build(deps): bump the dependencies group with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates:

Package	From	To
numpy	2.4.4	2.4.5
transformers	5.8.0	5.8.1
ruff	0.15.12	0.15.13
huggingface-hub	1.14.0	1.15.0
idna	3.13	3.15
regex	2026.4.4	2026.5.9

Updates numpy from 2.4.4 to 2.4.5

Release notes

Sourced from numpy's releases.

v2.4.5 (May 15, 2026)

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4 release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Aleksei Nikiforov
• Anarion Zuo +
• Ankit Ahlawat
• Breno Favaretto +
• Charles Harris
• Igor Krivenko +
• Ijtihed Kilani +
• Joren Hammudoglu
• Maarten Baert +
• Matti Picus
• Nathan Goldbaum
• Praneeth Kodumagulla +
• Ralf Gommers
• RoomWithOutRoof +
• Sebastian Berg
• Warren Weckesser
• div +

Pull requests merged

A total of 28 pull requests were merged for this release.

• #31093: MAINT: Prepare 2.4.x for further development
• #31182: TYP: fix np.shape assignability issue for python lists (#31171)
• #31197: ENH: Return rank 0 for empty matrices in matrix_rank (#30422)
• #31198: CI/BUG: add native jobs for s390x, fix bug in pack_inner...
• #31199: BUG: f2py map complex_long_double to NPY_CLONGDOUBLE
• #31205: MAINT: f2py: Stop setting re._MAXCACHE to 50.
• #31206: BUG: fix heap buffer overflow in timedelta to string casts
• #31207: MAINT: Rename ppc64le and s390x workflow (#31121)
• #31208: BUG: Fix matvec/vecmat in-place aliasing (out=input produces...
• #31209: TYP: tile: accept numpy scalars and arrays as second argument...
• #31211: DEP: Undo deprecation for np.dtype() signature used by old pickles...
• #31212: REV: Manual revert of float16 svml use (#31178)
• #31222: TYP: ix_ fix for boolean and non-1d input (#31218)
• #31329: BUG: incorrect temp elision for new-style (NEP 43) user-defined...
• #31330: TYP: fix sliding_window_view axis parameter typing

... (truncated)

Commits

• 26e8185 Merge pull request #31441 from charris/prepare-2.4.5
• 573110c REL: Prepare for the NumPy 2.4.5 release.
• be6123a Merge pull request #31426 from jorenham/backport-31425
• a286f52 TYP: Fix DTypeLike runtime type-checker support
• f880727 Merge pull request #31404 from charris/backport-31399
• 626d469 Merge pull request #31402 from charris/backport-31397
• a42bd48 Merge pull request #31401 from charris/backport-31396
• 207ad05 TYP: _NestedSequence type parameter default to work around a mypy issue (#3...
• 309b637 BUG: exclude pycache directories from wheels (#31397)
• 8ded93c BUG: Avoid UB in safe_[add,sub,mul] helpers (#31396)
• Additional commits viewable in compare view

Updates transformers from 5.8.0 to 5.8.1

Release notes

Sourced from transformers's releases.

Patch release v5.8.1

This release is mainly to fix the Deepseek V4 integration!!!

• [fix] Add fatal_error to ContinuousBatchingManager so the serving... by @​qgallouedec, @​remi-or
• Fix WeightConverter regex incorrectly matching shared_experts as experts by @​silencelamb, @​claude
• Fix deepseek v4 by @​ArthurZucker (#45892)
• Deepseek v4 csa mask collapse by @​ArthurZucker, @​Sawyer117 (#45928)

Commits

• cc832f9 up
• f966d7b Deepseek v4 csa mask collapse (#45928)
• 283f3f0 Fix deepseek v4 (#45892)
• 4e0be9c Fix WeightConverter regex incorrectly matching shared_experts as experts in D...
• ec85262 [fix] Add fatal_error to ContinuousBatchingManager so the serving layer c...
• See full diff in compare view

Updates ruff from 0.15.12 to 0.15.13

Release notes

Sourced from ruff's releases.

0.15.13

Release Notes

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.13

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

• @​MichaReiser

... (truncated)

Commits

• 2afb467 Bump 0.15.13 (#25157)
• 3008796 [ty] classify TypeVar semantic tokens as type parameters (#24891)
• 79470e3 [isort] Avoid constructing glob::Patterns for literal known modules (#25123)
• 2522549 Remove shellcheck from prek (#25154)
• 7db7170 [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
• bb3dd53 [ty] Run full iteration analysis on narrowed typevars (#25143)
• 828cdb7 [ty] Isolate file-watching test environment (#25151)
• 89e1d86 [ty] Preserve TypedDict keys through dict unpacking (#24523)
• 86f3064 [ty] Avoid accessing args[0] for static_assert (#25149)
• ed819f9 [ty] Treat custom enum __new__ values as dynamic (#25136)
• Additional commits viewable in compare view

Updates huggingface-hub from 1.14.0 to 1.15.0

Release notes

Sourced from huggingface-hub's releases.

[v1.15.0] Region-aware buckets & repos, hf skills list, polished CLI help and more

🌍 Pick a region when creating buckets and repos

create_bucket and create_repo now accept an optional region argument ("us" or "eu") so you can pin a new bucket or repo to a specific cloud region at creation time. The same option is exposed on the CLI via a --region flag on hf buckets create and hf repos create.

>>> from huggingface_hub import create_bucket, create_repo
>>> create_bucket("my-bucket", region="us")
>>> create_repo("my-model", region="eu")

$ hf buckets create my-bucket --region us
$ hf repos create username/my-model --region eu

• [Bucket/Repo] Support 'region' option in create_bucket and create_repo by @​Wauplin in #4194

🧩 Discover marketplace skills with hf skills list

A new hf skills list (alias ls) command lists every skill available in the Hugging Face marketplace and shows whether each one is already installed in the four supported locations (project, global, project Claude, global Claude). Handy when you want to check what's installable and what you've already got before running hf skills add.

$ hf skills ls
NAME                        DESCRIPTION                         PROJECT PROJECT (CLAUDE) GLOBAL GLOBAL (CLAUDE)
--------------------------- ----------------------------------- ------- ---------------- ------ ---------------
hf-cli                      Execute Hugging Face Hub operati...     yes              yes    yes             yes                                

• [CLI] Add hf skills list command by @​Wauplin in #4180

🎨 Polished --help output with ANSI styling

hf --help and every subcommand now render with underlined section headings and bold option/command names, making the help screens much easier to scan in a terminal. The new styling is automatically disabled when NO_COLOR is set or when the CLI detects it's running under an AI agent, so script and agent output stays clean.

• [CLI] Pretty-print --help with ANSI styling by @​Wauplin in #4192

🖥️ CLI

• [CLI] Check Homebrew registry for updates when installed via brew by @​Wauplin in #4204 — hf update no longer suggests a version that isn't on brew yet for Homebrew installs.
• [CLI] No traceback on LocalEntryNotFoundError by @​Wauplin in #4190 — offline/cache-miss errors now print a clean message instead of a Python traceback (set HF_DEBUG=1 for the full stack).

🐛 Bug and typo fixes

• Make HF_HUB_ENABLE_HF_TRANSFER deprecation warning visible to users by @​Adithya191101 in #4220
• Fix hint message to use 'hf skills update' by @​Pierrci in #4206

📖 Documentation

• [docs] Drop duplicated Key Features list from hf jobs CLI section by @​davanstrien in #4222

... (truncated)

Commits

• bb6d939 Release: v1.15.0
• 69413ea Release: v1.15.0.rc0
• dee4964 Make HF_HUB_ENABLE_HF_TRANSFER deprecation warning visible to users (#4220)
• 7023faf [docs] Drop duplicated Key Features list from hf jobs CLI section (#4222)
• 1f57da2 Only sync skill if SKILL.md has changed (#4210)
• 9c05199 Fix hint message to use 'hf skills update' (#4206)
• 230c624 [CLI] No traceback on LocalEntryNotFoundError (#4190)
• 3d85543 [CLI] Add hf skills list command (#4180)
• 04195e0 [CLI] Pretty-print --help with ANSI styling (#4192)
• 0c75ef9 [CLI] Check Homebrew registry for updates when installed via brew (#4204)
• Additional commits viewable in compare view

Updates idna from 3.13 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

Updates regex from 2026.4.4 to 2026.5.9

Changelog

Sourced from regex's changelog.

Version: 2026.5.9

Reverse matching with full unicode casefolding could lead to out-of-range string indexes.

Version: 2026.4.4

A fix for older Python versions before free-threading was  supported.

Version: 2026.4.3

More fixes for free-threading.

Version: 2026.3.32

Fixed segfault.

Version: 2026.3.31

Fixed bug again.

Version: 2026.3.30

Fixed bug.

Version: 2026.3.28

Fixed version.

Version: 2026.3.27

Various fixes, including ones to improve free-threading support.

Version: 2026.2.28

Replaced atomic operations with mutex on pattern object for free-threaded Python.

Version: 2026.2.26

PR [#598](https://github.com/mrabarnett/mrab-regex/issues/598): Fix race condition in storage caching with atomic operations.
Replaced use of PyUnicode_GET_LENGTH with PyUnicode_GetLength.

Version: 2026.2.19

Added \z as alias of \Z, like in re module.
Added prefixmatch as alias of match, like in re module.

Version: 2026.1.15

... (truncated)

Commits

• e57d185 Reverse matching with full unicode casefolding lead to out-of-range string in...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.