
chore(deps): Update stable-baselines3 requirement from >=2.0.0 to >=2.8.0 (#33)

Merged
TPTBusiness merged 1 commit into master from dependabot/pip/stable-baselines3-gte-2.8.0 on Apr 27, 2026

Conversation

Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Updates the requirements on stable-baselines3 to permit the latest version.

Commits
  • 5e00d26 Release v2.8.0 (#2235)
  • a72be40 Update contribution guidelines regarding LLM/code assistant usage (#2231)
  • 5bb5da5 Update changelog for SB3 ecosystem (#2227)
  • cc20f5a Switch to Markdown documentation (MyST parser) (#2219)
  • 5675204 Fix pandas.concat futurewarning by checking for empty frames (#2218)
  • 8ca546f Docs: update ONNX export for SBX (#2214)
  • 9c7b0f2 EnvChecker: Generate a warning if a multidiscrete space has multi-dimensional...
  • 8fccf7f Fix saving jitted model and simplify load (#2205)
  • c6ce50f Improve type hints for distributions and cleanup (#2200)
  • 58ac622 doc: update min Python version required
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [stable-baselines3](https://github.com/DLR-RM/stable-baselines3) to permit the latest version.
- [Release notes](https://github.com/DLR-RM/stable-baselines3/releases)
- [Commits](DLR-RM/stable-baselines3@v2.0.0...v2.8.0)

---
updated-dependencies:
- dependency-name: stable-baselines3
  dependency-version: 2.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 27, 2026
@TPTBusiness TPTBusiness merged commit ade0f7f into master Apr 27, 2026
10 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/stable-baselines3-gte-2.8.0 branch April 27, 2026 14:18
TPTBusiness pushed a commit that referenced this pull request Apr 30, 2026
Updates the requirements on [stable-baselines3](https://github.com/DLR-RM/stable-baselines3) to permit the latest version.
- [Release notes](https://github.com/DLR-RM/stable-baselines3/releases)
- [Commits](DLR-RM/stable-baselines3@v2.0.0...v2.8.0)

---
updated-dependencies:
- dependency-name: stable-baselines3
  dependency-version: 2.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 1, 2026
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
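The realpath-based containment guard the commit message above describes, as an added example that is not the project's code: it resolves both sides with os.path.realpath (collapsing `..` and symlinks) and anchors the prefix comparison on whole path components via os.path.commonpath, so a sibling directory that merely shares the base's name as a string prefix is rejected. The function names and the temporary-directory layout are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Added example, not the project's code: the realpath-based containment guard
# the commit describes, with the prefix check anchored by os.path.commonpath.
# Function names and the temp-directory layout below are assumptions.

def is_within_naive(base: str, candidate: str) -> bool:
    """Bare realpath + startswith: accepts '/data_evil' for base '/data'."""
    return os.path.realpath(candidate).startswith(os.path.realpath(base))

def is_within(base: str, candidate: str) -> bool:
    """realpath both sides, then require base to be the longest common path.

    realpath collapses '..' and follows symlinks before the comparison;
    commonpath compares whole components, so a sibling directory that merely
    shares base's name as a prefix is rejected.
    """
    real_base = os.path.realpath(base)
    real_cand = os.path.realpath(candidate)
    return os.path.commonpath([real_base, real_cand]) == real_base

def resolve_in(base: str, user_path: str) -> Optional[Path]:
    """Join an untrusted relative name onto base; return the resolved Path
    only if it stays inside base, else None."""
    candidate = os.path.join(base, user_path)
    if not is_within(base, candidate):
        return None
    return Path(os.path.realpath(candidate))

def demo() -> Dict[str, bool]:
    """Constructed layout: <tmp>/data (base), <tmp>/data_evil (sibling) and a
    symlink data/link -> data_evil. Reports which lookups each guard accepts."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "data")
    sibling = os.path.join(root, "data_evil")
    os.makedirs(base)
    os.makedirs(sibling)
    os.symlink(sibling, os.path.join(base, "link"))
    return {
        "plain_file": resolve_in(base, "model.zip") is not None,
        "dotdot_escape": resolve_in(base, "../data_evil/x") is not None,
        "symlink_escape": resolve_in(base, "link/x") is not None,
        "naive_accepts_sibling": is_within_naive(base, sibling),
        "strict_accepts_sibling": is_within(base, sibling),
    }
```

The naive variant is included only to show why the comparison must be component-based; the guard to use is `is_within`.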
TPTBusiness pushed a commit that referenced this pull request May 1, 2026
TPTBusiness added a commit that referenced this pull request May 3, 2026
- Add comment explaining torch >=2.8.0 is already safe (CVE fixed in >=2.7.1)
- Dependabot alert #33 is false positive due to missing lockfile
- No version change needed - current specification is already secure

Security Status:
- CVE-2025-2953: Fixed in torch >=2.7.1, current spec >=2.8.0 ✓
- Affects: torch.mkldnn_max_pool2d function
- Impact: Local DoS via improper resource shutdown
- Attack vector: Local (requires local access)

Note: Without a lockfile (pip-tools/uv/poetry), Dependabot cannot determine
the installed version and raises alerts based on the requirement spec alone.
TPTBusiness added a commit that referenced this pull request May 3, 2026
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
TPTBusiness added a commit that referenced this pull request May 3, 2026
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
TPTBusiness added a commit that referenced this pull request May 10, 2026
TPTBusiness added a commit that referenced this pull request May 10, 2026
TPTBusiness pushed a commit that referenced this pull request May 10, 2026
TPTBusiness added a commit that referenced this pull request May 22, 2026
TPTBusiness pushed a commit that referenced this pull request May 22, 2026