Bump the pip group across 1 directory with 28 updates #9

dependabot · 2025-06-02T08:36:22Z

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

--- updated-dependencies: - dependency-name: aiohttp dependency-version: 3.12.6 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: boto3 dependency-version: 1.38.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: botocore dependency-version: 1.38.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: cachetools dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: pip - dependency-name: charset-normalizer dependency-version: 3.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: datasets dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: exceptiongroup dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: fonttools dependency-version: 4.58.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: fsspec dependency-version: 2025.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: google-auth dependency-version: 2.40.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: huggingface-hub dependency-version: 0.32.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: joblib dependency-version: 1.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: jsonschema dependency-version: 4.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: jupyter-core dependency-version: 5.8.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: multidict dependency-version: 6.4.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: murmurhash dependency-version: 1.0.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: platformdirs dependency-version: 4.3.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: pluggy dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: preshed dependency-version: 3.0.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: pydantic dependency-version: 2.11.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: rpds-py dependency-version: 0.25.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: s3transfer dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: snowballstemmer dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: pip - dependency-name: spacy dependency-version: 3.8.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip - dependency-name: tornado dependency-version: 6.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: transformers dependency-version: 4.52.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: typer dependency-version: 0.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip - dependency-name: zipp dependency-version: 3.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2025-06-02T08:36:47Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

requirements.txt

Package	Version	License	Issue Type
jupyter_core	5.8.1	Null	Unknown License
aiohttp	3.12.6	Null	Unknown License

Denied Licenses: AGPL-1.0, AGPL-3.0

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

pip/aiohttp

3.12.6

🟢 6.5

Details

Check	Score	Reason
Code-Review	⚠️ 2	Found 4/16 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Packaging	🟢 10	packaging workflow detected
SAST	🟢 8	SAST tool detected but not run on all commits
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.

pip/boto3

1.38.27

🟢 7.9

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 1/29 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 10	all dependencies are pinned
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

pip/botocore

1.38.27

🟢 8.6

Details

Check	Score	Reason
Code-Review	⚠️ 1	Found 4/30 approved changesets -- score normalized to 1
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Signed-Releases	⚠️ -1	no releases found
Fuzzing	🟢 10	project is fuzzed
Binary-Artifacts	🟢 10	no binaries found in the repo
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
SAST	🟢 10	SAST tool is run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8

pip/cachetools

6.0.0

🟢 7.2

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	⚠️ 0	Found 2/28 approved changesets -- score normalized to 0
Maintained	🟢 10	27 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/charset-normalizer

3.4.2

🟢 8.1

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/4 approved changesets -- score normalized to 0
Dependency-Update-Tool	🟢 10	update tool detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	16 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
SAST	🟢 10	SAST tool is run on all commits
Packaging	🟢 10	packaging workflow detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	🟢 10	5 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
CI-Tests	🟢 10	26 out of 26 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 3	project has 1 contributing companies or organizations -- score normalized to 3

pip/datasets

3.6.0

🟢 5.9

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 4	Found 14/30 approved changesets -- score normalized to 4
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/exceptiongroup

1.3.0

Unknown

pip/fonttools

4.58.1

🟢 6.2

Details

Check	Score	Reason
Code-Review	🟢 4	Found 7/15 approved changesets -- score normalized to 4
Maintained	🟢 10	30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Binary-Artifacts	🟢 10	no binaries found in the repo
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/fsspec

2025.5.1

🟢 5.5

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 5	Found 16/30 approved changesets -- score normalized to 5
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	⚠️ 0	security policy file not detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Signed-Releases	⚠️ -1	no releases found
Fuzzing	🟢 10	project is fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/google-auth

2.40.2

🟢 7.2

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	⚠️ -1	no workflows found
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ -1	No tokens found
Maintained	🟢 10	27 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
License	🟢 10	license file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ -1	no releases found
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	17 existing vulnerabilities detected
SAST	🟢 9	SAST tool is not run on all commits -- score normalized to 9

pip/huggingface-hub

0.32.3

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 8	Found 24/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	⚠️ 0	security policy file not detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Packaging	⚠️ -1	packaging workflow not detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	🟢 7	SAST tool is not run on all commits -- score normalized to 7

pip/joblib

1.5.1

🟢 5.7

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Maintained	🟢 10	25 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 8	Found 24/30 approved changesets -- score normalized to 8
Security-Policy	🟢 10	security policy file detected
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	🟢 10	project is fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Packaging	🟢 10	packaging workflow detected
Vulnerabilities	⚠️ 0	10 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/jsonschema

4.24.0

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 1/11 approved changesets -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/jupyter_core

5.8.1

Unknown

pip/multidict

6.4.4

🟢 6.7

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 3	Found 10/27 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	🟢 10	security policy file detected
Packaging	🟢 10	packaging workflow detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	🟢 10	SAST tool is run on all commits

pip/murmurhash

1.0.13

🟢 3.5

Details

Check	Score	Reason
Maintained	⚠️ 0	1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Code-Review	⚠️ 0	Found 0/22 approved changesets -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/platformdirs

4.3.8

Unknown

pip/pluggy

1.6.0

🟢 6.3

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 9	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

pip/preshed

3.0.10

🟢 3.6

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 1/16 approved changesets -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	⚠️ 1	1 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Security-Policy	⚠️ 0	security policy file not detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/pydantic

2.11.5

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	🟢 10	security policy file detected
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/rpds-py

0.25.1

Unknown

pip/s3transfer

0.13.0

🟢 7.2

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	25 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Code-Review	🟢 4	Found 8/18 approved changesets -- score normalized to 4
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	🟢 10	all dependencies are pinned
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 9	1 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

pip/snowballstemmer

3.0.1

🟢 4.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 30 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/30 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	⚠️ 0	security policy file not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ -1	no releases found
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/spacy

3.8.7

🟢 4.1

Details

Check	Score	Reason
Maintained	🟢 10	21 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 3	Found 11/30 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	🟢 10	packaging workflow detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	⚠️ 0	security policy file not detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	⚠️ 0	66 existing vulnerabilities detected

pip/tornado

6.5.1

🟢 6.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 2	Found 4/14 approved changesets -- score normalized to 2
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Packaging	🟢 10	packaging workflow detected
Vulnerabilities	⚠️ 2	8 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/transformers

4.52.4

🟢 4.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 29/30 approved changesets -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Dangerous-Workflow	⚠️ 0	dangerous workflow patterns detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	🟢 10	no binaries found in the repo
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	⚠️ 0	464 existing vulnerabilities detected

pip/typer

0.16.0

Unknown

pip/zipp

3.22.0

🟢 6.2

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	⚠️ 0	Found 1/21 approved changesets -- score normalized to 0
Maintained	🟢 10	29 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	🟢 10	project is fuzzed
License	⚠️ 0	license file not detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

Scanned Files

requirements.txt

dependabot · 2025-06-09T07:32:37Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 2, 2025

dependabot bot requested a review from a team as a code owner June 2, 2025 08:36

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 2, 2025

dependabot bot closed this Jun 9, 2025

dependabot bot deleted the dependabot/pip/pip-20a4b8676b branch June 9, 2025 07:32

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the pip group across 1 directory with 28 updates #9

Bump the pip group across 1 directory with 28 updates #9

Uh oh!

dependabot bot commented on behalf of github Jun 2, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Jun 2, 2025

Uh oh!

dependabot bot commented on behalf of github Jun 9, 2025

Uh oh!

Uh oh!

Bump the pip group across 1 directory with 28 updates #9

Bump the pip group across 1 directory with 28 updates #9

Uh oh!

Conversation

dependabot bot commented on behalf of github Jun 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jun 2, 2025

Dependency Review

License Issues

requirements.txt

OpenSSF Scorecard

Scanned Files

Uh oh!

dependabot bot commented on behalf of github Jun 9, 2025

Uh oh!

Uh oh!

dependabot bot commented on behalf of github Jun 2, 2025 •

edited

Loading