@dependabot dependabot bot commented on behalf of github Jan 7, 2026

Bumps bokeh from 2.4.3 to 3.8.2.

Changelog

Sourced from bokeh's changelog.

2026-01-06 3.8.2:

  • bugfixes:

    • #14768 [component: server] Incomplete Origin Validation in WebSockets in Bokeh server applications
  • tasks:

2025-11-07 3.8.1:

  • bugfixes:

    • #14618 [component: docs] Local documentation build fails with Extension error (sphinxext.opengraph)
    • #14626 [component: docs] Local documentation fails on Windows because of missing svg icons
    • #14651 [component: bokehjs] HoverTool parameter @$name for stacked bar chart not working in version 3.8.0
  • tasks:

2025-08-29 3.8:

  • bugfixes:
    • #12430 [component: bokehjs] [BUG] Step glyphs do not support linked brushing
    • #12994 [component: bokehjs] [BUG] Patch does not output under certain conditions
    • #13616 [component: bokehjs] [BUG] DateRangePicker value does not reflect value in browser when selection is aborted
    • #14334 js_on_change not firing when range is updated in range tool
    • #14352 [component: bokehjs] Log Axis and Range1d < 1 failing
    • #14383 [component: bokehjs] SerializationError: circular reference When Passing List of Renderers to CustomJS Callbacks, but not when passing renderers separately.
    • #14396 [component: examples] Remove context from time of day in span example
    • #14399 Bad typings for list_attr_splat (e.g. Plot.axis)
    • #14413 [component: bokehjs] ValueRef formatter does not handle datetime nullable well
    • #14420 [component: bokehjs] Enhance performance of WebGL multi_marker
    • #14422 [component: bokehjs] Legend renderer not correctly positioned when saved with SaveTool
    • #14424 [component: bokehjs] Patches with no data does not show plot with Bokeh 3.7+
    • #14458 [component: bokehjs] Removing and re-adding DOM nodes causes React problems
    • #14461 [component: tests] The regression test for issue #14207 is unreliable
    • #14468 [component: docs] Try on CodePen link does not work in documentation /docs/user_guide/advanced/bokehjs.html
    • #14469 [component: bokehjs] Canvas2D: Multiple readback operations using getImageData are faster with the willReadFrequently attribute set to true
    • #14476 Improve handling of pd.NA in Property.matches
    • #14497 mypy 1.15.0 fails in CI but not locally
    • #14499 [component: docs] IndexError on importing bokeh.sphinxext.bokeh_plot
    • #14520 [component: bokehjs] BokehJS complains about categorical factors for the BoxAnnotation widget
    • #14536 Flex layouts need to apply min_width and min_height selectively
    • #14540 [component: tests] Tests are failing on Windows and Python 3.10 after PR #14531
    • #14541 New SVG icons have inconsistent line widths
    • #14554 Add support for scalar uint32 color input.
    • #14565 [component: bokehjs] DataTable source update broken
    • #14574 [component: build] grammar build script failing with whitespace in path
    • #14597 [component: bokehjs] document_ready event triggers twice with Bokeh 3.4.0.dev4
    • #14602 [component: bokehjs] Layoutable components in side panels don't appear in exported images
    • #14620 Re-connect race condition on page reload

... (truncated)

Commits
  • e5ce879 Deployment updates for release 3.8.2
  • 2b3ee10 Don't validate npm credentials due to OICD limitations in npm (#14769)
  • 756e3ae Migrate from NPM tokens to trusted providers for publishing in CI (#14766)
  • 2f225a1 Update dependencies in build environment (#14758)
  • 69d197c update switcher.json
  • d915c8b update to latest ruff (#14661)
  • 5f9f7b6 update release notes
  • cedd113 handle wildcard host with port correctly
  • a961ab7 small CI fixes for advisory fork merge
  • d62939a Merge commit from fork
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [bokeh](https://github.com/bokeh/bokeh) from 2.4.3 to 3.8.2.
- [Changelog](https://github.com/bokeh/bokeh/blob/3.8.2/docs/CHANGELOG)
- [Commits](bokeh/bokeh@2.4.3...3.8.2)

---
updated-dependencies:
- dependency-name: bokeh
  dependency-version: 3.8.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 7, 2026
bleach==6.1.0
# via nbconvert
bokeh==2.4.3 ; python_version < "3.12"
bokeh==3.8.2 ; python_version < "3.12"
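Review bot: the hunk moves only the compiled pin in python/requirements_compiled.txt from bokeh==2.4.3 to bokeh==3.8.2 and leaves the `python_version < "3.12"` marker untouched, while the source file this is generated from, python/requirements/ml/data-requirements.txt, still pins 2.4.3; the same bump needs to land there, otherwise the next regeneration of the compiled file silently reverts to 2.4.3 and the #14768 WebSocket origin-validation fix is lost. Since 2.4.3 to 3.8.2 is a major-version jump arriving through a security PR, also confirm that the retained marker is still intended (it excludes Python 3.12+ from installing bokeh at all) and that the downstream code using bokeh is exercised by CI before merging.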

Source and compiled requirements files are inconsistent

Medium Severity

The PR updates bokeh to 3.8.2 in requirements_compiled.txt but leaves bokeh==2.4.3 in the source file python/requirements/ml/data-requirements.txt. This inconsistency means that regenerating the compiled requirements or installing from the source file directly would result in the old, vulnerable version being installed. The security fix for incomplete WebSocket origin validation (#14768) would be ineffective when using the source requirements file.

🔬 Verification Test

Test code:

# Check source requirements file
grep "bokeh" python/requirements/ml/data-requirements.txt

# Check compiled requirements file  
grep "bokeh==" python/requirements_compiled.txt

Command run:

grep "bokeh" python/requirements/ml/data-requirements.txt && grep "bokeh==" python/requirements_compiled.txt

Output:

bokeh==2.4.3; python_version < '3.12'
bokeh==3.8.2 ; python_version < "3.12"

Why this proves the bug: The output shows that the source file data-requirements.txt specifies version 2.4.3 while the compiled file specifies version 3.8.2, confirming the version mismatch between source and compiled requirements.

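As an added example (not the review bot's tooling or Ray's own scripts), a small Python check that parses `name==version` pins from a source requirements file and its compiled counterpart and reports packages whose pinned version drifted, ignoring the environment-marker spacing and quote differences visible in the grep output above. The file contents are constructed samples standing in for the two files named in the comment.

```python
import re
from typing import Dict, Tuple

# Constructed sample contents standing in for
# python/requirements/ml/data-requirements.txt and
# python/requirements_compiled.txt; not the real file contents.
SOURCE_REQUIREMENTS = """\
# ML data requirements (constructed sample)
bokeh==2.4.3; python_version < '3.12'
bleach==6.1.0
"""

COMPILED_REQUIREMENTS = """\
bleach==6.1.0
    # via nbconvert
bokeh==3.8.2 ; python_version < "3.12"
"""

# A pinned requirement: name, '==', version; stop at whitespace, ';' or '#'.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text: str) -> Dict[str, str]:
    """Map normalised project name -> pinned version for every `name==ver` line.

    Comment lines, blank lines and '# via ...' annotations are skipped.
    Environment markers after ';' are ignored on purpose, so that
    "bokeh==2.4.3; python_version < '3.12'" and
    'bokeh==3.8.2 ; python_version < "3.12"' compare on version alone.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 style
            pins[name] = m.group(2)
    return pins


def find_pin_drift(source: str, compiled: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (source_version, compiled_version)} for packages pinned
    in both files whose versions differ, i.e. a regeneration would change them."""
    src, comp = parse_pins(source), parse_pins(compiled)
    return {n: (src[n], comp[n]) for n in sorted(src) if n in comp and src[n] != comp[n]}


if __name__ == "__main__":
    for name, (s, c) in find_pin_drift(SOURCE_REQUIREMENTS, COMPILED_REQUIREMENTS).items():
        print(f"{name}: source pins {s}, compiled pins {c}")
```

Run against the real files, a non-empty result means the compiled lockfile and its source disagree and the next regeneration would undo the bump.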

@ray-gardener ray-gardener bot added tune Tune-related issues core Issues that should be addressed in Ray Core labels Jan 8, 2026

This pull request has been automatically marked as stale because it has not had
any activity for 14 days. It will be closed in another 14 days if no further activity occurs.
Thank you for your contributions.

You can always ask for help on our discussion forum or Ray's public slack channel.

If you'd like to keep this open, just leave any comment, and the stale label will be removed.

@github-actions github-actions bot added the stale The issue is stale. It will be closed within 7 days unless there are further conversation label Jan 22, 2026
