From 9ed41d9e09151bad0805b7087a1af8db4d53fd6e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 May 2026 05:20:25 +0000 Subject: [PATCH 1/2] chore(deps): bump gradio from 6.14.0 to 6.15.0 Bumps [gradio](https://github.com/gradio-app/gradio) from 6.14.0 to 6.15.0. - [Release notes](https://github.com/gradio-app/gradio/releases) - [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md) - [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.14.0...gradio@6.15.0) --- updated-dependencies: - dependency-name: gradio dependency-version: 6.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- uv.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/uv.lock b/uv.lock index e6a5c49..fdea3b1 100644 --- a/uv.lock +++ b/uv.lock @@ -180,7 +180,7 @@ requires-dist = [ { name = "fastapi", extras = ["standard"], marker = "extra == 'gemini-proxy'", specifier = ">=0.136.0" }, { name = "google-cloud-firestore", marker = "extra == 'gemini-proxy'", specifier = ">=2.27.0" }, { name = "google-genai", marker = "extra == 'gemini-proxy'", specifier = ">=1.73.1" }, - { name = "gradio", marker = "extra == 'gradio'", specifier = ">=6.12.0" }, + { name = "gradio", marker = "extra == 'gradio'", specifier = ">=6.15.0" }, { name = "httpx", specifier = ">=0.28.1" }, { name = "langfuse", marker = "extra == 'observability'", specifier = ">=4.3.1" }, { name = "lxml", marker = "extra == 'news'", specifier = ">=6.1.0" }, @@ -1476,7 +1476,7 @@ grpc = [ [[package]] name = "gradio" -version = "6.14.0" +version = "6.15.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -1508,9 +1508,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "uvicorn" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/de/bd/7d1544571de4566138e50c868b91bb79e38c998266896d38fed3d3a77898/gradio-6.14.0.tar.gz", hash = "sha256:4972ef7d01ac57472772624eb4e095767b6c8f3cd4846b7fea648e8034cda9f8", size = 36026409, upload-time = "2026-04-30T16:50:31.698Z" } +sdist = { url = "https://files.pythonhosted.org/packages/8f/7d/0f81cbbe84bcec5f1636428ea67cd7e7351c2939979cf9c89122ec2f6224/gradio-6.15.0.tar.gz", hash = "sha256:dce148292c95493990cbe358ac9f2295a11fa27bff218263e0422f004693270b", size = 36424891, upload-time = "2026-05-26T20:58:59.217Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/7e/e2/41f991b2e212b7afda3a9927676ebf8af302e5a2c632b330bd70bf2cf2c1/gradio-6.14.0-py3-none-any.whl", hash = "sha256:bb702f5ab643510d167bae54269ad6e985c2185174d388fe542cc5957f51f4fd", size = 19687959, upload-time = "2026-04-30T16:50:26.914Z" }, + { url = "https://files.pythonhosted.org/packages/19/32/410b3f58814c9fcae51d835829e7923364d347a0f62693a044047a02baad/gradio-6.15.0-py3-none-any.whl", hash = "sha256:c71bf7aeb3fd788de9a97961ae97f06bfddd6a3cc4cf1bd0bd3c62d016849fc8", size = 20091423, upload-time = "2026-05-26T20:58:55.146Z" }, ] [[package]] From 9b7bb28c340f359d3c163833f44ed249e067434f Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Thu, 28 May 2026 01:01:01 +0000 Subject: [PATCH 2/2] chore: pin fastapi<0.136.3 to fix MAL-2026-4750 fastapi 0.136.3 introduced an undocumented malicious dependency 'fastar>=0.9.0' (supply chain attack). Pin to <0.136.3 to use the safe 0.136.1 release until a clean upstream version is published. Co-authored-by: aieng-bot --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index fdea3b1..bdb8e20 100644 --- a/uv.lock +++ b/uv.lock @@ -180,7 +180,7 @@ requires-dist = [ { name = "fastapi", extras = ["standard"], marker = "extra == 'gemini-proxy'", specifier = ">=0.136.0" }, { name = "google-cloud-firestore", marker = "extra == 'gemini-proxy'", specifier = ">=2.27.0" }, { name = "google-genai", marker = "extra == 'gemini-proxy'", specifier = ">=1.73.1" }, - { name = "gradio", marker = "extra == 'gradio'", specifier = ">=6.15.0" }, + { name = "gradio", marker = "extra == 'gradio'", specifier = ">=6.12.0" }, { name = "httpx", specifier = ">=0.28.1" }, { name = "langfuse", marker = "extra == 'observability'", specifier = ">=4.3.1" }, { name = "lxml", marker = "extra == 'news'", specifier = ">=6.1.0" },