build(deps): bump the uv group across 1 directory with 5 updates #26

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/benchmark/uv-515bedcb67
dependabot bot commented on behalf of github on Mar 25, 2026

Bumps the uv group with 4 updates in the /benchmark directory: cbor2, gradio, pypdf and vllm.

Updates cbor2 from 5.8.0 to 5.9.0

Release notes

Sourced from cbor2's releases.

5.9.0

  • Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)
  • Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#275; PR by @andreer)
  • Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)
  • Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#287)
  • Fixed two reference/memory leaks in the C extension's long string decoder (#290 PR by @killiancowan82)
  • Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @andreer)
Commits
  • 93c5988 Bumped up the version
  • d903d62 Updated the max_depth default value in the C function signature
  • 2b53b28 Stack allocate small strings (#270)
  • a7ac10d Upped the max_depth value to 400
  • 54c8ed5 Fixed reference/memory leaks in decode_definite_long_string (#290)
  • a8d92dc [pre-commit.ci] pre-commit autoupdate (#289)
  • c91aa00 [pre-commit.ci] pre-commit autoupdate (#288)
  • 53521e7 Fixed ssize_t to Py_ssize_t
  • 94e0d21 Added missing Python counterpart for max_depth
  • bcb6cea Added the max_depth decoder parameter
  • Additional commits viewable in compare view

Updates gradio from 5.49.1 to 6.7.0

Changelog

Sourced from gradio's changelog.

6.7.0

Features

Fixes

6.6.0

Features

Fixes

6.5.1

... (truncated)

Commits
  • 8b03393 chore: update versions (#12902)
  • c4b92e2 Fix skill generation check (#12931)
  • 978bc6e Add server functions support to gr.HTML (#12929)
  • 7c3fa2a Fix Loading Spinner Issue Caused by Events Targeting Components In Inactive T...
  • 6011b00 Fix absolute path issue in Windows (#12926)
  • e29e1cc Add Space-specific skill generation to gradio skills add (#12918)
  • 81482b5 Lazy load sub-tab and accordion components (#12906)
  • ccff8b8 Walkthrough Selected Bug (#12925)
  • dcfc429 Fix Button component ignoring scale parameter (#12911)
  • a0fff5c Add push_to_hub method to gr.HTML. Add a gallery to view notable custom HTML ...
  • Additional commits viewable in compare view

Updates pypdf from 6.9.1 to 6.9.2

Release notes

Sourced from pypdf's releases.

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

Robustness (ROB)

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.9.2, 2026-03-23

Security (SEC)

  • Avoid infinite loop in read_from_stream for broken files (#3693)

Robustness (ROB)

  • Resolve UnboundLocalError for xobjs in _get_image (#3684)

Full Changelog

Commits

Updates vllm from 0.11.0 to 0.14.1

Release notes

Sourced from vllm's releases.

v0.14.1

This is a patch release on top of v0.14.0 to address a few security and memory leak fixes.

v0.14.0

Highlights

This release features approximately 660 commits from 251 contributors (86 new contributors).

Breaking Changes:

  • Async scheduling is now enabled by default - Users who experience issues can disable with --no-async-scheduling.
    • Excludes some not-yet-supported configurations: pipeline parallel, CPU backend, non-MTP/Eagle spec decoding.
  • PyTorch 2.9.1 is now required and the default wheel is compiled against cu129.
  • Deprecated quantization schemes have been removed (#31688, #31285).
  • When using speculative decoding, unsupported sampling parameters will fail rather than being silently ignored (#31982).

Key Improvements:

  • Async scheduling enabled by default (#27614): Overlaps engine core scheduling with GPU execution, improving throughput without user configuration. Now also works with speculative decoding (#31998) and structured outputs (#29821).
  • gRPC server entrypoint (#30190): Alternative to REST API with binary protocol, HTTP/2 multiplexing.
  • --max-model-len auto (#29431): Automatically fits context length to available GPU memory, eliminating OOM startup failures.
  • Model inspection view (#29450): View the modules, attention backends, and quantization of your model in vLLM by specifying VLLM_LOG_MODEL_INSPECTION=1 or by simply printing the LLM object.
  • Model Runner V2 enhancements: UVA block tables (#31965), M-RoPE (#32143), logit_bias/allowed_token_ids/min_tokens support (#32163).
    • Please note that Model Runner V2 is still experimental and disabled by default.

Model Support

New Model Architectures:

LoRA Support Expansion:

Model Enhancements:

  • Qwen3-VL as reranker (#31890)
  • DeepSeek v3.2 chat prefix completion (#31147)
  • GLM-4.5/GLM-4.7 enable_thinking: false (#31788)
  • Ernie4.5-VL video timestamps (#31274)
  • Score template expansion (#31335)
  • LLaMa4 vision encoder compilation (#30709)

... (truncated)

Commits
  • d7de043 [CI] fix version comparison and exclusion patterns in upload-release-wheels.s...
  • 4dc11b0 [Bugfix] Fix Whisper/encoder-decoder GPU memory leak (#32789)
  • 2bd95d8 [Misc] Bump opencv-python dependency version to 4.13 (#32668)
  • f46d576 [Misc] Replace urllib's urlparse with urllib3's parse_url (#32746)
  • d682094 [build] fix cu130 related release pipeline steps and publish as nightly image...
  • b17039b [CI] Implement uploading to PyPI and GitHub in the release pipeline, enable r...
  • 48b67ba [Frontend] Standardize use of create_error_response (#32319)
  • 09f4264 [Bugfix] Fix ROCm dockerfiles (#32447)
  • 7f42dc2 [CI] Fix LM Eval Large Models (H100) (#32423)
  • c2a37a3 Cherry pick [ROCm] [CI] [Release] Rocm wheel pipeline with sccache #32264
  • Additional commits viewable in compare view

Updates xgrammar from 0.1.25 to 0.1.21

Commits

Bumps the uv group with 4 updates in the /benchmark directory: [cbor2](https://github.com/agronholm/cbor2), [gradio](https://github.com/gradio-app/gradio), [pypdf](https://github.com/py-pdf/pypdf) and [vllm](https://github.com/vllm-project/vllm).


Updates `cbor2` from 5.8.0 to 5.9.0
- [Release notes](https://github.com/agronholm/cbor2/releases)
- [Commits](agronholm/cbor2@5.8.0...5.9.0)

Updates `gradio` from 5.49.1 to 6.7.0
- [Release notes](https://github.com/gradio-app/gradio/releases)
- [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gradio-app/gradio/compare/gradio@5.49.1...gradio@6.7.0)

Updates `pypdf` from 6.9.1 to 6.9.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.9.1...6.9.2)

Updates `vllm` from 0.11.0 to 0.14.1
- [Release notes](https://github.com/vllm-project/vllm/releases)
- [Changelog](https://github.com/vllm-project/vllm/blob/main/RELEASE.md)
- [Commits](vllm-project/vllm@v0.11.0...v0.14.1)

Updates `xgrammar` from 0.1.25 to 0.1.21
- [Release notes](https://github.com/mlc-ai/xgrammar/releases)
- [Commits](mlc-ai/xgrammar@v0.1.25...v0.1.21)

---
updated-dependencies:
- dependency-name: cbor2
  dependency-version: 5.9.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: gradio
  dependency-version: 6.7.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.9.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: vllm
  dependency-version: 0.14.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: xgrammar
  dependency-version: 0.1.21
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and python:uv labels on Mar 25, 2026