chore(deps): bump the version-updates group across 1 directory with 5 updates #2254

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/uv/scripts/evals/moderation/version-updates-a8775f59f4

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Bumps the version-updates group with 5 updates in the /scripts/evals/moderation directory:

| Package | From | To |
| --- | --- | --- |
| torch | 2.12.0 | 2.12.1 |
| transformers | 4.57.6 | 5.12.1 |
| pytest | 9.0.3 | 9.1.1 |
| ruff | 0.15.15 | 0.15.20 |
| atheris | 3.0.0 | 3.1.0 |

Updates torch from 2.12.0 to 2.12.1

Release notes

Sourced from torch's releases.

PyTorch 2.12.1 Release, bug fix release

This release is meant to fix the following regressions and silent correctness issues:

Regression fixes

  • Fix nondeterministic outputs in test_batch_invariance with FLASH_ATTN on NVIDIA B200 GPUs (#181248), fixed by updating Triton to 3.7.1 (#186814)
  • Fix illegal memory access in the Triton convolution2d_bwd_weight kernel on B100/B200 (sm100) GPUs (#187081), fixed by updating Triton to 3.7.1 (#186814)
  • Fix fill_ on byte-dtype views with misaligned storage offset (#186821)

Releng / Build

  • Drop CPython 3.13t from the binary build matrix (#182951)

Updates transformers from 4.57.6 to 5.12.1

Release notes

Sourced from transformers's releases.

Patch release v5.12.1

Updated the lower bound for PEFT and a fix for auto tokenizer to properly resolve the mistral tokenizer (when mistral-common is installed). This is similar to v.5.10.3 minus the fixes that were already included in the main release - vLLM will first target 5.10.3 🤗

Full Changelog: huggingface/transformers@v5.12.0...v5.12.1

Patch release v5.10.4

Update: Note that on pypi 5.10.3 doesn't exist and this is saved under 5.10.4 (so essentially a minor version skipped). Sorry about that, that's on me. Just wanted to clarify to make this less confusing!

A few fixes needed for vLLM to sync with transformers 🤗

Full Changelog: huggingface/transformers@v5.10.2...v5.10.3

Release v5.12.0

New Model additions

MiniMax-M3-VL

MiniMax-M3-VL is the vision-language member of the MiniMax-M3 family that pairs a CLIP-style vision tower with 3D rotary position embeddings with the MiniMax-M3 text backbone. It uses a mixed dense/sparse Mixture-of-Experts decoder with SwiGLU-OAI gated experts and a lightning indexer for block-sparse attention. The model processes images through a Conv3d patch embedding system and includes specialized components for efficient multimodal understanding and generation.

Links: Documentation

PP-OCRv6: update documentation and slow tests (#46576)

The official weights for PP-OCRv6 are out: PP-OCRv6 is a lightweight OCR system that combines architectural innovation with data-centric optimization. It redesigns the backbone, detection neck, and recognition neck around a unified MetaFormer-style building block with structural reparameterization. Three model tiers (medium, small, tiny) share the same block primitives, covering deployment scenarios from server to edge.

  • PP-OCRv6: update documentation and slow tests (#46576) by @zhang-prog

Add Parakeet-RNNT (#46331)

... (truncated)

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in the @pytest.mark.parametrize argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize and metafunc.parametrize is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Updates ruff from 0.15.15 to 0.15.20

Release notes

Sourced from ruff's releases.

0.15.20

Release Notes

Released on 2026-06-25.

Preview features

  • Allow human-readable names in rule selectors (#25887)
  • Emit a warning instead of an error for unknown rule selectors (#26113)
  • Match noqa shebang handling in ruff:ignore comments (#26286)
  • [ruff] Remove pytest-fixture-autouse (RUF076) (#26240, #26371)

Documentation

  • Add versioning sections to custom crate READMEs (#26317)
  • Update ruff_python_parser README for crates.io (#26315)
  • [perflint] Clarify that PERF402 applies to any iterable (#26242)

Contributors

Install ruff 0.15.20

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.20/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ruff/releases/download/0.15.20/ruff-installer.ps1 | iex"

Download ruff 0.15.20

| File | Platform | Checksum |
| --- | --- | --- |
| ruff-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| ruff-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| ruff-aarch64-pc-windows-msvc.zip | ARM64 Windows | checksum |
| ruff-i686-pc-windows-msvc.zip | x86 Windows | checksum |
| ruff-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| ruff-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| ruff-i686-unknown-linux-gnu.tar.gz | x86 Linux | checksum |

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.20

Released on 2026-06-25.

Preview features

  • Allow human-readable names in rule selectors (#25887)
  • Emit a warning instead of an error for unknown rule selectors (#26113)
  • Match noqa shebang handling in ruff:ignore comments (#26286)
  • [ruff] Remove pytest-fixture-autouse (RUF076) (#26240, #26371)

Documentation

  • Add versioning sections to custom crate READMEs (#26317)
  • Update ruff_python_parser README for crates.io (#26315)
  • [perflint] Clarify that PERF402 applies to any iterable (#26242)

Contributors

0.15.19

Released on 2026-06-23.

Preview features

  • Support human-readable names when hovering suppression comments and in code actions (#26114)

Bug fixes

  • Fall back to default settings when editor-only settings are invalid (#26244)
  • Fix panic when inserting text at a notebook cell boundary (#26111)

Rule changes

  • [pylint] Update fix suggestions for __floor__, __trunc__, __length_hint__, and __matmul__ variants (PLC2801) (#26239)

Performance

  • Avoid allocating when parsing single string literals (#26200)
  • Avoid reallocating singleton call arguments (#26223)
  • Lazily create source files for lint diagnostics (#26226)
  • Optimize formatter text width and indentation (#26236)
  • Reserve capacity for builtin bindings (#26229)
  • Skip repeated-key checks for singleton dictionaries (#26228)
  • Use ArrayVec for qualified name segments (#26224)

... (truncated)

Commits
  • f82a36b Bump 0.15.20 (#26376)
  • af32943 Improve the summarise-ecosystem-results skill (#26378)
  • 485ebab Remove RUF076 name from schema (#26371)
  • ef81835 [ty] Implement rust-analyzer's "Click for full compiler diagnostic" feature (...
  • 572b31e [ruff] Remove pytest-fixture-autouse (RUF076) (#26240)
  • f703f21 Allow human-readable names in rule selectors (#25887)
  • 0d726b2 [ty] Reuse equality semantics for membership compatibility (#25955)
  • dbe6e98 [ty] Infer definite equality comparison results (#26337)
  • e700ea3 [ty] Prove TypedDict structural patterns exhaustive (#26285)
  • 6a0d2ec [ty] Widen inferred class-valued instance attributes (#26338)
  • Additional commits viewable in compare view

Updates atheris from 3.0.0 to 3.1.0

@dependabot dependabot Bot added the dependencies Dependency updates label Jun 29, 2026
dependabot Bot commented on behalf of github Jun 29, 2026

Labels

The following labels could not be found: python. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 19:33
@dependabot dependabot Bot added the dependencies Dependency updates label Jun 29, 2026
github-actions Bot commented Jun 29, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

scripts/evals/moderation/uv.lock

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| anyio | 4.14.1 | Null | Unknown License |
| click | 8.4.2 | Null | Unknown License |
Allowed Licenses: MIT, MIT-0, MIT-CMU, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, BlueOak-1.0.0, CC0-1.0, Unlicense, CC-BY-4.0, CC-BY-3.0, PSF-2.0, Python-2.0, HPND, LicenseRef-scancode-secret-labs-2011, WTFPL, LicenseRef-scancode-unicode
Excluded from license check: pkg:pypi/lxml, pkg:pypi/typing-extensions, pkg:pypi/certifi, pkg:pypi/charset-normalizer, pkg:pypi/shapely, pkg:pypi/backports-tarfile, pkg:pypi/cryptography, pkg:pypi/jaraco-classes, pkg:pypi/jaraco-context, pkg:pypi/jaraco-functools, pkg:pypi/keyrings-alt, pkg:pypi/torch, pkg:pypi/filelock, pkg:pypi/hf-xet, pkg:pypi/idna, pkg:pypi/safetensors, pkg:pypi/regex, pkg:npm/dompurify, pkg:npm/lunr-languages, pkg:npm/%40github/copilot, pkg:npm/%40github/copilot-darwin-arm64, pkg:npm/%40github/copilot-darwin-x64, pkg:npm/%40github/copilot-linux-arm64, pkg:npm/%40github/copilot-linux-x64, pkg:npm/%40github/copilot-win32-arm64, pkg:npm/%40github/copilot-win32-x64, pkg:npm/%40github/copilot-linuxmusl-arm64, pkg:npm/%40github/copilot-linuxmusl-x64, pkg:npm/lightningcss, pkg:npm/lightningcss-android-arm64, pkg:npm/lightningcss-darwin-arm64, pkg:npm/lightningcss-darwin-x64, pkg:npm/lightningcss-freebsd-x64, pkg:npm/lightningcss-linux-arm-gnueabihf, pkg:npm/lightningcss-linux-arm64-gnu, pkg:npm/lightningcss-linux-arm64-musl, pkg:npm/lightningcss-linux-x64-gnu, pkg:npm/lightningcss-linux-x64-musl, pkg:npm/lightningcss-win32-arm64-msvc, pkg:npm/lightningcss-win32-x64-msvc, pkg:npm/uri-js, pkg:npm/hve-core

OpenSSF Scorecard

Scorecard details
| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/annotated-doc | 0.0.4 | Unknown | Unknown |
| pip/anyio | 4.14.1 | Unknown | Unknown |
| pip/atheris | 3.1.0 | 🟢 6.2 | see below |
| pip/click | 8.4.2 | Unknown | Unknown |
| pip/h11 | 0.16.0 | 🟢 4.4 | see below |
| pip/httpcore | 1.0.9 | Unknown | Unknown |
| pip/httpx | 0.28.1 | Unknown | Unknown |
| pip/huggingface-hub | 1.21.0 | 🟢 6.4 | see below |
| pip/markdown-it-py | 4.2.0 | Unknown | Unknown |
| pip/mdurl | 0.1.2 | Unknown | Unknown |
| pip/pytest | 9.1.1 | Unknown | Unknown |
| pip/rich | 15.0.0 | Unknown | Unknown |
| pip/ruff | 0.15.20 | Unknown | Unknown |
| pip/shellingham | 1.5.4 | 🟢 3.3 | see below |
| pip/torch | 2.12.1 | Unknown | Unknown |
| pip/torch | 2.12.1+cpu | Unknown | Unknown |
| pip/transformers | 5.12.1 | 🟢 6.5 | see below |
| pip/typer | 0.25.1 | Unknown | Unknown |

Details: pip/atheris 3.1.0

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 7 | Found 23/30 approved changesets -- score normalized to 7 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 3 | 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| SAST | ⚠️ 0 | no SAST tool detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 10 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |

Details: pip/h11 0.16.0

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 5 | Found 9/18 approved changesets -- score normalized to 5 |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Details: pip/huggingface-hub 1.21.0

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 8 | Found 24/28 approved changesets -- score normalized to 8 |
| Maintained | 🟢 10 | 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Pinned-Dependencies | 🟢 5 | dependency not pinned by hash detected -- score normalized to 5 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | ⚠️ -1 | no releases found |
| Packaging | 🟢 10 | packaging workflow detected |
| SAST | 🟢 7 | SAST tool is not run on all commits -- score normalized to 7 |

Details: pip/shellingham 1.5.4

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Code-Review | 🟢 5 | Found 7/12 approved changesets -- score normalized to 5 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | 🟢 10 | license file detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Details: pip/transformers 5.12.1

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 9 | Found 27/30 approved changesets -- score normalized to 9 |
| Security-Policy | 🟢 10 | security policy file detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| License | 🟢 10 | license file detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | ⚠️ -1 | no releases found |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Packaging | 🟢 10 | packaging workflow detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |

Scanned Files

  • scripts/evals/moderation/uv.lock

codecov-commenter commented Jun 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.39%. Comparing base (b6bb6ba) to head (dada696).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2254      +/-   ##
==========================================
+ Coverage   81.32%   81.39%   +0.07%     
==========================================
  Files         130      120      -10     
  Lines       19142    19066      -76     
  Branches       12        0      -12     
==========================================
- Hits        15567    15519      -48     
+ Misses       3572     3547      -25     
+ Partials        3        0       -3     
| Flag | Coverage Δ |
| --- | --- |
| docusaurus | ? |
| pester | 86.02% <ø> (-0.02%) ⬇️ |

Flags with carried forward coverage won't be shown.
see 11 files with indirect coverage changes

@github-actions

Eval Execution

Status: Passed

  • Artifacts evaluated: 0
  • Specs run: 0
  • Assertions passed: 0
  • Assertions failed (blocking): 0
  • Assertions failed (advisory): 0
  • Failed specs (merge-blocking): 0

No changed AI artifacts required evaluation.

@github-actions github-actions Bot left a comment

Dependency Review

Scope: scripts/evals/moderation/ — Python packages only. No GitHub Actions, .devcontainer/, or copilot-setup-steps.yml changes; SHA pinning and environment synchronization are unaffected.

Version summary

| Package | From | To | Classification |
| --- | --- | --- | --- |
| torch | 2.12.0 | 2.12.1 | patch ✅ |
| transformers | 4.57.6 | 5.12.1 | major (4→5) ⚠️ |
| pytest | 9.0.3 | 9.1.1 | minor ✅ |
| ruff | 0.15.15 | 0.15.20 | patch ✅ |
| atheris | 3.0.0 | 3.1.0 | minor ⚠️ |

Findings

transformers 4→5 (major): Flagged inline. Please verify moderation eval API compatibility with Transformers 5 before merging.

atheris 3.1.0 — CP311 wheel absent: The updated uv.lock shows atheris 3.1.0 provides wheels only for CP312, CP313, and CP314. The CP311 wheel present in 3.0.0 is no longer listed, and no sdist entry appears in the lock file. Since requires-python = ">=3.11", environments running Python 3.11 may fail to install the fuzz dependency group. Please confirm this is acceptable (e.g., CI runs on 3.12+) before merging.

New transitive deps: annotated-doc, anyio, and click are new entries in uv.lock, likely pulled in by transformers 5.x. All are well-established packages under Apache-2.0/MIT licenses — no concern.

Safety checks

  • ✅ Licenses: all packages remain Apache-2.0 / BSD / MIT — compatible with this project's MIT license.
  • ✅ SHA pinning: no GitHub Actions references modified.
  • ✅ Environment sync: no .devcontainer/ or copilot-setup-steps.yml changes.
  • ✅ Dependabot reports no known vulnerabilities.

Two items need human confirmation (transformers API compatibility, atheris Python 3.11 availability) before merging.

Generated by Dependabot PR Review for issue #2254 · 227.8 AIC · ⌖ 12.7 AIC · ⊞ 48.6K

"transformers>=4.40,<5",
"torch==2.12.1",
"transformers>=5.12.1,<6",
]
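
Review bot: the `transformers` constraint moves from `>=4.40,<5` to `>=5.12.1,<6` in the same commit that carries the torch, pytest, ruff and atheris bumps, so the one semver-major change cannot be held back or reverted without also dropping the routine ones. Consider keeping major updates out of the version-updates group so that they arrive as a separate PR with their own review and test run.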

⚠️ Major version bump — transformers 4.x → 5.x

The constraint changes from >=4.40,<5 to >=5.12.1,<6, pinning against Hugging Face Transformers 5. This is a major release and the API surface (model loading, AutoModel, tokenizer signatures, pipeline interfaces) may have breaking changes relative to 4.x.

Please verify that the moderation eval code is compatible with the Transformers 5 API before merging.

@WilliamBerryiii

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/uv/scripts/evals/moderation/version-updates-a8775f59f4 branch from fa9f6de to d679284 Compare June 29, 2026 21:39

@github-actions github-actions Bot left a comment

Dependency Review — scripts/evals/moderation group bump

Summary

| Package | From | To | Classification |
| --- | --- | --- | --- |
| torch | 2.12.0 | 2.12.1 | ✅ Patch |
| transformers | 4.57.6 | 5.12.1 | ⚠️ Major (v4 → v5) |
| pytest | 9.0.3 | 9.1.1 | ✅ Minor |
| ruff | 0.15.15 | 0.15.20 | ✅ Patch |
| atheris | 3.0.0 | 3.1.0 | ✅ Minor |

Safety Checks

  • Licenses: All packages use BSD-3 (torch), Apache 2.0 (transformers, atheris), or MIT (pytest, ruff) — all compatible with the project's MIT license. ✅
  • SHA pinning: No GitHub Actions workflow files changed — not applicable. ✅
  • Environment sync: No changes to .devcontainer/ or copilot-setup-steps.yml — not applicable. ✅
  • Vulnerabilities: Dependabot reports no known vulnerabilities introduced by this bump. ✅

Findings

torch (patch): Bug-fix release addressing nondeterministic outputs on NVIDIA B200 GPUs (Triton 3.7.1 update), an illegal memory access regression, and a fill_ byte-dtype view fix. Clean and safe to merge.

transformers (major — flag for human review): The previous constraint >=4.40,<5 deliberately excluded v5. This PR upgrades to >=5.12.1,<6, crossing the major version boundary. The lock file reflects 12 new transitive dependencies (notably httpx/anyio replacing requests/urllib3) and 4 removals, indicating transformers v5 replaced its HTTP stack. The Dependabot PR body only includes patch-level release notes for v5.12.1; the v5.0 migration notes are not summarized. Human verification that the moderation eval's detoxify + transformers integration is compatible with the v5 API is recommended before merging. See inline comment on pyproject.toml line 9.

pytest (minor): Constraint tightened from >=8.0 to >=9.1.1. pytest 9.1.0 has a noted backward-incompatible change for --doctest-modules with autouse fixtures — but this project's addopts does not include --doctest-modules, so this is unlikely to have any impact. ✅

ruff and atheris: Routine patch/minor bumps with no breaking changes. ✅

Verdict

Safety checks pass for all packages except the transformers major version bump, which requires human confirmation that the v4→v5 API transition is handled correctly in the moderation eval code. This review does not block the PR — it flags the major bump for human attention before merge.

Generated by Dependabot PR Review for issue #2254 · 290.7 AIC · ⌖ 13 AIC · ⊞ 46.2K

"torch==2.12.0",
"transformers>=4.40,<5",
"torch==2.12.1",
"transformers>=5.12.1,<6",
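
Review bot: the new `"transformers>=5.12.1,<6"` line is not exercised by any check shown on this PR: the Eval Execution report lists 0 specs run and the only coverage flag with a value is pester. Run the scripts/evals/moderation test suite against the updated lock and attach the result before treating the green checks as evidence that the v5 constraint works.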

⚠️ Major version bump: transformers v4 → v5

The previous constraint >=4.40,<5 explicitly excluded v5. This PR changes it to >=5.12.1,<6, crossing the major version boundary.

New transitive dependencies pulled in by transformers v5 (12 added, 4 removed from lock file):

  • Added: httpx, anyio, h11, httpcore, typer, rich, click, shellingham, markdown-it-py, mdurl, annotated-doc, typing-extensions
  • Removed: requests, urllib3, charset-normalizer (transformers v5 migrated from requests to httpx)

Please verify that the detoxify integration and any direct transformers API calls in the moderation eval code remain compatible with the v5 API before merging.

… updates

Bumps the version-updates group with 5 updates in the /scripts/evals/moderation directory:

| Package | From | To |
| --- | --- | --- |
| [torch](https://github.com/pytorch/pytorch) | `2.12.0` | `2.12.1` |
| [transformers](https://github.com/huggingface/transformers) | `4.57.6` | `5.12.1` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.15` | `0.15.20` |
| [atheris](https://github.com/google/atheris) | `3.0.0` | `3.1.0` |



Updates `torch` from 2.12.0 to 2.12.1
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.12.0...v2.12.1)

Updates `transformers` from 4.57.6 to 5.12.1
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.57.6...v5.12.1)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `ruff` from 0.15.15 to 0.15.20
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.15...0.15.20)

Updates `atheris` from 3.0.0 to 3.1.0
- [Commits](https://github.com/google/atheris/commits)

---
updated-dependencies:
- dependency-name: atheris
  dependency-version: 3.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: version-updates
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: version-updates
- dependency-name: ruff
  dependency-version: 0.15.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: torch
  dependency-version: 2.12.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: transformers
  dependency-version: 5.12.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/scripts/evals/moderation/version-updates-a8775f59f4 branch from d679284 to dada696 Compare June 30, 2026 00:04

@github-actions github-actions Bot left a comment

Dependency Review — Safety Check Results

This review covers the 5 dependency bumps in scripts/evals/moderation/.

Version Bump Summary

| Package | From | To | Classification |
| --- | --- | --- | --- |
| torch | 2.12.0 | 2.12.1 | Patch |
| transformers | 4.57.6 | 5.12.1 | Major (v4 → v5) |
| pytest | 9.0.3 | 9.1.1 | Minor |
| ruff | 0.15.15 | 0.15.20 | Patch |
| atheris | 3.0.0 | 3.1.0 | Minor |

Safety Checks

  • Licenses: All compatible with MIT — torch (BSD-3-Clause), transformers (Apache-2.0), pytest (MIT), ruff (MIT), atheris (Apache-2.0).
  • SHA pinning: No GitHub Actions files modified; not applicable.
  • Environment sync: No changes to .devcontainer/ or copilot-setup-steps.yml; not applicable.
  • Vulnerabilities: Dependabot reports no known vulnerabilities introduced by these bumps.
  • No new dependencies: All bumped packages were already present.

⚠️ Flag for Human Attention — Major Version Bump: transformers

transformers crosses the v4→v5 major version boundary (4.57.6 → 5.12.1). Notable signals from the lock file diff:

  • typer is added as a new runtime dependency; filelock and requests are removed.
  • New transitive packages appear (annotated-doc, anyio, click, colorama).

The HuggingFace v5 release may include breaking API changes for the moderation eval code. A human reviewer should confirm that scripts/evals/moderation/ tests pass against transformers==5.12.1 before merging.

All other bumps (torch patch, pytest minor, ruff patch, atheris minor) are straightforward and passed all safety checks.

Generated by Dependabot PR Review for issue #2254 · 139.5 AIC · ⌖ 14.5 AIC · ⊞ 48.4K
