Skip to content

Build(deps-dev): Update pueblo requirement from >=0.0.18 to >=0.0.19 in /topic/machine-learning/mlflow#1904

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/topic/machine-learning/mlflow/pueblo-gte-0.0.19
Open

Build(deps-dev): Update pueblo requirement from >=0.0.18 to >=0.0.19 in /topic/machine-learning/mlflow#1904
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/topic/machine-learning/mlflow/pueblo-gte-0.0.19

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on pueblo to permit the latest version.

Release notes

Sourced from pueblo's releases.

v0.0.19

What's Changed

  • general: Adjusted dependency specification for click-aliases, for compatibility with Python 3.8.
  • nlp: Downgraded to unstructured 0.17, to get rid of the transitive llvmlite and numba dependencies
  • ngr: Accompanied changes in poethepoet v0.43 and newer

Details

Full Changelog: pyveci/pueblo@v0.0.18...v0.0.19

Changelog

Sourced from pueblo's changelog.

2026-07-06 v0.0.19

  • general: Adjusted dependency specification for click-aliases, for compatibility with Python 3.8.
  • nlp: Downgraded to unstructured 0.17, to get rid of the transitive llvmlite and numba dependencies
  • ngr: Accompanied changes in poethepoet v0.43 and newer

2026-04-07 v0.0.18

  • general: Downgrade to poethepoet 0.42 to fix task runner API
  • nlp: Relax package dependencies by removing upper bounds. The idea of a "validated ecosystem" is counter-productive in this case, because the strict constraints limit test case evolution.

2026-03-22 v0.0.17

  • mcp: Added McpConversation helper for exercising an MCP server

2026-03-22 v0.0.16

  • Replaced NLTK with spaCy to remediate CVE-2025-14009, following the decision of the unstructured package. NLTK's downloader uses zipfile.extractall() without path validation, enabling RCE via malicious packages (CVSS 10.0, no patch available). spaCy models install as pip packages, eliminating the vulnerable downloader entirely.
  • ngr: Added runner for shell scripts like test.sh

2026-02-08 v0.0.15

  • Downgraded to unstructured v0.18.27 due to installation problems with llvmlite

2026-01-25 v0.0.14

  • Testing: Fixed ValueError: Invalid frequency: S. Failed to parse with error message: Did you mean s?
  • ngr: Updated to poethepoet 0.38 at ngr-python-test-poethepoet
  • CI: Partially validated on Python 3.14t (free threading)

2025-12-15 v0.0.13

  • nlp: Switched from langchain to langchain-core
  • Testing: Migrated from pytest's LocalPath to pathlib.Path

2025-11-05 v0.0.12

  • ngr: Stopped overwriting existing Gradle wrapper. The --gradle-wrapper option can be used to optionally regenerate the Gradle wrapper now.
  • ngr: Deprecated Python's --accept-no-venv option: The test runner should not apply any governance here.

2025-01-19 v0.0.11

  • ngr: For invoking Elixir, use mix test --trace

... (truncated)

Commits
  • d1f35c8 Release v0.0.19
  • 1afc345 Update dependency poethepoet to <0.49
  • 511e13f ngr: Accompany changes in poethepoet v0.43 and newer
  • 2f30173 nlp: Downgrade to unstructured 0.17
  • d4b9cc9 Update astral-sh/setup-uv action to v8.3.0
  • a8bd6bb Update dependency coverage to <7.16
  • 4eb9dc5 Update dependency Microsoft.NET.Test.Sdk to 18.7.0
  • d1669d6 Update actions/cache action to v6
  • a94f6c2 Update dependency ty to <0.0.57
  • 820ae0b Add a lower bound to numba to fix resolving dependencies by uv
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [pueblo](https://github.com/pyveci/pueblo) to permit the latest version.
- [Release notes](https://github.com/pyveci/pueblo/releases)
- [Changelog](https://github.com/pyveci/pueblo/blob/main/CHANGES.md)
- [Commits](pyveci/pueblo@v0.0.18...v0.0.19)

---
updated-dependencies:
- dependency-name: pueblo
  dependency-version: 0.0.19
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Concerns of dependencies. python Pull requests that update Python code labels Jul 7, 2026
@amotl

amotl commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Hi. This patch is not necessary and effectively just noise. Please close the PR without much ado, and migrate to Renovate to tame CI by applying the "widen" version bumping strategy across the board.

/cc @bgunebakan, @florinutz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Concerns of dependencies. python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant