security(deps): bump python from 3.12-slim to 3.13.13-slim in /data-management/viewer/backend#596
Bumps python from 3.12-slim to 3.13.13-slim.

---
updated-dependencies:
- dependency-name: python
  dependency-version: 3.13.13-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot warnings: ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
Scanned files: none.

Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## main #596 +/- ##
==========================================
+ Coverage 65.16% 67.70% +2.53%
==========================================
Files 251 263 +12
Lines 15597 16827 +1230
Branches 2152 2290 +138
==========================================
+ Hits 10164 11392 +1228
Misses 5142 5142
- Partials 291 293 +2
This pull request uses carry forward flags.
Advisory Review Summary
Surfaces touched: docker (data-management/viewer/backend/Dockerfile)
| Package | From | To | Severity | Surface |
|---|---|---|---|---|
| python (Docker base image) | 3.12-slim | 3.13.13-slim | No advisory identifiers | docker |
python (Docker base image)
Advisory summary: The PR body contains no GHSA or CVE identifiers. Dependabot classified this as security(deps):, which typically indicates the python:3.12-slim base image layers contain CVEs fixed in the updated image. Without explicit GHSA/CVE IDs in the PR body, no specific vulnerability details can be cited — the advisory enrichment chain (GitHub Advisory API → OSV → NVD) returned no indexed records for Docker image-level vulnerabilities on this package coordinate.
Release notes highlights: Python 3.13 is a CPython feature release introducing free-threaded mode (experimental), improved error messages, and removal of some deprecated stdlib APIs. The python:3.13.13-slim tag is a patch-level update within the 3.13 series. See: (docs.python.org/redacted)
Repo-specific risk notes:
- `pyproject.toml` declares `requires-python = ">=3.12"`; Python 3.13 is within the declared compatibility range ✅
- `uv.lock` includes resolution markers for `python_full_version >= '3.14'`, confirming dependencies were resolved with cross-version flexibility ✅
- The new image digest is SHA-pinned (`sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e`), maintaining supply-chain integrity ✅
- This is a standard Debian slim image; no CUDA, GPU driver, or Isaac Sim ABI concerns apply ✅
- Isaac Sim ABI guard: not applicable (no `training/rl/` paths touched)
Validation Signal
Deterministic CI: PR Validation was in_progress:in_progress at dispatch time. Individual per-surface check runs completed:
| Check Run | Conclusion | Link |
|---|---|---|
| pr-validation-summary | ✅ success | link |
| Dataviewer Backend Pytest / Pytest Dataviewer Backend | ✅ success | link |
| Python Lint / Ruff Lint and Format Check | ✅ success | link |
| Dataviewer Frontend Tests | ⬜ skipped | link |
| Binary Integrity Check | — | Not present in check runs |
| Binary Dependency Freshness | — | Not present in check runs |
Static impact reasoning: No training/rl/ paths are touched; the Isaac Sim ABI guard is not applicable. The diff is a single-line FROM instruction change with a pinned digest — the only risk surface is Python 3.12 → 3.13 CPython behavior changes, which the passing Dataviewer Backend Pytest exercises.
Advisory verdict: COMMENT — PR_VALIDATION_CONCLUSION was in_progress:in_progress at resolver dispatch time. All completed per-surface check runs are success; no high-risk triggers fire for this standard Python slim base image bump. Maintainers may merge once the full PR Validation run concludes successfully.
Generated by AW Dependabot PR Review for issue #596
| # syntax=docker/dockerfile:1 | ||
| FROM python:3.12-slim@sha256:520153e2deb359602c9cffd84e491e3431d76e7bf95a3255c9ce9433b76ab99a AS base | ||
| FROM python:3.13.13-slim@sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e AS base |
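Review bot: the base image is now digest-pinned on the FROM line, but the `# syntax=docker/dockerfile:1` directive two lines above still pulls the BuildKit frontend by a floating tag; if the repository's policy is that every image used at build time is pinned by digest, pin that directive the same way (`# syntax=docker/dockerfile:1@sha256:<frontend digest>`). Also note the tag moves from a floating minor tag (`3.12-slim`) to an exact patch tag (`3.13.13-slim`), so future patch releases will arrive only through further Dependabot digest bumps; keep the docker ecosystem enabled for this directory so they do.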
Docker surface — Python 3.12 → 3.13.13-slim
The new digest sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e is pinned, maintaining supply-chain integrity. ✅
Python 3.13 crosses a CPython feature-release boundary. Compatibility notes:
- `pyproject.toml` declares `requires-python = ">=3.12"`; Python 3.13 is within range ✅
- `uv.lock` includes `python_full_version >= '3.14'` resolution markers, confirming multi-version flexibility ✅
- Dataviewer Backend Pytest passed against this change ✅
- No CUDA/GPU/Isaac Sim concerns; this is a standard Debian slim image ✅
No high-risk triggers apply. Standard validation: rebuild the container and smoke-run GET /health before deploying.
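As an added example (not code from this repository or from Dependabot), here is the kind of check a CI job could run so that the digest pinning praised above is enforced on every FROM line of a Dockerfile, not just on the one this PR touches. The Dockerfile text is constructed for the example; it reuses the digest from this PR and adds an unpinned stage to show what the check flags.

```python
"""Lint a Dockerfile for base images that are not pinned by sha256 digest."""
import re

# Matches: FROM [--platform=...] image[:tag][@sha256:hex] [AS name]
# Limitation: registry hosts with a port (host:5000/image) are not handled.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<image>[^\s:@]+)"
    r"(?::(?P<tag>[^\s@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: the PR's new pinned base, a stage reference, and an unpinned image.
SAMPLE_DOCKERFILE = """# syntax=docker/dockerfile:1
FROM python:3.13.13-slim@sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e AS base
FROM base AS runtime
FROM python:3.12-slim AS legacy
"""


def parse_from_lines(dockerfile: str) -> list[dict]:
    """Return one record per FROM instruction: image, tag, digest, stage, line."""
    records = []
    stages = set()
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = lineno
        # A later FROM may name an earlier stage instead of a registry image;
        # such references carry no digest and must not be reported.
        rec["is_stage_ref"] = rec["image"] in stages
        if rec["stage"]:
            stages.add(rec["stage"])
        records.append(rec)
    return records


def unpinned_bases(dockerfile: str) -> list[str]:
    """Registry base images that lack a sha256 digest (stage references exempt)."""
    return [
        f"line {r['line']}: {r['image']}:{r['tag'] or 'latest'}"
        for r in parse_from_lines(dockerfile)
        if not r["is_stage_ref"] and r["digest"] is None
    ]


if __name__ == "__main__":
    print(unpinned_bases(SAMPLE_DOCKERFILE))
```

Run against the real `data-management/viewer/backend/Dockerfile`, an empty result means every registry base image is digest-pinned; a non-empty result is the list a reviewer should ask to have pinned.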
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)