
deps: update numpy requirement from <2.0.0,>=1.26.0 to >=1.26.0,<3.0.0#49

Merged
Hidden-History merged 1 commit into main from dependabot/pip/numpy-gte-1.26.0-and-lt-3.0.0
Mar 6, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 2, 2026

Updates the requirements on numpy to permit the latest version.

Release notes

Sourced from numpy's releases.

v2.2.6 (May 17, 2025)

NumPy 2.2.6 Release Notes

NumPy 2.2.6 is a patch release that fixes bugs found after the 2.2.5 release. It is a mix of typing fixes/improvements as well as the normal bug fixes and some CI maintenance.

This release supports Python versions 3.10-3.13.

Contributors

A total of 8 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

  • Charles Harris
  • Ilhan Polat
  • Joren Hammudoglu
  • Marco Gorelli +
  • Matti Picus
  • Nathan Goldbaum
  • Peter Hawkins
  • Sayed Adel

Pull requests merged

A total of 11 pull requests were merged for this release.

  • #28778: MAINT: Prepare 2.2.x for further development
  • #28851: BLD: Update vendor-meson to fix module_feature conflicts arguments...
  • #28852: BUG: fix heap buffer overflow in np.strings.find
  • #28853: TYP: fix NDArray[floating] + float return type
  • #28864: BUG: fix stringdtype singleton thread safety
  • #28865: MAINT: use OpenBLAS 0.3.29
  • #28889: MAINT: from_dlpack thread safety fixes
  • #28913: TYP: Fix non-existent CanIndex annotation in ndarray.setfield
  • #28915: MAINT: Avoid dereferencing/strict aliasing warnings
  • #28916: BUG: Fix missing check for PyErr_Occurred() in _pyarray_correlate.
  • #28966: TYP: reject complex scalar types in ndarray.__ifloordiv__

Checksums

MD5

259343f056061f6eadb2f4b8999d06d4  numpy-2.2.6-cp310-cp310-macosx_10_9_x86_64.whl
16fa85488e149489ce7ee044d7b0d307  numpy-2.2.6-cp310-cp310-macosx_11_0_arm64.whl
f01b7aea9d2b76b1eeb49766e615d689  numpy-2.2.6-cp310-cp310-macosx_14_0_arm64.whl
f2ddc2b22517f6e31caa1372b12c2499  numpy-2.2.6-cp310-cp310-macosx_14_0_x86_64.whl
52190e22869884f0870eb3df7a283ca9  numpy-2.2.6-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
8f382b9ca6770db600edd5ea2447a925  numpy-2.2.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
e604aae2ef6e01fb92ecc39aca0424d9  numpy-2.2.6-cp310-cp310-musllinux_1_2_aarch64.whl

... (truncated)

Commits
  • 2b686f6 Merge pull request #28980 from charris/prepare-2.2.6
  • ed41828 REL: Prepare for the NumPy 2.2.6 release [wheel build]
  • 83e4e7f Merge pull request #28966 from charris/backport-28958
  • 248f0cb TYP: add rejection-tests for complex ndarray floordiv
  • 5bad9da TYP: reject complex scalar types in ndarray.__ifloordiv__
  • 6c42775 Merge pull request #28915 from charris/backport-28892
  • 4277e7c Merge pull request #28916 from charris/backport-28898
  • bd1c863 BUG: Fix missing check for PyErr_Occurred() in _pyarray_correlate. (#28898)
  • 87d1d8a MAINT: Avoid dereferencing/strict aliasing warnings during complex casts in `...
  • 9e50659 Merge pull request #28913 from charris/backport-28908
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Mar 2, 2026
@dependabot dependabot bot requested a review from Hidden-History as a code owner March 2, 2026 12:02

github-actions bot commented Mar 2, 2026

🎉 Thanks for your first pull request to AI Memory Module!

A maintainer will review your PR soon. Here's what happens next:

  1. Automated tests will run (check the status above)
  2. A maintainer will review your code
  3. You may be asked to make changes
  4. Once approved, your PR will be merged 🚀

Quick reminders:

  • Make sure all tests pass
  • Update documentation if needed
  • Link the related issue with Fixes #XXX

Thanks for contributing! 🙏

@Hidden-History
Owner

@claude Review the Dependabot PRs on the ai-memory repository for breaking changes and compatibility issues.


github-actions bot commented Mar 3, 2026

🤖 AI Analysis (Ollama kimi-k2.5:cloud)

NumPy 2.x Upgrade Review

Executive Summary

Risk Level: 🔴 High
Recommendation: Hold for Manual Verification before merge

This PR bumps the NumPy upper bound from <2.0.0 to <3.0.0, effectively allowing NumPy 2.x installations. NumPy 2.0 introduced significant breaking changes (June 2024 release) that can cause runtime failures, ABI incompatibilities, and behavioral changes in vector operations.


🔐 Security Analysis

✅ Fixes Included (v2.2.6)

  • Heap buffer overflow in np.strings.find (PR #28852) - Critical: Fixes memory corruption vulnerability in string operations
  • Thread safety fixes for stringdtype singleton (PR #28864) - High: Race condition in concurrent string array access
  • DLPack thread safety (PR #28889) - Medium: Memory management fixes for tensor sharing

⚠️ Security Considerations

  • NumPy 2.2.6 drops support for Python 3.9 (EOL). Ensure your runtime uses Python 3.10+
  • New strings module (introduced in 2.0) has had multiple security patches since release

💥 Breaking Changes Assessment

Critical Incompatibilities (NumPy 2.0 Migration)

| Area | Change | Impact on topic drift computation |
| --- | --- | --- |
| Copy Semantics | np.array(x, copy=False) now raises if copy needed | May affect vector preprocessing pipelines |
| Scalar Representation | np.float64(1.0) prints as np.float64(1.0) not 1.0 | Could break serialization/logging |
| Windows int64 | Default integer is now 64-bit on Windows | Potential memory doubling on Windows builds |
| Removed Functions | np.float_, np.int_ aliases removed | Will raise AttributeError if used |
| Stricter Casting | np.can_cast behavior changed | May affect type promotion in drift calculations |

Threading & Concurrency Risks

The stringdtype singleton fix suggests your codebase may use string arrays for token/topic handling. Edge case: Concurrent access to string-based topic vectors could segfault in NumPy 2.2.5 and earlier.


🔍 Code-Specific Review

Vector Operations (Topic Drift)

The comment indicates NumPy is used for "vector operations (topic drift computation)":

Potential Issues:

  1. Copy kwargs: If using np.array(vector, copy=False) for zero-copy optimizations, NumPy 2.0 changed this behavior to potentially raise errors
  2. Strided arrays: Changes to stride handling in 2.0 may affect memory views used in drift calculations
  3. Random number generation: If using np.random for sampling in drift detection, Generator API changes in 2.0 may affect reproducibility

Dependency Chain Risks

Check compatibility with:

  • tiktoken: Verify it supports NumPy 2.x (token embeddings often use NumPy arrays)
  • tree-sitter-*: Native extensions may be compiled against NumPy 1.x ABI
  • detect-secrets: Usually pure Python, but verify

✅ Pre-Merge Checklist

1. ABI Compatibility Test

# Test with strict NumPy 2.0 first (worst case)
pip install numpy==2.0.0
python -c "import numpy; import your_module; # test topic drift"

2. Vector Operation Validation

# Test specific patterns that changed in 2.0
import numpy as np

# Test 1: Copy semantics
x = np.array([1.0, 2.0, 3.0])
y = np.array(x, copy=False)  # Changed behavior in 2.0: raises ValueError only when a copy would be required; x is already an ndarray, so this succeeds

# Test 2: String operations (security fix validation)
from numpy import strings  # np.strings module exists only in NumPy 2.0+
arr = np.array(["topic", "drift", "test"])
strings.find(arr, "p")  # Test buffer overflow fix

# Test 3: Float scalars
assert repr(np.float64(1.0)) == "np.float64(1.0)"  # Breaking change is to repr(); str(np.float64(1.0)) is still "1.0"

3. Full Integration Test

  • Run topic drift computation end-to-end
  • Test with concurrent/threaded access (due to stringdtype fixes)
  • Verify on Windows (int64 change affects memory)
  • Check Python 3.10+ only (NumPy 2.2 drops 3.9)

4. Downstream Dependencies

Verify these packages have NumPy 2.x wheels:

  • tiktoken (check pyproject.toml for numpy pin)
  • Any C extensions in tree-sitter bindings

🎯 Recommendations

Immediate Actions

  1. Pin to >=2.0.0,<2.3.0 initially instead of <3.0.0 to avoid unknown 2.3+ breaking changes
  2. Add CI matrix testing both NumPy 1.26 (minimum) and 2.2.6 (latest)
  3. Audit for deprecated aliases: Search codebase for np.float_, np.int_, np.complex_

Code Changes Required

If any Cython/C extensions exist, they must be recompiled against NumPy 2.0 headers. Look for:

  • .pyx files
  • setup.py with numpy.get_include()
  • cimport numpy statements

Gradual Rollout Strategy

# Safer approach
numpy = [
    {version = ">=1.26.0,<2.0.0", python = "<3.10"},
    {version = ">=2.0.0,<2.3.0", python = ">=3.10"}
]

Bottom Line: The security fixes (especially the heap buffer overflow) justify the upgrade, but NumPy 2.0 is not a drop-in replacement. Require full test suite passage with numpy==2.2.6 before merging.


Triggered by @Hidden-History
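Added example, not part of this PR, of the ai-memory repository, or of NumPy: a stdlib-only AST scanner for the alias audit recommended above under "Immediate Actions" item 3 and the "Removed Functions" row of the table. It goes slightly beyond the review's list: besides np.float_ and np.complex_ it flags the other np.<name> aliases that NumPy 2.0 removed outright, and it reports np.int_ in a separate "changed" category because that name still exists in NumPy 2.x (only its default width on Windows changed). The sample module, its file name and the local alias names (np, numpy) are constructed assumptions; the scanner runs without NumPy installed.

```python
"""Scan Python sources for NumPy 1.x aliases that NumPy 2.0 removed or changed.

Example code added alongside the review above; it is not part of the PR,
the repository, or NumPy itself. Only the standard library is used.
"""
import ast
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# np.float_ and np.complex_ (named in the review) plus other top-level
# aliases removed in NumPy 2.0; using any of them raises AttributeError.
REMOVED_ALIASES = frozenset({
    "float_", "complex_", "string_", "unicode_",
    "NaN", "Inf", "Infinity", "infty", "PINF", "NINF",
})
# np.int_ still exists in NumPy 2.x; what changed is its width on Windows
# (now 64-bit), so it is reported as "changed" rather than "removed".
CHANGED_ALIASES = frozenset({"int_"})


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    name: str
    category: str  # "removed" or "changed"


def _category(name: str) -> Optional[str]:
    if name in REMOVED_ALIASES:
        return "removed"
    if name in CHANGED_ALIASES:
        return "changed"
    return None


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Return every use of a flagged NumPy alias in one Python source text."""
    tree = ast.parse(source, filename=filename)
    # Local names bound to the numpy module: ``import numpy`` / ``import numpy as np``.
    module_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "numpy":
                    module_names.add(alias.asname or "numpy")
    findings: List[Finding] = []
    for node in ast.walk(tree):
        # Attribute access such as np.float_ (only direct module.attr, not np.linalg.x).
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if node.value.id in module_names:
                cat = _category(node.attr)
                if cat:
                    findings.append(Finding(filename, node.lineno, f"numpy.{node.attr}", cat))
        # Direct imports such as ``from numpy import float_``.
        elif isinstance(node, ast.ImportFrom) and node.module == "numpy":
            for alias in node.names:
                cat = _category(alias.name)
                if cat:
                    findings.append(Finding(filename, node.lineno, f"numpy.{alias.name}", cat))
    return sorted(findings, key=lambda f: (f.file, f.line))


def scan_tree(root: Path) -> List[Finding]:
    """Walk a source tree and scan every .py file, skipping unparsable ones."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*.py")):
        try:
            findings.extend(scan_source(path.read_text(encoding="utf-8"), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample module standing in for a file in the repository (assumption).
SAMPLE_SOURCE = """\
import numpy as np
from numpy import float_, ndarray

def drift(a: ndarray, b: ndarray) -> float:
    acc = np.float_(0.0)          # removed in NumPy 2.0
    idx = np.int_(len(a))         # still exists; 64-bit on Windows since 2.0
    return float(np.linalg.norm(a - b)) if idx else acc
"""


def main() -> int:
    """Print findings for the sample; exit 1 if any removed alias is present."""
    findings = scan_source(SAMPLE_SOURCE, "topic_drift.py")
    for f in findings:
        print(f"{f.file}:{f.line}: {f.name} ({f.category})")
    # Non-zero exit lets a CI job fail the build before the NumPy bound is widened.
    return 1 if any(f.category == "removed" for f in findings) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Point scan_tree at the repository root in a CI step that runs before the NumPy 2.x matrix job; "changed" findings are informational, while "removed" findings fail the job because those names raise AttributeError on import once NumPy 2.x is installed.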

Updates the requirements on [numpy](https://github.com/numpy/numpy) to permit the latest version.
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v1.26.0...v2.2.6)

---
updated-dependencies:
- dependency-name: numpy
  dependency-version: 2.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/numpy-gte-1.26.0-and-lt-3.0.0 branch from 8895449 to ac84090 on March 6, 2026 20:52
@Hidden-History Hidden-History merged commit 1f2235b into main Mar 6, 2026
12 checks passed
@dependabot dependabot bot deleted the dependabot/pip/numpy-gte-1.26.0-and-lt-3.0.0 branch March 6, 2026 23:54