Skip to content

Commit a3aa26f

Browse files
authored
Merge branch 'main' into add/nebius-cloud
2 parents 7f4b4d9 + 0b9495a commit a3aa26f

10 files changed

Lines changed: 1163 additions & 165 deletions

File tree

.github/dependabot.yml

Lines changed: 159 additions & 110 deletions
Original file line numberDiff line numberDiff line change
@@ -1,176 +1,225 @@
11
version: 2
22
updates:
33
# Root Electron + React app
4-
- package-ecosystem: "npm"
5-
directory: "/"
4+
- package-ecosystem: 'npm'
5+
directory: '/'
66
schedule:
7-
interval: "weekly"
8-
day: "monday"
7+
interval: 'weekly'
8+
day: 'monday'
99
open-pull-requests-limit: 10
1010
groups:
1111
minor-and-patch:
1212
update-types:
13-
- "minor"
14-
- "patch"
13+
- 'minor'
14+
- 'patch'
1515
ignore:
1616
# @nivo/* is pre-1.0 and each minor can ship breaking changes. 0.99.0 broke `<Bar>`
1717
# elements. Hold the nivo packages at 0.88.0 until they're upgraded deliberately.
1818
# See PR #2091 (reverted by dadmobile).
19-
- dependency-name: "@nivo/bar"
20-
versions: [">0.88.0"]
21-
- dependency-name: "@nivo/core"
22-
versions: [">0.88.0"]
23-
- dependency-name: "@nivo/line"
24-
versions: [">0.88.0"]
25-
- dependency-name: "@nivo/radar"
26-
versions: [">0.88.0"]
19+
- dependency-name: '@nivo/bar'
20+
versions: ['>0.88.0']
21+
- dependency-name: '@nivo/core'
22+
versions: ['>0.88.0']
23+
- dependency-name: '@nivo/line'
24+
versions: ['>0.88.0']
25+
- dependency-name: '@nivo/radar'
26+
versions: ['>0.88.0']
2727
# lucide-react is imported in ~78 renderer components. The 1.0 line is an ESM-only
2828
# rewrite (`.mjs` bundles, RSC/dynamic-import reshuffles) and lucide ships icon
2929
# renames as plain minors on the 0.x line, so neither `semver-major` gating nor
3030
# the grouped minor/patch flow is safe here. Hold at 0.477.0 and bump deliberately
3131
# with a build + smoke test of icon-heavy pages (ModelZoo, Settings, Welcome,
3232
# Team). See PR #2174.
33-
- dependency-name: "lucide-react"
34-
versions: [">0.477.0"]
33+
- dependency-name: 'lucide-react'
34+
versions: ['>0.477.0']
3535
# React 19 is a major API change (ref-as-prop, removed legacy APIs, new JSX
3636
# transform). `react`, `react-dom`, and their @types must move together, and
3737
# @testing-library/react must move in lockstep (see below). Hold the whole
3838
# React family at 18.x until a coordinated migration. See PR #2126.
39-
- dependency-name: "react"
40-
versions: [">=19"]
41-
- dependency-name: "react-dom"
42-
versions: [">=19"]
43-
- dependency-name: "@types/react"
44-
versions: [">=19"]
45-
- dependency-name: "@types/react-dom"
46-
versions: [">=19"]
39+
- dependency-name: 'react'
40+
versions: ['>=19']
41+
- dependency-name: 'react-dom'
42+
versions: ['>=19']
43+
- dependency-name: '@types/react'
44+
versions: ['>=19']
45+
- dependency-name: '@types/react-dom'
46+
versions: ['>=19']
4747
# @testing-library/react v15 dropped React 17 and v16 requires React 19. Bundle
4848
# this with the React 19 migration. See PR #2127.
49-
- dependency-name: "@testing-library/react"
50-
versions: [">=15"]
49+
- dependency-name: '@testing-library/react'
50+
versions: ['>=15']
5151
# jest-environment-jsdom v30 requires jest@30; we're on jest@29. Hold until a
5252
# coordinated jest 30 upgrade (which also affects ts-jest, @types/jest, etc.).
5353
# See PR #2130.
54-
- dependency-name: "jest-environment-jsdom"
55-
versions: [">=30"]
54+
- dependency-name: 'jest-environment-jsdom'
55+
versions: ['>=30']
5656
# @types/node majors track Node runtime majors. We're pinned to Node 22 (see
5757
# CLAUDE.md; conda env, scripts/dev.py, CI), and the renderer doesn't import
5858
# Node builtins directly — only build tooling under .erb/ and scripts/ does.
5959
# Holding at 22.x avoids a recurring PR with zero security exposure (types-only
6060
# package). Lift this in lockstep when Node itself moves.
61-
- dependency-name: "@types/node"
62-
versions: [">=23"]
61+
- dependency-name: '@types/node'
62+
versions: ['>=23']
6363
# Webpack loader / CLI family. These churn constantly and each major typically
6464
# requires coordinated changes across .erb/configs/* (webpack 5 config shape,
6565
# asset modules, postcss override compatibility — see the `overrides` note in
6666
# package.json). We're not chasing the bleeding edge on the build toolchain;
6767
# security fixes still land via minor/patch. Bump these deliberately as a
6868
# single toolchain-upgrade PR when it's worth a focused day.
69-
- dependency-name: "webpack-cli"
70-
update-types: ["version-update:semver-major"]
71-
- dependency-name: "webpack-dev-server"
72-
update-types: ["version-update:semver-major"]
73-
- dependency-name: "webpack-merge"
74-
update-types: ["version-update:semver-major"]
75-
- dependency-name: "webpack-bundle-analyzer"
76-
update-types: ["version-update:semver-major"]
77-
- dependency-name: "css-loader"
78-
update-types: ["version-update:semver-major"]
79-
- dependency-name: "sass-loader"
80-
update-types: ["version-update:semver-major"]
81-
- dependency-name: "style-loader"
82-
update-types: ["version-update:semver-major"]
83-
- dependency-name: "postcss-loader"
84-
update-types: ["version-update:semver-major"]
85-
- dependency-name: "esbuild-loader"
86-
update-types: ["version-update:semver-major"]
69+
- dependency-name: 'webpack-cli'
70+
update-types: ['version-update:semver-major']
71+
- dependency-name: 'webpack-dev-server'
72+
update-types: ['version-update:semver-major']
73+
- dependency-name: 'webpack-merge'
74+
update-types: ['version-update:semver-major']
75+
- dependency-name: 'webpack-bundle-analyzer'
76+
update-types: ['version-update:semver-major']
77+
- dependency-name: 'css-loader'
78+
update-types: ['version-update:semver-major']
79+
- dependency-name: 'sass-loader'
80+
update-types: ['version-update:semver-major']
81+
- dependency-name: 'style-loader'
82+
update-types: ['version-update:semver-major']
83+
- dependency-name: 'postcss-loader'
84+
update-types: ['version-update:semver-major']
85+
- dependency-name: 'esbuild-loader'
86+
update-types: ['version-update:semver-major']
8787
# file-loader and url-loader are abandoned upstream (replaced by webpack 5's
8888
# built-in asset modules). No future major will be worth taking — only here
8989
# for legacy compatibility.
90-
- dependency-name: "file-loader"
91-
update-types: ["version-update:semver-major"]
92-
- dependency-name: "url-loader"
93-
update-types: ["version-update:semver-major"]
94-
- dependency-name: "mini-css-extract-plugin"
95-
update-types: ["version-update:semver-major"]
96-
- dependency-name: "css-minimizer-webpack-plugin"
97-
update-types: ["version-update:semver-major"]
98-
- dependency-name: "html-webpack-plugin"
99-
update-types: ["version-update:semver-major"]
100-
- dependency-name: "tsconfig-paths-webpack-plugin"
101-
update-types: ["version-update:semver-major"]
102-
- dependency-name: "@svgr/webpack"
103-
update-types: ["version-update:semver-major"]
104-
- dependency-name: "@pmmmwh/react-refresh-webpack-plugin"
105-
update-types: ["version-update:semver-major"]
106-
- dependency-name: "@teamsupercell/typings-for-css-modules-loader"
107-
update-types: ["version-update:semver-major"]
90+
- dependency-name: 'file-loader'
91+
update-types: ['version-update:semver-major']
92+
- dependency-name: 'url-loader'
93+
update-types: ['version-update:semver-major']
94+
- dependency-name: 'mini-css-extract-plugin'
95+
update-types: ['version-update:semver-major']
96+
- dependency-name: 'css-minimizer-webpack-plugin'
97+
update-types: ['version-update:semver-major']
98+
- dependency-name: 'html-webpack-plugin'
99+
update-types: ['version-update:semver-major']
100+
- dependency-name: 'tsconfig-paths-webpack-plugin'
101+
update-types: ['version-update:semver-major']
102+
- dependency-name: '@svgr/webpack'
103+
update-types: ['version-update:semver-major']
104+
- dependency-name: '@pmmmwh/react-refresh-webpack-plugin'
105+
update-types: ['version-update:semver-major']
106+
- dependency-name: '@teamsupercell/typings-for-css-modules-loader'
107+
update-types: ['version-update:semver-major']
108108

109109
# Docs site (Docusaurus, managed with yarn classic — dependabot's npm ecosystem auto-detects yarn.lock)
110110
# Build runs on Node 22 via transformerlab-docs/netlify.toml. Major bumps are ignored across
111111
# the board (manual coordination needed); minor/patch updates flow through for security.
112-
- package-ecosystem: "npm"
113-
directory: "/transformerlab-docs"
112+
- package-ecosystem: 'npm'
113+
directory: '/transformerlab-docs'
114114
schedule:
115-
interval: "weekly"
116-
day: "monday"
115+
interval: 'weekly'
116+
day: 'monday'
117117
open-pull-requests-limit: 5
118118
commit-message:
119-
prefix: "docs-deps"
120-
include: "scope"
119+
prefix: 'docs-deps'
120+
include: 'scope'
121121
labels:
122-
- "dependencies"
123-
- "docs"
122+
- 'dependencies'
123+
- 'docs'
124124
groups:
125125
docusaurus:
126126
patterns:
127-
- "@docusaurus/*"
128-
- "@mdx-js/*"
127+
- '@docusaurus/*'
128+
- '@mdx-js/*'
129129
react:
130130
patterns:
131-
- "react"
132-
- "react-dom"
131+
- 'react'
132+
- 'react-dom'
133133
minor-and-patch:
134134
update-types:
135-
- "minor"
136-
- "patch"
135+
- 'minor'
136+
- 'patch'
137137
ignore:
138138
# Major bumps on docs deps need manual coordination; minor/patch is enough for security.
139-
- dependency-name: "*"
140-
update-types: ["version-update:semver-major"]
139+
- dependency-name: '*'
140+
update-types: ['version-update:semver-major']
141141

142142
# API (FastAPI, managed with uv)
143-
- package-ecosystem: "uv"
144-
directory: "/api"
143+
- package-ecosystem: 'uv'
144+
directory: '/api'
145145
schedule:
146-
interval: "weekly"
147-
day: "monday"
146+
interval: 'weekly'
147+
day: 'monday'
148148
open-pull-requests-limit: 10
149149
groups:
150+
# Core web/auth stack. These packages are mostly pre-1.0 (where
151+
# "minor" bumps ship breaking changes) or tightly coupled to
152+
# fastapi+fastapi-users. A regression in any of them can break
153+
# every request through the API.
154+
#
155+
# Plan:
156+
# - take patches automatically for security coverage
157+
# - hold minor bumps for a deliberate, manual PR
158+
#
159+
# Dependabot evaluates groups in order, so this one must come before
160+
# `minor-and-patch`.
161+
core-web-stack:
162+
patterns:
163+
- 'fastapi'
164+
- 'fastapi-users'
165+
- 'httpx-oauth'
166+
- 'uvicorn'
167+
- 'aiosqlite'
168+
- 'asyncpg'
169+
- 'python-multipart'
170+
update-types:
171+
- 'patch'
150172
minor-and-patch:
151173
update-types:
152-
- "minor"
153-
- "patch"
174+
- 'minor'
175+
- 'patch'
154176
ignore:
177+
# Core web/auth stack: block all minor and major bumps so they don't
178+
# leak into the `minor-and-patch` catch-all. Patches still flow through
179+
# the `core-web-stack` group above. Minors and majors require a
180+
# deliberate, human-driven PR — see the comment on `core-web-stack`
181+
# for the rationale.
182+
- dependency-name: 'fastapi'
183+
update-types:
184+
['version-update:semver-minor', 'version-update:semver-major']
185+
- dependency-name: 'fastapi-users'
186+
update-types:
187+
['version-update:semver-minor', 'version-update:semver-major']
188+
- dependency-name: 'httpx-oauth'
189+
update-types:
190+
['version-update:semver-minor', 'version-update:semver-major']
191+
- dependency-name: 'uvicorn'
192+
update-types:
193+
['version-update:semver-minor', 'version-update:semver-major']
194+
- dependency-name: 'aiosqlite'
195+
update-types:
196+
['version-update:semver-minor', 'version-update:semver-major']
197+
- dependency-name: 'asyncpg'
198+
update-types:
199+
['version-update:semver-minor', 'version-update:semver-major']
200+
- dependency-name: 'python-multipart'
201+
update-types:
202+
['version-update:semver-minor', 'version-update:semver-major']
203+
155204
# datasets 4.x removes loading-script support (`trust_remote_code` workflows) that
156205
# several gallery training scripts rely on. Deliberately pinned to 3.x; a datasets
157206
# upgrade needs its own dedicated PR with full validation. See PR #2090.
158-
- dependency-name: "datasets"
159-
versions: [">=4"]
207+
- dependency-name: 'datasets'
208+
versions: ['>=4']
160209
# azure-mgmt-resource 25.0.0 removed/relocated `SubscriptionClient`, which our
161210
# Azure compute provider imports from `azure.mgmt.resource`. Provider health check
162211
# fails immediately on import. Revisit after refactoring the import path. See PR #2083.
163-
- dependency-name: "azure-mgmt-resource"
164-
versions: [">=25"]
212+
- dependency-name: 'azure-mgmt-resource'
213+
versions: ['>=25']
165214
# boto3 patches beyond 1.40.70 are uninstallable. Each boto3 patch pins a
166215
# matching botocore patch, and aiobotocore's compatible window in the 1.40
167216
# line is botocore>=1.40.37,<1.40.71 — so boto3 1.40.71+ (and all of 1.41.x)
168217
# fall in a dead zone aiobotocore won't accept. aiobotocore is pulled in
169218
# transitively via s3fs, which is capped by fsspec, which is capped by the
170219
# `datasets` 3.x pin above. Hold boto3 at 1.40.70 until datasets is unpinned
171220
# or a newer aiobotocore covers the gap. See PR #2159, PR #2169.
172-
- dependency-name: "boto3"
173-
versions: [">1.40.70"]
221+
- dependency-name: 'boto3'
222+
versions: ['>1.40.70']
174223

175224
# CLI (Typer, managed with uv)
176225
# Security-only mode: the CLI is published to PyPI as `transformerlab-cli` and
@@ -181,35 +230,35 @@ updates:
181230
# disables routine version-update PRs while still allowing Dependabot security
182231
# advisory PRs to fire (security updates bypass the limit). Revisit if the CLI
183232
# ever grows a network listener or starts parsing untrusted input.
184-
- package-ecosystem: "uv"
185-
directory: "/cli"
233+
- package-ecosystem: 'uv'
234+
directory: '/cli'
186235
schedule:
187-
interval: "weekly"
188-
day: "monday"
236+
interval: 'weekly'
237+
day: 'monday'
189238
open-pull-requests-limit: 0
190239

191240
# Lab SDK (published to PyPI as `transformerlab`)
192-
- package-ecosystem: "uv"
193-
directory: "/lab-sdk"
241+
- package-ecosystem: 'uv'
242+
directory: '/lab-sdk'
194243
schedule:
195-
interval: "weekly"
196-
day: "monday"
244+
interval: 'weekly'
245+
day: 'monday'
197246
open-pull-requests-limit: 5
198247
groups:
199248
minor-and-patch:
200249
update-types:
201-
- "minor"
202-
- "patch"
250+
- 'minor'
251+
- 'patch'
203252

204253
# GitHub Actions workflows
205-
- package-ecosystem: "github-actions"
206-
directory: "/"
254+
- package-ecosystem: 'github-actions'
255+
directory: '/'
207256
schedule:
208-
interval: "weekly"
209-
day: "monday"
257+
interval: 'weekly'
258+
day: 'monday'
210259
open-pull-requests-limit: 5
211260
groups:
212261
minor-and-patch:
213262
update-types:
214-
- "minor"
215-
- "patch"
263+
- 'minor'
264+
- 'patch'

0 commit comments

Comments
 (0)