chore(deps): update dependency sentencepiece to v0.2.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
sentencepiece	==0.2.0 → ==0.2.1

---

Sentencepiece has a a heap overflow issue

CVE-2026-1260 / GHSA-38vq-g6vr-w8wf

More information

Details

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

Severity

• CVSS Score: 8.5 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-1260
• https://github.com/google/sentencepiece/releases/tag/v0.2.1
• https://github.com/google/sentencepiece/commit/d856b67fdb3492e035489abf9b3aaf486144b2c0
• https://github.com/advisories/GHSA-38vq-g6vr-w8wf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

google/sentencepiece (sentencepiece)

v0.2.1

Compare Source

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc1) #​1134, #​1127, #​1121, #​1111, #​1110, #​1104, #​1103, #​1099, #​1091
• [Python] Added an experimental support for free-threading. #​1134, #​1127, #​1110 https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64. #​1114
• [Python]: Fixed the crash issue on batch decoding #​1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Code Review

This pull request updates the version of the sentencepiece dependency from 0.2.0 to 0.2.1 across multiple requirements.txt files in the generative_ai subdirectories. I have no feedback to provide as there are no review comments or issues identified.