security(deps): Bump the python-runtime group with 4 updates #53

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/python-runtime-3b6e04775f

dependabot[bot] commented on behalf of github on Jun 1, 2026

Updates the requirements on pyarrow, huggingface-hub, sse-starlette and plotly to permit the latest version.
Updates pyarrow to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Commits
  • 31b4b6c MINOR: [Release] Update versions for 24.0.0
  • 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
  • a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
  • 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
  • a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
  • 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
  • f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
  • fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
  • 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
  • 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
  • Additional commits viewable in compare view

Updates huggingface-hub to 1.17.0

Release notes

Sourced from huggingface-hub's releases.

[v1.17.0] Cross-repo copies, ssh to Spaces, smarter CLI tables

📋 Copy files between repositories

You can now copy files or entire folders between different repositories on the Hub — model to model, model to dataset, any combination — without downloading or re-uploading data. CommitOperationCopy accepts src_repo_id and src_repo_type for cross-repo sources, and LFS blobs are deduplicated server-side via the /lfs-files/duplicate endpoint. Non-LFS files are fetched from the source repo and committed as regular payloads. copy_files and hf buckets cp now support repo-to-repo in addition to the existing bucket destinations.

>>> from huggingface_hub import copy_files
# Copy an entire folder
>>> copy_files(
...     "hf://datasets/username/source-dataset/data/",
...     "hf://datasets/username/target-dataset/data/",
... )

📚 Documentation: Upload guide — Copy files between repositories

🖥️ SSH into a Space with hf spaces ssh

A new hf spaces ssh command opens an SSH session directly into a Space's Dev Mode container. If Dev Mode is not enabled yet, the CLI prompts you to enable it. You can also use --dry-run to print the SSH command without running it, or -i to forward a specific key. Your SSH public key must be registered in your HF user settings.

# SSH into a Space
$ hf spaces ssh username/my-space
# Print the SSH command without running it
$ hf spaces ssh username/my-space --dry-run

📚 Documentation: CLI guide — SSH into a Space | Spaces guide — SSH into a Space

📂 List all your repos with hf repos ls

A new hf repos ls command lists all your repositories — models, datasets, spaces, and buckets — with storage size and percentage of namespace total, sorted by storage usage. It supports --type, --search, --namespace, and --limit (default 30, --limit 0 for all), plus the standard --format family.

# List all your repos
$ hf repos ls
# List all datasets under org with JSON output
$ hf repos ls --namespace my-org --type dataset --limit 0 --format json | jq '.[].id'

📚 Documentation: CLI guide — List repos | Repository guide — List your repositories

... (truncated)

Commits
  • b529493 Release: v1.17.0
  • e2f95ef Release: v1.17.0.rc0
  • 06d2a3f [CLI] Add hf repos ls command (#4283)
  • 714044e [Docs] Document missing parameters in lfs, hf_file_system, and repocard_data ...
  • 5e8e940 [CLI] Auto right-align numeric columns in human table output (#4288)
  • bb09fa4 [Copy] Support cross-repo file copies (#4203)
  • b17ab0c [CLI] Drop legacy printing helpers from _cli_utils.py (#4285)
  • 5c7920e [CLI] Migrate hf lfs-enable-largefiles, hf extensions, hf version to `o...
  • ffc07b6 [Jobs] Decouple Job hardware from Spaces, auto-sync enums with Hub API (#4266)
  • c06e976 [CLI] Auto-fit human tables to terminal width (#4251)
  • Additional commits viewable in compare view

Updates sse-starlette to 3.4.4

Release notes

Sourced from sse-starlette's releases.

v3.4.4

Full Changelog: sysid/sse-starlette@v3.4.3...v3.4.4

Commits
  • e093395 Bump version to 3.4.4
  • a6799e1 new release workflow
  • d033a97 Bump version to 3.4.3
  • 6a34c6a Merge pull request #186 from sysid/dependabot/uv/urllib3-2.7.0
  • e0be426 chore(deps): bump urllib3 from 2.6.3 to 2.7.0
  • d8d43ab Merge pull request #185 from sysid/dependabot/uv/granian-2.7.4
  • 5854ac0 chore(deps): bump granian from 2.6.0 to 2.7.4
  • 1d56ff3 Bump version to 3.4.2
  • 8387e11 update pyproject.toml
  • c9bf688 Bump version to 3.4.1
  • Additional commits viewable in compare view

Updates plotly to 6.7.0

Release notes

Sourced from plotly's releases.

v6.7.0

Added

  • Add facet_row support to px.imshow for creating subplots along an additional dimension [#5445], with thanks to @​FBumann for the contribution!

Fixed

  • Update numpy.percentile syntax to stop using deprecated alias [#5483], with thanks to @​Mr-Neutr0n for the contribution!
    • numpy with a version less than 1.22 is no longer supported.
  • Handle empty px.histogram by skipping None label in hover template [#5535], with thanks to @​tysoncung for the contribution!

Updated

  • Update plotly.js from version 3.4.0 to version 3.5.0. See the plotly.js release notes for more information. [#5565]. Notable changes include:
    • Add hoveranywhere and clickanywhere layout attributes to enable emitting hover and click events anywhere in the plot area, not just over traces [#7707]
    • Add displayNotifier configuration property to set the display of notifier in the top right area of the viewport [#7730]
    • Update USA location lookup for scattergeo and choropleth traces to use both location names and abbreviations [#7731]

Changelog

Sourced from plotly's changelog.

[6.7.0] - 2026-04-09

Added

  • Add facet_row support to px.imshow for creating subplots along an additional dimension [#5445], with thanks to @​FBumann for the contribution!

Fixed

  • Update numpy.percentile syntax to stop using deprecated alias [#5483], with thanks to @​Mr-Neutr0n for the contribution!
    • numpy with a version less than 1.22 is no longer supported.
  • Handle empty px.histogram by skipping None label in hover template [#5535], with thanks to @​tysoncung for the contribution!

Updated

  • Update plotly.js from version 3.4.0 to version 3.5.0. See the plotly.js release notes for more information. [#5565]. Notable changes include:
    • Add hoveranywhere and clickanywhere layout attributes to enable emitting hover and click events anywhere in the plot area, not just over traces [#7707]
    • Add displayNotifier configuration property to set the display of notifier in the top right area of the viewport [#7730]
    • Update USA location lookup for scattergeo and choropleth traces to use both location names and abbreviations [#7731]

[6.6.0] - 2026-03-02

Fixed

  • Remove unneeded type="text/javascript" attribute from <style> tag [#5454], with thanks to @​hannob for the contribution!
  • Remove global warning format side effect [#5481], with thanks to @​emmanuel-ferdman for the contribution!
  • Fix spurious engine deprecation warning in write_image [#5517], with thanks to @​mosh3eb for the contribution!

Updated

  • Update plotly.js from version 3.3.1 to version 3.4.0. See the plotly.js release notes for more information. [#5527]. Notable changes include:
    • Add support for clicking legend titles to toggle visibility of all traces in legend [#7698]
    • Add support for shapes to reference multiple axes [#7666]
    • Add support for dashed marker lines in scatter plots [#7673]
    • Increase axis autorange when bar charts have outside text labels, to avoid labels being clipped [#7675]

[6.5.2] - 2026-01-14

Fixed

  • Fix issue where pie trace legend, showlegend attributes don't accept array values [#5464 and #5465], with thanks to @​my-tien for the contribution!

[6.5.1] - 2026-01-07

Fixed

  • Fix issue where Plotly Express ignored trace-specific color sequences defined in templates via template.data.<trace_type> [#5437], with thanks to @​antonymilne for the contribution!

Updated

  • Speed up validate_gantt function [#5386], with thanks to @​misrasaurabh1 for the contribution!
  • Update plotly.js from version 3.3.0 to version 3.3.1. See the plotly.js release notes for more information. [#5456]. Notable changes include:
    • Add support for arrays for the pie properties showlegend and legend, so that these can be configured per slice. [#7580]

[6.5.0] - 2025-11-17

Updated

  • Update plotly.js from version 3.2.0 to version 3.3.0. See the plotly.js release notes for more information. [#5421]. Notable changes include:
    • Add hovertemplate for candlestick and ohlc traces [#7619]

... (truncated)

Commits
  • 1a2065a Add missing attributions
  • 8422e17 Add missing octothorpes
  • fa9116f Update Jupyter Lab extension files
  • c771ad5 Version changes for v6.7.0
  • 067b954 Merge pull request #5565 from plotly/cam/update-plotly.js-v3.5.0
  • 1b7de49 Update Jupyter support files
  • d605d3e chore: Update plotly.js to v3.5.0
  • 600f865 Merge pull request #5541 from plotly/migrate-to-gh-actions
  • 10c7c56 Merge pull request #5518 from mosh3eb/fix/broken-license-link-readme
  • ea813dd Merge branch 'main' into fix/broken-license-link-readme
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Updates the requirements on [pyarrow](https://github.com/apache/arrow), [huggingface-hub](https://github.com/huggingface/huggingface_hub), [sse-starlette](https://github.com/sysid/sse-starlette) and [plotly](https://github.com/plotly/plotly.py) to permit the latest version.

Updates `pyarrow` to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@go/v17.0.0...apache-arrow-24.0.0)

Updates `huggingface-hub` to 1.17.0
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v0.20.0...v1.17.0)

Updates `sse-starlette` to 3.4.4
- [Release notes](https://github.com/sysid/sse-starlette/releases)
- [Commits](sysid/sse-starlette@v2.0.0...v3.4.4)

Updates `plotly` to 6.7.0
- [Release notes](https://github.com/plotly/plotly.py/releases)
- [Changelog](https://github.com/plotly/plotly.py/blob/main/CHANGELOG.md)
- [Commits](plotly/plotly.py@v5.0.0...v6.7.0)

---
updated-dependencies:
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:production
  dependency-group: python-runtime
- dependency-name: huggingface-hub
  dependency-version: 1.17.0
  dependency-type: direct:production
  dependency-group: python-runtime
- dependency-name: sse-starlette
  dependency-version: 3.4.4
  dependency-type: direct:production
  dependency-group: python-runtime
- dependency-name: plotly
  dependency-version: 6.7.0
  dependency-type: direct:production
  dependency-group: python-runtime
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] commented on behalf of github on Jun 1, 2026

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot[bot] requested a review from eddmpython as a code owner on June 1, 2026 00:33