_model_env#900
chore(deps): bump gradio from 6.13.0 to 6.15.0 in /envs/agent_world_model_env#900dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [gradio](https://github.com/gradio-app/gradio) from 6.13.0 to 6.15.0. - [Release notes](https://github.com/gradio-app/gradio/releases) - [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md) - [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.13.0...gradio@6.15.0) --- updated-dependencies: - dependency-name: gradio dependency-version: 6.15.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
There was a problem hiding this comment.
Alignment Review Report
Dependabot bump gradio 6.13.0 → 6.15.0 in envs/agent_world_model_env/. Touches pyproject.toml (direct-dep floor) and uv.lock.
Automated Checks
- Lint: PASS (for this PR). No
.pyfiles change here, so nothing PR-specific to lint.ruff check src/ tests/passes;ruff formatflags 20 pre-existing reformat candidates but all are in other envs (chat_env, opencode_env, terminus_env, …) — none inagent_world_model_env. (.claude/hooks/lint.shneedsuv, which wasn't preinstalled in the review VM; I installed uv 0.11.26 to run the checks.) - Debug code: CLEAN (for this PR).
check-debug.shscans onlysrc/; every hit is pre-existing (CLI/doctest prints, deferred-serveTODOs) and unrelated to this env-only change. - Lockfile: consistent + hash-verified.
uv lock --checkpasses. gradio 6.15.0 sdist/wheel sha256 + sizes match the published PyPI artifacts, and hashes remain throughout (2747), so installs stay hash-pinned.requires-python = ">=3.10"satisfies gradio 6.15.0 (>=3.10). Package set is unchanged (only gradio's version moved; no adds/removes).
Open RFCs Context
All RFCs are early-stage — 000/001/002/003/005 In Review, 010 Draft, 004 has no status header. None cover Python packaging, dependency management, or package-index selection, so there is no RFC surface for this change.
Tier 1: Fixes Required
- None. No code changed; the lockfile is internally consistent and hash-verified; no lint/debug/security regressions are introduced.
Tier 2: Alignment Discussion
Process / repo-policy conflict (headline)
ALIGNMENT FLAG: A native Dependabot PR modifies envs/**, which repo config deliberately excludes.
- Policy at stake:
.github/dependabot.ymlscopes theuvupdater todirectory: "/"withexclude-paths: ["envs/**"]. This was a deliberate, repeated decision —5f499da9"chore: stop dependabot in envs (#566)",62a81aa0(#577),b4a57fb9"Match Dependabot root-only config (#644)". - The concern: This PR's branch (
dependabot/uv/envs/agent_world_model_env/…, a native Dependabot branch) editsenvs/agent_world_model_env/pyproject.toml+uv.lockanyway, so theexclude-pathsguard is not actually keeping Dependabot out ofenvs/. Reviewers should decide whether to close this (in favor of the intended root-only / aggregate path) and/or fix the exclusion so native env bumps stop being opened. - Suggested reviewer: @burtenshaw (author of the Dependabot-scoping commits)
Principle conflicts
ALIGNMENT FLAG: The whole lockfile's package index flips from the HF internal mirror to public PyPI.
- Principle at stake: PRINCIPLES.md "Container isolation for reproducibility and security" (declared provenance of dependencies).
- The concern: Beyond the gradio bump, all 174
source = { registry = … }entries fliphttps://pypi.registries.huggingface.tech/→https://pypi.org/simple(andrevision2→3). 29 other env locks still pin the HF mirror vs only 6 on pypi.org, so this widens a cross-env split. No committed config pins either index (the mirror URL appears only insideuv.lockfiles — not independabot.yml, rootpyproject, CI, or docs), so this is just Dependabot re-resolving against public PyPI. Likely benign — artifact URLs stayfiles.pythonhosted.organd hashes are intact — but it silently changes declared provenance, and the two indexes are not identical (the re-resolution also dropped 6greenlets390x wheels; harmless for x86_64/arm64 deploy targets). Worth a deliberate team call on the canonical index rather than letting bots flip it per-PR. Please don't hand-revert — index choice is a team decision. - Suggested reviewer: @Darktex (author of the reproducibility principle), cc @burtenshaw
RFC conflicts
None identified.
Summary
- 0 mechanical issues to fix (Tier 1)
- 2 alignment points for human review (Dependabot-in-
envs/policy bypass; whole-lock index flip) - 0 RFC conflicts
Non-blocking notes: (1) The pyproject.toml floor gradio>=4.0.0 → >=6.15.0 is expected here because gradio is a direct dep of this env (used by server/web_ui.py); the env already resolved to gradio 6.13.0, so the effective change is a low-risk 6.13→6.15 minor bump (not a security fix). (2) revision = 3 requires the deploy base image's uv to be new enough to read lock revision 3 (Dockerfile installs via uv sync --frozen).
Sent by Cursor Automation: Pre-review
| "mcp-agent==0.2.6", | ||
| # Used by the custom Gradio web UI (server/web_ui.py). | ||
| "gradio>=4.0.0", | ||
| "gradio>=6.15.0", |
There was a problem hiding this comment.
Floor raised gradio>=4.0.0 → >=6.15.0. This is expected for a direct dependency bump (gradio powers server/web_ui.py), and the env already resolved to gradio 6.13.0, so the real-world change is a low-risk 6.13→6.15 minor bump.
Heads-up though: this file lives under envs/**, which .github/dependabot.yml intends to exclude from the uv updater (exclude-paths: ["envs/**"], added in #566/#644). A native Dependabot PR editing it means that guard isn't holding — see the process flag in the review summary. cc @burtenshaw
| @@ -61,7 +61,7 @@ provides-extras = ["dev"] | |||
| [[package]] | |||
| name = "aiofile" | |||
| version = "3.9.0" | |||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | |||
| source = { registry = "https://pypi.org/simple" } | |||
There was a problem hiding this comment.
First of 174 entries where this PR flips the package index pypi.registries.huggingface.tech → pypi.org/simple (paired with revision 2→3 at line 2). This is much broader than the gradio bump and diverges from the 29 other env locks still on the HF mirror.
Artifact URLs stay on files.pythonhosted.org and hashes are intact, so it's likely benign, but it changes the declared provenance of every dependency. Flagging for a deliberate decision on the canonical index (reproducibility principle) — please don't hand-edit the lock to revert, that's a team call. cc @Darktex @burtenshaw
|
Superseded by aggregate maintainer PR #902. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |


Bumps gradio from 6.13.0 to 6.15.0.
Release notes
Sourced from gradio's releases.
Changelog
Sourced from gradio's changelog.
Commits
0528c2cchore: update versions (#13352)6a0b417Stabilize image editor examples test (#13418)51497aedocs: add MiniMax example to ChatInterface providers guide (#13411)9acecd2Warn when gr.Tabs() has non-Tab direct children (#9832) (#13383)6b0c8afMarkdown link fix (#13408)df56862[js-client] close submit iterator on next/close race (#13403)1cbeb4fCi previews cdn (#13410)0fbdc49JS client cdn preview (#13409)14c8870Add UploadButton unit tests (#13336)10f43e0Offload traffic to static workers and use node as the proxy (#13366)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Single-line dependency constraint change with no code edits; minor version bump within Gradio 6.x, though UI behavior should be smoke-tested after upgrade.
Overview
Raises the Gradio floor in
envs/agent_world_model_env/pyproject.tomlfrom>=4.0.0to>=6.15.0, so installs resolve to Gradio 6.15.x for the custom web UI (server/web_ui.py). No application code changes—dependency constraint only.Reviewed by Cursor Bugbot for commit 6516d59. Bugbot is set up for automated code reviews on this repo. Configure here.