Skip to content

chore(deps): Bump the uv group across 1 directory with 2 updates#81

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-00b344c8c0
Open

chore(deps): Bump the uv group across 1 directory with 2 updates#81
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-00b344c8c0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv group with 2 updates in the / directory: nltk and transformers.

Updates nltk from 3.9.4 to 3.10.0

Release notes

Sourced from nltk's releases.

v3.10.0-rc1

What's Changed

... (truncated)

Changelog

Sourced from nltk's changelog.

Version 3.10.0 2026-06-11

  • Enforce the stricter nltk.pathsec security policy by default
  • Document the new security model and migration guidance
  • Harden resource loading against path traversal and SSRF/DNS-rebinding
  • Harden downloader path handling and block XML entity expansion
  • Close remaining corpus-reader security edge cases
  • Replace unsafe exec() usage in the utility CLI
  • Warn on unpickling user-provided pickles
  • Add HuggingFace datasets integration (nltk.huggingface)
  • Align TnT with Brants (2000) specifications
  • Fix PorterStemmer irregular-form lowercasing in NLTK mode
  • Fix TransitionParser sparse index dtype for scikit-learn 1.9
  • Fix TextCat tie handling
  • Fix WordNet object comparisons for incompatible types
  • Cache WordNet max depth lazily for lch_similarity()
  • Fix CCG variable direction, substitution, and type-raising bugs
  • Fix Jaro similarity for single-character and empty-string cases
  • Improve CI and release-maintenance workflows

Thanks to the following contributors to 3.10.0: 13rac1, alvations, bowiechen, devesh-2002, ekaf, elias-ba, haosenwang1018, HyperPS, ihitamandal, jancallewaert, jhnwnstd, JuanIMartinezB, Lemm1, LinZiyuu, Mr-Neutr0n, PastelStorm, scruge1, Syzygy2048, ylwango613, yzhaoinuw

Version 3.9.4 2026-03-24

  • Support Python 3.14
  • Fix bug in Levenshtein distance when substitution_cost > 2
  • Fix bug in Treebank detokeniser re quote ordering
  • Fix bug in Jaro similarity for empty strings
  • Several security enhancements
  • Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
  • Implement TextTiling vocabulary introduction method (Hearst 1997)
  • Fix ALINE feature matrix errors and add comprehensive tests
  • Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
  • Let downloader fallback to md5 when sha256 is unavailable
  • Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)

... (truncated)

Commits
  • bd49f90 allow escaped brackets in Tree.fromstring (#3694)
  • 27b8ad6 don't crash chomsky_normal_form on terminals with siblings (#3693)
  • 52227d2 Use os.name for Windows path handling (#3605)
  • 06c0e2c Avoid RIBES zero division on empty inputs (#3604)
  • a167389 Treat missing unzip output as stale (#3607)
  • c94c967 Fix EOF empty document bug in IEER corpus reader (#3648)
  • 94a259c Enforce restrictive primitive type checking in pathsec wrappers (#3692)
  • 5ac475d fix(security): isolate Stanford Java options and clean temp files (#3683)
  • 986f26e ci(deps): bump the github-actions group with 3 updates (#3691)
  • f26b375 fix(security): prevent pickle RCE in TransitionParser model loading (CWE-502)...
  • Additional commits viewable in compare view

Updates transformers from 5.3.0 to 5.5.0

Release notes

Sourced from transformers's releases.

Release v5.5.0

New Model additions

Gemma4

Gemma 4 is a multimodal model with pretrained and instruction-tuned variants, available in 1B, 13B, and 27B parameters. The architecture is mostly the same as the previous Gemma versions. The key differences are a vision processor that can output images of fixed token budget and a spatial 2D RoPE to encode vision-specific information across height and width axis.

You can find all the original Gemma 4 checkpoints under the Gemma 4 release.

The key difference from previous Gemma releases is the new design to process images of different sizes using a fixed-budget number of tokens. Unlike many models that squash every image into a fixed square (like 224×224), Gemma 4 keeps the image's natural aspect ratio while making it the right size. There a a couple constraints to follow:

  • The total number of pixels must fit within a patch budget
  • Both height and width must be divisible by 48 (= patch size 16 × pooling kernel 3)

[!IMPORTANT] Gemma 4 does not apply the standard ImageNet mean/std normalization that many other vision models use. The model's own patch embedding layer handles the final scaling internally (shifting values to the [-1, 1] range).

The number of "soft tokens" (aka vision tokens) an image processor can produce is configurable. The supported options are outlined below and the default is 280 soft tokens per image.

Soft Tokens Patches (before pooling) Approx. Image Area
70 630 ~161K pixels
140 1,260 ~323K pixels
280 2,520 ~645K pixels
560 5,040 ~1.3M pixels
1,120 10,080 ~2.6M pixels

To encode positional information for each patch in the image, Gemma 4 uses a learned 2D position embedding table. The position table stores up to 10,240 positions per axis, which allows the model to handle very large images. Each position is a learned vector of the same dimensions as the patch embedding. The 2D RoPE which Gemma 4 uses independently rotate half the attention head dimensions for the x-axis and the other half for the y-axis. This allows the model to understand spatial relationships like "above," "below," "left of," and "right of."

NomicBERT

NomicBERT is a BERT-inspired encoder model that applies Rotary Position Embeddings (RoPE) to create reproducible long context text embeddings. It is the first fully reproducible, open-source text embedding model with 8192 context length that outperforms both OpenAI Ada-002 and OpenAI text-embedding-3-small on short-context MTEB and long context LoCo benchmarks. The model generates dense vector embeddings for various tasks including search, clustering, and classification using specific instruction prefixes.

Links: Documentation | Paper

MusicFlamingo

Music Flamingo is a fully open large audio–language model designed for robust understanding and reasoning over music. It builds upon the Audio Flamingo 3 architecture by including Rotary Time Embeddings (RoTE), which injects temporal position information to enable the model to handle audio sequences up to 20 minutes. The model features a unified audio encoder across speech, sound, and music with special sound boundary tokens for improved audio sequence modeling.

Links: Documentation | Paper

... (truncated)

Commits
  • c1c3424 update
  • 20bff68 update release workflow
  • 8956441 v5.5.0
  • 5135e5e casually dropping the most capable open weights on the planet (#45192)
  • a594e09 Internalise the NomicBERT model (#43067)
  • 4932e97 Fix resized LM head weights being overwritten by post_init (#45079)
  • 57e8413 [Qwen3.5 MoE] Add _tp_plan to ForConditionalGeneration (#45124)
  • b10552e Fix TypeError: 'NoneType' object is not iterable in GenerationMixin.generate ...
  • 423f2a3 fix(models): Fix dtype mismatch in SwitchTransformers and TimmWrapperModel (#...
  • ade7a05 Generalize gemma vision mask to videos (#45185)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the uv group with 2 updates in the / directory: [nltk](https://github.com/nltk/nltk) and [transformers](https://github.com/huggingface/transformers).


Updates `nltk` from 3.9.4 to 3.10.0
- [Release notes](https://github.com/nltk/nltk/releases)
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.4...v3.10.0)

Updates `transformers` from 5.3.0 to 5.5.0
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v5.3.0...v5.5.0)

---
updated-dependencies:
- dependency-name: nltk
  dependency-version: 3.10.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: transformers
  dependency-version: 5.5.0
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants