Bump the tensorflow group across 1 directory with 3 updates

[dependabot]

Bumps the tensorflow group with 3 updates in the /tensorflow directory: jupyterhub, pillow and numpy.

Updates jupyterhub from 5.3.0 to 5.4.1

Commits

• 1d4c33b Bump to 5.4.1
• 89ef91b disable announcement in tagged release
• a439dc5 Merge pull request #5172 from minrk/541
• a0785ed last changes in 5.4.1 changelog
• c1fbdf3 Merge pull request #5176 from minrk/test-314
• fb2aed8 add 416 to upgrade dbs
• 70b86eb make sure now method is declared staticmethod
• 1f8465e add 4.1.6 to upgrade test
• 2f4f5ac skip old hub db upgrade test for too-new Python
• 0d908da test with 3.14 (and 3.14t)
• Additional commits viewable in compare view

Updates pillow from 11.3.0 to 12.0.0

Release notes

Sourced from pillow's releases.

12.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.0.0.html

Removals

• Remove support for FreeType <= 2.9.0 #9159 [@​radarhere]
• Drop support for Python 3.9 #9119 [@​hugovk]
• Remove deprecations for Pillow 12.0.0 #9053 [@​radarhere]

Deprecations

• Deprecate Image._show #9186 [@​radarhere]
• Deprecate ImageCmsProfile product_name and product_info #8995 [@​lukegb]

Documentation

• ImagingHistogramInstance can use two bands #9251 [@​radarhere]
• Update 12.0.0 release notes #9247 [@​hugovk]
• Added ImageDraw alpha channel examples #9201 [@​radarhere]
• Update Python version #9230 [@​radarhere]
• Updated macOS tested Pillow versions #9209 [@​radarhere]
• Add GitHub profile link to release notes #9197 [@​radarhere]
• Split versionadded info #9190 [@​radarhere]
• Document ImageFile.MAXBLOCK #9163 [@​radarhere]
• Updated macOS version in CI targets #9157 [@​radarhere]
• Fix typos #9135 [@​radarhere]
• Added "Colors" to concepts #9067 [@​radarhere]
• Update macOS tested Pillow versions #9068 [@​radarhere]
• Thanks, folks! #9056 [@​aclark4life]
• Setup nit: "fork" should be lowercased #9055 [@​aclark4life]

Dependencies

• Update dependency cibuildwheel to v3.2.1 #9246 [@renovate[bot]]
• [pre-commit.ci] pre-commit autoupdate #9233 [@pre-commit-ci[bot]]
• Update harfbuzz to 12.1.0 #9218 [@​radarhere]
• Update libtiff to 4.7.1 #9222 [@​radarhere]
• Update FreeType to 2.14.1 on macOS and Linux wheels #9217 [@​radarhere]
• Update dependency cibuildwheel to v3.2.0 #9219 [@renovate[bot]]
• Update Ghostscript to 10.6.0 #9202 [@​radarhere]
• Update openjpeg to 2.5.4 #9215 [@​radarhere]
• Update harfbuzz to 11.5.0 #9203 [@​radarhere]
• Update dependency mypy to v1.18.2 #9213 [@renovate[bot]]
• Update dependency mypy to v1.18.1 #9207 [@renovate[bot]]
• Update github-actions #9194 [@renovate[bot]]
• Updated harfbuzz to 11.4.5 #9150 [@​radarhere]
• Update zlib-ng to 2.2.5 #9140 [@​radarhere]
• Update raqm to 0.10.3 #9137 [@​radarhere]
• Update libjpeg-turbo to 3.1.2 #9188 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #9180 [@pre-commit-ci[bot]]

... (truncated)

Commits

• 693df7b 12.0.0 version bump
• d175bb8 Use macos-14 for iOS arm64 simulator (#9258)
• 592b2f8 Revert "Use macos-latest for iOS arm64 simulator"
• 5dddb2c Use enums for Modes and RawModes in C (#9256)
• e7b72a3 Add ImageText (#9098)
• 864d4b6 Shift bits before making value negative (#9255)
• 994a9de Install arro3 dependencies when type checking (#9254)
• d5e1601 Improved documentation
• e533ccc Merge branch 'main' into imagetext
• 95a85dc Use snake case
• Additional commits viewable in compare view

Updates numpy from 2.2.4 to 2.3.4

Release notes

Sourced from numpy's releases.

v2.3.4 (Oct 15, 2025)

NumPy 2.3.4 Release Notes

The NumPy 2.3.4 release is a patch release split between a number of maintenance updates and bug fixes. This release supports Python versions 3.11-3.14. This release is based on Python 3.14.0 final.

Changes

The npymath and npyrandom libraries now have a .lib rather than a .a file extension on win-arm64, for compatibility for building with MSVC and setuptools. Please note that using these static libraries is discouraged and for existing projects using it, it's best to use it with a matching compiler toolchain, which is clang-cl on Windows on Arm.

(gh-29750)

Contributors

A total of 17 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• !DWesl
• Charles Harris
• Christian Barbia +
• Evgeni Burovski
• Joren Hammudoglu
• Maaz +
• Mateusz Sokół
• Matti Picus
• Nathan Goldbaum
• Ralf Gommers
• Riku Sakamoto +
• Sandeep Gupta +
• Sayed Awad
• Sebastian Berg
• Sergey Fedorov +
• Warren Weckesser
• dependabot[bot]

Pull requests merged

A total of 30 pull requests were merged for this release.

• #29725: MAINT: Prepare 2.3.x for further development
• #29781: MAINT: Pin some upstream dependences
• #29782: BLD: enable x86-simd-sort to build on KNL with -mavx512f
• #29783: BUG: Include python-including headers first (#29281)
• #29784: TYP: fix np.number and np.*integer method declaration
• #29785: TYP: mypy 1.18.1

... (truncated)

Commits

• 1458b9e REL: Prepare for the NumPy 2.3.4 release (#29955)
• 7583bed Merge pull request #29950 from charris/backport-29885
• 3186751 Merge pull request #29949 from charris/backport-29948
• 7fd2ad9 STY: rename @classmethod arg to cls
• fe8447d MAINT: Simplify string arena growth strategy (#29885)
• a90f073 Merge pull request #29940 from charris/backport-29937
• 55d91ab MAINT: Bump pypa/cibuildwheel from 3.1.4 to 3.2.1
• e2f0383 Merge pull request #29926 from charris/backport-29609
• b427e83 BUG: fix negative samples generated by Wald distribution (#29609)
• 36363d6 Merge pull request #29922 from charris/backport-29914
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
pip/jupyterhub	5.4.2	🟢 6.1	Details Check Score Reason Code-Review 🟢 5 Found 6/12 approved changesets -- score normalized to 5 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 33 existing vulnerabilities detected
pip/pillow	12.0.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 15/18 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 9 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 13 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
pip/numpy	2.3.4	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 9 security policy file detected CI-Tests 🟢 10 15 out of 15 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 101 contributing companies or organizations
pip/pillow	12.0.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 15/18 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 9 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 13 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches

Scanned Files

• tensorflow/jupyter-requirements.txt
• tensorflow/requirements.txt
• tensorflow/serving/requirements.txt