chore(deps): bump gradio from 6.9.0 to 6.15.0 in /envs/echo_env#901
chore(deps): bump gradio from 6.9.0 to 6.15.0 in /envs/echo_env#901dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [gradio](https://github.com/gradio-app/gradio) from 6.9.0 to 6.15.0. - [Release notes](https://github.com/gradio-app/gradio/releases) - [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md) - [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.9.0...gradio@6.15.0) --- updated-dependencies: - dependency-name: gradio dependency-version: 6.15.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
There was a problem hiding this comment.
Alignment Review Report
PR #901 — chore(deps): bump gradio 6.9.0 → 6.15.0 in /envs/echo_env (Dependabot). The diff is envs/echo_env/uv.lock only — a generated lockfile, 0 .py/API changes.
Automated Checks
- Lint: N/A —
.claude/hooks/lint.shlints Python only (src/ tests/ envs/) and this diff changes no.pyfiles, so no formatting/lint regression is possible. (The hook also couldn't execute in this review VM becauseuvisn't installed there.) - Debug code: CLEAN —
check-debug.shmatches (prints/TODOs insrc/openenv/core/mcp_client.py,src/openenv/cli/…) are all pre-existing files untouched by this PR.
Open RFCs Context
000/001/002/003/005 = In Review, 010-echo-env-token-world-model = Draft (004 has no status header). None cover Python packaging or dependency indexes. RFC 010 concerns echo_env's token/world-model design, which a transitive lockfile bump does not touch. → No RFC relevance.
Dependency verification (lock-only)
- gradio is transitive via
openenv's optional Gradio web UI — echo_envpyproject.tomlpins onlyopenenv/fastapi/pydantic/uvicorn/requests(no gradio). Lock-only is correct; nopyproject.tomledit needed. (Note: echo_env's Dockerfile setsENABLE_WEB_INTERFACE=true, so the UI is actually used at runtime.) - Correct, consistent dep changes for gradio 6.15.0:
gradio-client2.3.0 → 2.5.0; addshf-gradio0.4.1 (gradio now requires>=0.4.1); dropsaiofilesandffmpy(no longer gradio deps). - Hashes/sizes match PyPI (verified) for gradio, gradio-client, and hf-gradio; all
requires-python >=3.10, not yanked, no known vulns. Neutral maintenance bump (not a security fix).
Tier 1: Fixes Required
None. Generated lockfile; unchanged packages are byte-identical (only source metadata changed) — no syntax/type/import/security issues.
Tier 2: Alignment Discussion
Principle Conflicts
ALIGNMENT FLAG: Lockfile silently re-points all 124 packages from the internal HF mirror to public PyPI (scope creep beyond a gradio bump)
- Principle at stake: reproducibility / dependency provenance (PRINCIPLES.md — "Performance for isolation… acceptable for reproducibility").
- The concern: Beyond gradio, every
source = { registry = "https://pypi.registries.huggingface.tech/" }was rewritten tohttps://pypi.org/simple(base 125 mirror → new 124 pypi.org, 0 mirror left). Dependabot regenerated the lock against public PyPI. Likely benign — all artifact URLs stayfiles.pythonhosted.organd every unchanged package's hash is identical (verified: no artifact line changed outside the bumped/removed pkgs) — but it makesecho_envthe lone outlier (the other 29 env locks still use the HF mirror) and silently changes declared provenance. Worth a deliberate decision on the canonical index rather than per-PR drift. Please don't hand-edit the lock to revert — registry choice is a team call and can't be re-locked without the HF index. - Suggested reviewers: @Darktex (reproducibility), @burtenshaw (dependency/index setup)
RFC Conflicts
None identified.
Additional notes (not Tier 1/2)
- Dependabot config mismatch (cc @burtenshaw):
.github/dependabot.ymlconfigures theuvupdater withdirectory: "/"+exclude-paths: ["envs/**"], yet this nativedependabot/uv/envs/echo_env/…PR still editsenvs/echo_env/uv.lock. Either the exclusion isn't taking effect or these native env PRs are unintended noise. (Aggregatecodex/dependabot-envs-*roll-ups are the intended path.) - Lockfile
revision2 → 3: requires uv ≥ 0.8. This PR's CI (validate-env-locks, uv 0.9.3) is fine. Heads-up: the echo_env Docker/HF-Space build usesopenenv-base, whose source pins uv 0.5.27 and only installs a newer uv if none is present, so a rebuild could fail to parse a revision-3 lock.docker-build.ymlwon't fire on auv.lock-only change (it triggers on Dockerfile/*.py), so this is latent, and 5 other envs already ship revision 3 — worth confirming the base image's uv handles it.
Summary
- 0 mechanical issues to fix
- 1 alignment point for human review (index-source flip → canonical-index decision)
- 0 RFC conflicts
- Plus 2 non-blocking notes (dependabot
exclude-pathsmismatch; lock revision 2→3 vs base-image uv 0.5.27)
Verdict: benign, correct transitive lock-only bump. No blockers — the one item that needs a human is the whole-file index-source flip.
Sent by Cursor Automation: Pre-review
| version = "6.9.0" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "6.15.0" | ||
| source = { registry = "https://pypi.org/simple" } |
There was a problem hiding this comment.
Index-source flip — Tier 2 (likely benign, but out of scope). This PR rewrites the source of all 124 packages from the internal mirror https://pypi.registries.huggingface.tech/ to public PyPI (https://pypi.org/simple): base 125 mirror entries → 124 pypi.org, 0 mirror left. Verified benign — artifact URLs stay files.pythonhosted.org and unchanged packages' hashes are identical (no artifact line changed outside the bumped/removed pkgs). But the other 29 env lockfiles still use the HF mirror, so this makes echo_env the outlier and silently changes declared provenance. Suggest a deliberate call on the canonical index rather than per-PR drift; don't hand-revert the lock. cc @Darktex @burtenshaw
| @@ -1,5 +1,5 @@ | |||
| version = 1 | |||
| revision = 2 | |||
| revision = 3 | |||
There was a problem hiding this comment.
Lockfile revision 2 → 3 (requires uv ≥ 0.8). PR CI validate-env-locks uses uv 0.9.3, so it passes. Heads-up: the echo_env Docker / HF-Space build uses openenv-base, whose source Dockerfile pins uv 0.5.27 and only installs a newer uv if none is present — a rebuild could fail to parse a revision-3 lock. docker-build.yml won't fire on a uv.lock-only change (it triggers on Dockerfile/*.py), so this is latent; still worth confirming the base image's uv handles revision 3.
| name = "gradio" | ||
| version = "6.9.0" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "6.15.0" |
There was a problem hiding this comment.
Verified: gradio is transitive via openenv's Gradio web UI (no pin in echo_env pyproject.toml), so a lock-only bump is correct. sdist dce1…270b (36,424,891 B) and wheel c71b…9fc8 (20,091,423 B) match PyPI; requires-python >=3.10; not yanked; no known vulns. Neutral maintenance bump.
| ] | ||
|
|
||
| [[package]] | ||
| name = "hf-gradio" |
There was a problem hiding this comment.
New transitive dep hf-gradio 0.4.1 is required by gradio 6.15.0 (>=0.4.1) — correctly added alongside gradio-client 2.5.0, with aiofiles/ffmpy correctly dropped (no longer gradio deps). Hashes match PyPI (sdist a017…fa7b, wheel 76b8…eab3).
|
Superseded by aggregate maintainer PR #902. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |


Bumps gradio from 6.9.0 to 6.15.0.
Release notes
Sourced from gradio's releases.
Changelog
Sourced from gradio's changelog.
... (truncated)
Commits
0528c2cchore: update versions (#13352)6a0b417Stabilize image editor examples test (#13418)51497aedocs: add MiniMax example to ChatInterface providers guide (#13411)9acecd2Warn when gr.Tabs() has non-Tab direct children (#9832) (#13383)6b0c8afMarkdown link fix (#13408)df56862[js-client] close submit iterator on next/close race (#13403)1cbeb4fCi previews cdn (#13410)0fbdc49JS client cdn preview (#13409)14c8870Add UploadButton unit tests (#13336)10f43e0Offload traffic to static workers and use node as the proxy (#13366)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Upgrades the Gradio UI stack used by echo_env with no app code changes; verify Gradio-based flows still work. Registry URL changes affect install source but not runtime logic.
Overview
Updates
envs/echo_env/uv.lockonly: bumps gradio from 6.9.0 to 6.15.0 and gradio-client from 2.3.0 to 2.5.0, and refreshes the resolved graph for that env.The lockfile also switches package registry entries from the Hugging Face PyPI mirror to
https://pypi.org/simple, and adjusts Gradio’s transitive deps:hf-gradio0.4.1 is added, whileaiofilesandffmpydrop out of the Gradio dependency list (aligned with upstream 6.15 packaging).Reviewed by Cursor Bugbot for commit 985b4d3. Bugbot is set up for automated code reviews on this repo. Configure here.