Skip to content

chore(deps): bump gradio from 6.9.0 to 6.15.0 in /envs/echo_env#901

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/echo_env/gradio-6.15.0
Closed

chore(deps): bump gradio from 6.9.0 to 6.15.0 in /envs/echo_env#901
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/echo_env/gradio-6.15.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps gradio from 6.9.0 to 6.15.0.

Release notes

Sourced from gradio's releases.

gradio@6.15.0

Features

Fixes

Changelog

Sourced from gradio's changelog.

6.15.0

Features

Fixes

6.14.0

Features

Fixes

6.13.0

Features

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Upgrades the Gradio UI stack used by echo_env with no app code changes; verify Gradio-based flows still work. Registry URL changes affect install source but not runtime logic.

Overview
Updates envs/echo_env/uv.lock only: bumps gradio from 6.9.0 to 6.15.0 and gradio-client from 2.3.0 to 2.5.0, and refreshes the resolved graph for that env.

The lockfile also switches package registry entries from the Hugging Face PyPI mirror to https://pypi.org/simple, and adjusts Gradio’s transitive deps: hf-gradio 0.4.1 is added, while aiofiles and ffmpy drop out of the Gradio dependency list (aligned with upstream 6.15 packaging).

Reviewed by Cursor Bugbot for commit 985b4d3. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [gradio](https://github.com/gradio-app/gradio) from 6.9.0 to 6.15.0.
- [Release notes](https://github.com/gradio-app/gradio/releases)
- [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.9.0...gradio@6.15.0)

---
updated-dependencies:
- dependency-name: gradio
  dependency-version: 6.15.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 2, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 2, 2026 — with Cursor
@bot-ci-comment

bot-ci-comment Bot commented Jul 2, 2026

Copy link
Copy Markdown

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alignment Review Report

PR #901chore(deps): bump gradio 6.9.0 → 6.15.0 in /envs/echo_env (Dependabot). The diff is envs/echo_env/uv.lock only — a generated lockfile, 0 .py/API changes.

Automated Checks

  • Lint: N/A.claude/hooks/lint.sh lints Python only (src/ tests/ envs/) and this diff changes no .py files, so no formatting/lint regression is possible. (The hook also couldn't execute in this review VM because uv isn't installed there.)
  • Debug code: CLEANcheck-debug.sh matches (prints/TODOs in src/openenv/core/mcp_client.py, src/openenv/cli/…) are all pre-existing files untouched by this PR.

Open RFCs Context

000/001/002/003/005 = In Review, 010-echo-env-token-world-model = Draft (004 has no status header). None cover Python packaging or dependency indexes. RFC 010 concerns echo_env's token/world-model design, which a transitive lockfile bump does not touch. → No RFC relevance.

Dependency verification (lock-only)

  • gradio is transitive via openenv's optional Gradio web UI — echo_env pyproject.toml pins only openenv/fastapi/pydantic/uvicorn/requests (no gradio). Lock-only is correct; no pyproject.toml edit needed. (Note: echo_env's Dockerfile sets ENABLE_WEB_INTERFACE=true, so the UI is actually used at runtime.)
  • Correct, consistent dep changes for gradio 6.15.0: gradio-client 2.3.0 → 2.5.0; adds hf-gradio 0.4.1 (gradio now requires >=0.4.1); drops aiofiles and ffmpy (no longer gradio deps).
  • Hashes/sizes match PyPI (verified) for gradio, gradio-client, and hf-gradio; all requires-python >=3.10, not yanked, no known vulns. Neutral maintenance bump (not a security fix).

Tier 1: Fixes Required

None. Generated lockfile; unchanged packages are byte-identical (only source metadata changed) — no syntax/type/import/security issues.

Tier 2: Alignment Discussion

Principle Conflicts

ALIGNMENT FLAG: Lockfile silently re-points all 124 packages from the internal HF mirror to public PyPI (scope creep beyond a gradio bump)

  • Principle at stake: reproducibility / dependency provenance (PRINCIPLES.md — "Performance for isolation… acceptable for reproducibility").
  • The concern: Beyond gradio, every source = { registry = "https://pypi.registries.huggingface.tech/" } was rewritten to https://pypi.org/simple (base 125 mirror → new 124 pypi.org, 0 mirror left). Dependabot regenerated the lock against public PyPI. Likely benign — all artifact URLs stay files.pythonhosted.org and every unchanged package's hash is identical (verified: no artifact line changed outside the bumped/removed pkgs) — but it makes echo_env the lone outlier (the other 29 env locks still use the HF mirror) and silently changes declared provenance. Worth a deliberate decision on the canonical index rather than per-PR drift. Please don't hand-edit the lock to revert — registry choice is a team call and can't be re-locked without the HF index.
  • Suggested reviewers: @Darktex (reproducibility), @burtenshaw (dependency/index setup)

RFC Conflicts

None identified.

Additional notes (not Tier 1/2)

  • Dependabot config mismatch (cc @burtenshaw): .github/dependabot.yml configures the uv updater with directory: "/" + exclude-paths: ["envs/**"], yet this native dependabot/uv/envs/echo_env/… PR still edits envs/echo_env/uv.lock. Either the exclusion isn't taking effect or these native env PRs are unintended noise. (Aggregate codex/dependabot-envs-* roll-ups are the intended path.)
  • Lockfile revision 2 → 3: requires uv ≥ 0.8. This PR's CI (validate-env-locks, uv 0.9.3) is fine. Heads-up: the echo_env Docker/HF-Space build uses openenv-base, whose source pins uv 0.5.27 and only installs a newer uv if none is present, so a rebuild could fail to parse a revision-3 lock. docker-build.yml won't fire on a uv.lock-only change (it triggers on Dockerfile/*.py), so this is latent, and 5 other envs already ship revision 3 — worth confirming the base image's uv handles it.

Summary

  • 0 mechanical issues to fix
  • 1 alignment point for human review (index-source flip → canonical-index decision)
  • 0 RFC conflicts
  • Plus 2 non-blocking notes (dependabot exclude-paths mismatch; lock revision 2→3 vs base-image uv 0.5.27)

Verdict: benign, correct transitive lock-only bump. No blockers — the one item that needs a human is the whole-file index-source flip.

Open in Web View Automation 

Sent by Cursor Automation: Pre-review

Comment thread envs/echo_env/uv.lock
version = "6.9.0"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "6.15.0"
source = { registry = "https://pypi.org/simple" }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Index-source flip — Tier 2 (likely benign, but out of scope). This PR rewrites the source of all 124 packages from the internal mirror https://pypi.registries.huggingface.tech/ to public PyPI (https://pypi.org/simple): base 125 mirror entries → 124 pypi.org, 0 mirror left. Verified benign — artifact URLs stay files.pythonhosted.org and unchanged packages' hashes are identical (no artifact line changed outside the bumped/removed pkgs). But the other 29 env lockfiles still use the HF mirror, so this makes echo_env the outlier and silently changes declared provenance. Suggest a deliberate call on the canonical index rather than per-PR drift; don't hand-revert the lock. cc @Darktex @burtenshaw

Comment thread envs/echo_env/uv.lock
@@ -1,5 +1,5 @@
version = 1
revision = 2
revision = 3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile revision 2 → 3 (requires uv ≥ 0.8). PR CI validate-env-locks uses uv 0.9.3, so it passes. Heads-up: the echo_env Docker / HF-Space build uses openenv-base, whose source Dockerfile pins uv 0.5.27 and only installs a newer uv if none is present — a rebuild could fail to parse a revision-3 lock. docker-build.yml won't fire on a uv.lock-only change (it triggers on Dockerfile/*.py), so this is latent; still worth confirming the base image's uv handles revision 3.

Comment thread envs/echo_env/uv.lock
name = "gradio"
version = "6.9.0"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "6.15.0"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified: gradio is transitive via openenv's Gradio web UI (no pin in echo_env pyproject.toml), so a lock-only bump is correct. sdist dce1…270b (36,424,891 B) and wheel c71b…9fc8 (20,091,423 B) match PyPI; requires-python >=3.10; not yanked; no known vulns. Neutral maintenance bump.

Comment thread envs/echo_env/uv.lock
]

[[package]]
name = "hf-gradio"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New transitive dep hf-gradio 0.4.1 is required by gradio 6.15.0 (>=0.4.1) — correctly added alongside gradio-client 2.5.0, with aiofiles/ffmpy correctly dropped (no longer gradio deps). Hashes match PyPI (sdist a017…fa7b, wheel 76b8…eab3).

@burtenshaw

Copy link
Copy Markdown
Collaborator

Superseded by aggregate maintainer PR #902.

@burtenshaw burtenshaw closed this Jul 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/envs/echo_env/gradio-6.15.0 branch July 2, 2026 07:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies environment python:uv Pull requests that update python:uv code size: small Small pull request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant