Bump the all group across 1 directory with 5 updates #277

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/uv/all-6fb82740cd
@dependabot dependabot Bot commented on behalf of github May 21, 2026

Bumps the all group with 4 updates in the / directory: torch, ty, huggingface-hub and requests.

Updates torch from 2.11.0 to 2.12.0

Release notes

Sourced from torch's releases.

PyTorch 2.12.0 Release Notes

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Backwards Incompatible Changes

Build Frontend

  • Strengthened SVE compile checks in FindARM.cmake, which may reject previously accepted but incorrect SVE configurations (#176646)

    Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.

  • Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (#178925)

    Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure CUDA_HOME points to that installation.

    Version 2.11:

    CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop

    Version 2.12:

    CUDA_HOME=/usr/local/cuda-12.6 python setup.py develop
  • Enforced a C++20 minimum in CMake build files (#178662)

... (truncated)

Commits
  • 0d62256 [release] Dockerfile: skip torchaudio install when CUDA_PATH=cu132 (#183346)
  • 7661cd9 [MPS] Fix SDPA wrong output for permuted q/k/v with B > 1 (#181886)
  • 9da6087 Fix stale PYTORCH_RELEASES_CODE_CC dict (fixes #182250) (#182369)
  • e4c37cc Avoid raw stream name collisions in Inductor (#182178)
  • 822d047 [MPS] Fix bool mask handling in 1-pass SDPA decode kernel (#182285) (#182311)
  • 5c5e523 Add enable_gqa parameter to SDPA MPS meta registration (#181550)
  • eece52e [AOTI] Add BC-safe c_shim v2 for _scaled_dot_product_attention_math_for_mps e...
  • b39330b [Inductor] Call latest c_shim version for versioned fallback ops (#181548)
  • 06f10d0 Revert "[FSDP2] add fqn to communication ops" (#182100) (#182157)
  • 449e339 Revert "[Inductor] Improve materialization heuristic for a chain of computaio...
  • Additional commits viewable in compare view

Updates torchvision from 0.26.0 to 0.27.0

Release notes

Sourced from torchvision's releases.

TorchVision 0.27 Release

TorchVision 0.27 is out! This is a small release where the main improvement is the addition of the popular lanczos interpolation mode for the v2.Resize transform on CPU. Results are equivalent to PIL's, but you can expect TorchVision to be faster as it leverages AVX2 (on x86) and NEON paths (on ARM).

Improvements

  • [transforms] Add support for lanczos interpolation mode (#9459)
  • [transforms] Drastically speed-up Resize on NEON ARM (#9439)
  • [ops] Vectorize masks_to_boxes for performance (#9358)
  • [ops, transforms] Add direct XYWH-CXCYWH conversion for better performance (#9326)
  • [datasets] torchvision.datasets.voc: update dataset and project site URLs (#9216)
  • [ops] Add support for rotated boxes in box_iou (#9404, #9379)
  • [ops][MPS] Improve runtime complexity of roi_align (#9100)
  • [Code quality] #9359, #9364, #9359, #9317, #9409, #9408, #9416, #9411, #4463, #9475, #9427, #9448, #9443, #9396, #9316, #9286, #9324, #9338, #9381, #9386
  • [Documentation] #9339, #9351, #9323, #9374, #9412, #9378, #9428, #9431, #9474, #9472, #9463, #9440, #9385, #9327, #9334, #8879, #9350, #9392

Bug Fixes

  • [transforms] Fix incorrect normalization axis in v2.ElasticTransform (#9300)
  • [transforms] Fix: add clamping to avoid v2.ElasticTransform IndexError when bbox equals canvas size (#9436)
  • [transforms] Fix tv_tensors.wrap to preserve subclass types for BoundingBoxes and KeyPoints (#9332)
  • [transforms] Fix CXCYWH to XYXY conversion for integer bounding boxes (#9322)
  • [ops] Fix masks_to_boxes for empty masks (#9357)

Contributors

🎉 We're grateful for our community, which helps us improve Torchvision by submitting issues and PRs, and providing feedback and suggestions. The following persons have contributed patches for this release:

Andrew Strelsky, Andrey Talman, David Miguel Susano Pinto, fruet, Joan Salvà Soler, jsalvasoler, Look001122, MPSFuzz, mselim00, Murat Raimbekov, Nicolas Hug, Nikita Shulga, Pierre Moulon, ribbon-otter, Richard Barnes, shrianshChari, Timon Erhart, Ting Lu, Wei Shan Sun, Zhitao Yu

Commits
  • 78839c2 [Release 0.27] Cherry-pick of 'Remove old pyav backend, rely on TC instead (#...
  • 883dcaf [Release 0.27] update test-infra refs and version (#9480)
  • bb02424 [Release 0.27] Remove prototype (#9479)
  • 8ad7115 Fix windows builds with TheRock which doesn't accept "/Zc:preprocessor" TheRo...
  • b9ee001 Revert CV-CUDA (#9476)
  • 3ea6d90 Fix warning message to show up on the LFW dataset webpages (#9474)
  • 601776d Fix typo in anchor_utils.py documentation (#9472)
  • e160dc8 Improve LFW download error message with alternative manual download link (Kag...
  • 6214cb2 Fix vision install for all files (#9465)
  • 4e58149 fix windows install for vision (#9464)
  • Additional commits viewable in compare view

Updates ty from 0.0.33 to 0.0.35

Release notes

Sourced from ty's releases.

0.0.35

Release Notes

Released on 2026-05-10.

Bug fixes

  • Allow ParamSpec specialization through unioned generic classes (#24826)
  • Fix cross-file find-references for keyword arguments (#25043)
  • Fix comparison between negative and positive literal integers (#25023)
  • Reject dataclass decorator parameters based on supported Python version (#25029)

LSP server

  • Adjust start of block folding range to preserve visible header for character-precise LSP clients. (#24917)
  • Emit folding ranges from the language server for multi-line block headers. (#24978)
  • Skip global search for references if identifier is not externally visible (#25033)
  • Speed-up find-references by using multithreading for cross-file searches (#25042)

CLI

  • Include severity in JUnit diagnostics (#25080)

Core type checking

  • Check non-generic overload implementations (#24936)
  • Expand support for narrowing within walruses (#24968)
  • Filter overloads based on return type for ParamSpec mapping (#24769)
  • Improve support for recursive types (#24773)
  • Include TypedDict type context when inferring mixed constructors (#25039)
  • Include TypedDict type context when inferring string keys (#25037)
  • Preserve NewType and TypeAliasType in implicit aliases (#25072)
  • Provide type context for generator expression yields (#25069)
  • Provide type context for boolean operands (#25070)
  • Selectively promote a union of homogeneous fixed-length tuples to a single variadic tuple (#24705)
  • Support narrowing on __class__ checks (#24997)
  • Use more precise exception types when catching a union (#25076)

Diagnostics

  • Include error context for overload consistency diagnostics (#24950)

Performance

  • Cache results in desperate module resolution (#24977)
  • Lazily initialize builder when transforming a union type (#24929)
  • Project reachability constraints before narrowing (#24982)
  • Skip parameter accumulation for object variadics (#24976)

Contributors

... (truncated)

Commits

Updates huggingface-hub from 1.12.2 to 1.14.0

Release notes

Sourced from huggingface-hub's releases.

[v1.14.0] Handle Spaces secrets & variables from CLI and other improvements

🖥️ Manage Space secrets and variables from the CLI

You can now manage Space secrets and environment variables directly from the command line with two new hf spaces subgroups: secrets and variables. Use hf spaces secrets to add, list, and delete write-only secrets, and hf spaces variables to add, list, and delete readable environment variables. Both add commands support multiple -s/-e flags and --secrets-file/-env-file for loading from dotenv files. On the Python side, HfApi.get_space_secrets() returns secret metadata (key, description, updated timestamp) without ever revealing values.

# List secrets (values are write-only — only keys and timestamps are shown)
$ hf spaces secrets ls username/my-space
# Add secrets
$ hf spaces secrets add username/my-space -s OPENAI_API_KEY=sk-...
$ hf spaces secrets add username/my-space --secrets-file .env.secrets
# Delete a secret (confirmation prompt, use --yes to skip)
$ hf spaces secrets delete username/my-space OPENAI_API_KEY --yes
# List, add, and delete variables (values are readable)
$ hf spaces variables ls username/my-space
$ hf spaces variables add username/my-space -e MODEL_ID=gpt2 -e MAX_TOKENS=512
$ hf spaces variables delete username/my-space MAX_TOKENS --yes

📚 Documentation: CLI guide · Manage your Space

🪣 Rsync-style trailing slash for bucket folder copies

hf buckets cp now supports rsync-style trailing slash semantics when copying folders. A trailing / on the source path copies only the folder's contents to the destination, while omitting it nests the folder itself — matching the behavior you'd expect from rsync. This makes it possible to flatten directory structures during copies, which was not possible before. Additionally, copy_files now raises an explicit EntryNotFoundError when the source path resolves to no files, instead of silently succeeding with zero operations.

# Without trailing slash: "logs" dir is nested => dst/logs/...
$ hf buckets cp hf://buckets/username/src-bucket/logs hf://buckets/username/dst/
# With trailing slash: only contents of "logs" are copied => dst/...
$ hf buckets cp hf://buckets/username/src-bucket/logs/ hf://buckets/username/dst/

  • [Buckets] Support rsync-style trailing slash in copy_files by @​Wauplin in #4187
  • [CLI] Raise error when copy_files source doesn't exist by @​Wauplin in #4186

📚 Documentation: Buckets guide · CLI guide

💔 Breaking Change

  • [CLI] Rename hf skills upgrade -> hf skills update by @hanouticelina in #4176: hf skills upgrade no longer exists; use hf skills update instead.
  • [CLI] Add out.status() by @​hanouticelina in #4171 — status updates (spinners/progress) on hf extensions install and hf spaces dev-mode are now suppressed when using --format json, --quiet, or --format agent.

🖥️ CLI

... (truncated)

Commits
  • 2ea0c83 Release: v1.14.0
  • f7cffc7 Release: v1.14.0.rc0
  • ac0156b style
  • 32476d9 Update typer dependency version in setup.py (#4193)
  • fadab7a [CLI] Raise error when copy_files source doesn't exist (#4186)
  • 7c0abeb [CLI] Add get_space_secrets + hf spaces secrets ls (#4182)
  • 51adb8f [Buckets] Support rsync-style trailing slash in copy_files to copy folder con...
  • 22eaf89 [internal] Untrack useless files (#4191)
  • 2774771 Update unit test warnings check to ignore unrelated deprecation warnings (#4188)
  • 3d19907 [CLI] Support hf -v to print version (#4185)
  • Additional commits viewable in compare view

Updates requests from 2.33.1 to 2.34.1

Release notes

Sourced from requests's releases.

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

  • Widened json input type from dict and list to Mapping and Sequence. (#7436)
  • Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
  • Response.reason moved from str | None to str to improve handling for users. (#7437)
  • Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

  • Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

    Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

  • Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
  • Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
  • Requests added support for Python 3.14t. (#7419)

Bugfixes

  • Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
  • Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
  • Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

New Contributors

... (truncated)

Commits

Bumps the all group with 4 updates in the / directory: [torch](https://github.com/pytorch/pytorch), [ty](https://github.com/astral-sh/ty), [huggingface-hub](https://github.com/huggingface/huggingface_hub) and [requests](https://github.com/psf/requests).


Updates `torch` from 2.11.0 to 2.12.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.11.0...v2.12.0)

Updates `torchvision` from 0.26.0 to 0.27.0
- [Release notes](https://github.com/pytorch/vision/releases)
- [Commits](pytorch/vision@v0.26.0...v0.27.0)

Updates `ty` from 0.0.33 to 0.0.35
- [Release notes](https://github.com/astral-sh/ty/releases)
- [Changelog](https://github.com/astral-sh/ty/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ty@0.0.33...0.0.35)

Updates `huggingface-hub` from 1.12.2 to 1.14.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.12.2...v1.14.0)

Updates `requests` from 2.33.1 to 2.34.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.33.1...v2.34.1)

---
updated-dependencies:
- dependency-name: torch
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: torchvision
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: ty
  dependency-version: 0.0.35
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: huggingface-hub
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: requests
  dependency-version: 2.34.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the "dependencies" label (Pull requests that update a dependency file) May 21, 2026
@dependabot dependabot Bot requested a review from ESultanik as a code owner May 21, 2026 12:25
@dependabot dependabot Bot added the "python:uv" (Pull requests that update python:uv code) and "dependencies" (Pull requests that update a dependency file) labels May 21, 2026