Bump the uv group across 1 directory with 3 updates

[dependabot]

Bumps the uv group with 3 updates in the /backend directory: cryptography, pypdf and torch.

Updates cryptography from 46.0.7 to 48.0.1

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.
.. _v48-0-0:
48.0.0 - 2026-05-04

• BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed. cryptography now requires Python 3.9 or later.

• BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner TBSCertList.signature algorithm does not match the outer signatureAlgorithm now raises ValueError. Previously, such CRLs were parsed successfully and only rejected during signature validation.

• Added support for :doc:/hazmat/primitives/asymmetric/mlkem and :doc:/hazmat/primitives/asymmetric/mldsa when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.

  • Note: Going forward, we do not guarantee that all functionality in cryptography will be available when building against OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

47.0.0 - 2026-04-24

* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
</tr></table> 

... (truncated)

Commits

• de987ce 48.0.1 version bump and changelog (#14996)
• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• Additional commits viewable in compare view

Updates pypdf from 6.12.0 to 6.13.3

Release notes

Sourced from pypdf's releases.

Version 6.13.3, 2026-06-17

What's new

Security (SEC)

• Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871) by @​stefan6419846

Performance Improvements (PI)

• Avoid per-pixel getpixel loop for 1-bit indexed images (#3854) by @​Samuel-Harris

Robustness (ROB)

• Several fixes by @​metsw24-max

Maintenance (MAINT)

• Make mypy assert messages consistent (#3849) by @​j-t-1

Full Changelog

Version 6.13.2, 2026-06-10

What's new

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847) by @​fredericoschardong

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841) by @​joszamama
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832) by @​metsw24-max

Full Changelog

Version 6.13.1, 2026-06-08

What's new

Security (SEC)

• Prevent infinite loops when processing threads/articles (#3839) by @​stefan6419846

Full Changelog

Version 6.13.0, 2026-06-05

What's new

Security (SEC)

• Avoid infinite loops for outlines and text extraction (#3830) by @​stefan6419846

New Features (ENH)

• Add Japanese predefined CMaps (#3800) by @​yasuhiroiwaki
• Font: Collect all character widths, not only those that can be unicode mapped (#3798) by @​PJBrs

Robustness (ROB)

• Recover a corrupt trailing startxref pointer (closes #3238) (#3826) by @​gaoflow
• Handle /Pages node without /Kids during flattening (#3825) by @​gaoflow

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.13.3, 2026-06-17

Security (SEC)

• Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)

Performance Improvements (PI)

• Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)

Robustness (ROB)

• Several fixes

Maintenance (MAINT)

• Make mypy assert messages consistent (#3849)

Full Changelog

Version 6.13.2, 2026-06-10

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)

Full Changelog

Version 6.13.1, 2026-06-08

Security (SEC)

• Prevent infinite loops when processing threads/articles (#3839)

Full Changelog

Version 6.13.0, 2026-06-05

Security (SEC)

• Avoid infinite loops for outlines and text extraction (#3830)

New Features (ENH)

• Add Japanese predefined CMaps (#3800)
• Font: Collect all character widths, not only those that can be unicode mapped (#3798)

Robustness (ROB)

• Recover a corrupt trailing startxref pointer (closes #3238) (#3826)
• Handle /Pages node without /Kids during flattening (#3825)
• Accept inline image EI marker at the end of a content stream (#3827)

Maintenance (MAINT)

• Type the always-raising deprecation helpers as NoReturn (#3819)

... (truncated)

Commits

• 9aa05e7 REL: 6.13.3
• bbd083d SEC: Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
• d5cd266 ROB: Guard text operators against missing operands in extract_text (#3861)
• 82f1f90 ROB: Tolerate malformed /Limits in index2label (#3858)
• 0276a6f PI: Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
• 41a9c3c MAINT: Make mypy assert messages consistent (#3849)
• d1bba60 MAINT: Increase readability of PdfDocCommon (#3834)
• 53b6fbc DEV: Bump codecov/codecov-action from 6.0.1 to 7.0.0 (#3859)
• e07c223 MAINT: Enforce G004 (no f-strings in logging) (#3845)
• 5270f76 ROB: Guard zero unitsPerEm in from_truetype_font_file (#3846)
• Additional commits viewable in compare view

Updates torch from 2.10.0 to 2.12.1

Release notes

Sourced from torch's releases.

PyTorch 2.12.1 Release, bug fix release

This release is meant to fix the following regressions and silent correctness issues:

Regression fixes

• Fix nondeterministic outputs in test_batch_invariance with FLASH_ATTN on NVIDIA B200 GPUs (#181248), fixed by updating Triton to 3.7.1 (#186814)
• Fix illegal memory access in the Triton convolution2d_bwd_weight kernel on B100/B200 (sm100) GPUs (#187081), fixed by updating Triton to 3.7.1 (#186814)
• Fix fill_ on byte-dtype views with misaligned storage offset (#186821)

Releng / Build

• Drop CPython 3.13t from the binary build matrix (#182951)

PyTorch 2.12.0 Release Notes

• Highlights
• Backwards Incompatible Changes
• Deprecations
• New Features
• Improvements
• Bug fixes
• Performance
• Documentation
• Developers
• Security

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Backwards Incompatible Changes

Build Frontend

• Strengthened SVE compile checks in FindARM.cmake, which may reject previously accepted but incorrect SVE configurations (#176646)

  Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.

• Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (#178925)

  Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure CUDA_HOME points to that installation.

  Version 2.11:

  CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop

... (truncated)

Commits

• 7269437 Update triton to 3.7.1 release (#186814)
• 88f16c2 [MPS] Fix fill_ on byte-dtype views with misaligned storage offset (#186821)
• ccf6e67 [release-only] Update version to 2.12.1 (#186813)
• 88a6dc7 Revive CUDA 12.9 nightly binary builds (#186015)
• ded5505 [CD] Drop CPython 3.13t from binary build matrix (#182951) (#186654)
• 0d62256 [release] Dockerfile: skip torchaudio install when CUDA_PATH=cu132 (#183346)
• 7661cd9 [MPS] Fix SDPA wrong output for permuted q/k/v with B > 1 (#181886)
• 9da6087 Fix stale PYTORCH_RELEASES_CODE_CC dict (fixes #182250) (#182369)
• e4c37cc Avoid raw stream name collisions in Inductor (#182178)
• 822d047 [MPS] Fix bool mask handling in 1-pass SDPA decode kernel (#182285) (#182311)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pycon	Error		Jun 18, 2026 9:50pm