Bump the pip group across 5 directories with 21 updates

[dependabot]

Bumps the pip group with 1 update in the /apps/android_camera/models directory: tensorflow.
Bumps the pip group with 18 updates in the /apps/microtvm directory:

Package	From	To
tensorflow	2.12.0	2.12.1
numpy	1.21.3	1.22.0
tornado	6.3.3	6.4.1
onnx	1.13.0	1.16.0
black	19.10b0	24.3.0
pillow	10.2.0	10.3.0
certifi	2022.12.7	2024.7.4
django	4.1.7	4.1.13
fonttools	4.39.3	4.43.0
grpcio	1.53.0	1.53.2
idna	3.4	3.7
jinja2	3.1.2	3.1.4
requests	2.28.2	2.32.2
setuptools	67.6.1	70.0.0
sqlparse	0.4.3	0.5.0
urllib3	1.26.18	1.26.19
zipp	3.15.0	3.19.1
lxml	4.6.3	4.9.1

Bumps the pip group with 4 updates in the /apps/microtvm/cmsisnn directory: numpy, tornado, pillow and lxml.
Bumps the pip group with 4 updates in the /apps/microtvm/ethosu directory: numpy, tornado, pillow and lxml.
Bumps the pip group with 9 updates in the /docker/python directory:

Package	From	To
certifi	2022.5.18.1	2024.7.4
idna	3.3	3.7
requests	2.27.1	2.32.2
setuptools	62.3.2	70.0.0
urllib3	1.26.18	1.26.19
zipp	3.8.0	3.19.1
cleo	0.8.1	2.0.0
cryptography	41.0.6	42.0.4
pip	22.1.1	23.3

Updates tensorflow from 2.9.3 to 2.11.1

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.11.1

Release 2.11.1

Note: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.

• Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself steps. You can refer to the release notes of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.

This release also introduces several vulnerability fixes:

• Fixes an FPE in TFLite in conv kernel CVE-2023-27579
• Fixes a double free in Fractional(Max/Avg)Pool CVE-2023-25801
• Fixes a null dereference on ParallelConcat with XLA CVE-2023-25676
• Fixes a segfault in Bincount with XLA CVE-2023-25675
• Fixes an NPE in RandomShuffle with XLA enable CVE-2023-25674
• Fixes an FPE in TensorListSplit with XLA CVE-2023-25673
• Fixes segmentation fault in tfg-translate CVE-2023-25671
• Fixes an NPE in QuantizedMatMulWithBiasAndDequantize CVE-2023-25670
• Fixes an FPE in AvgPoolGrad with XLA CVE-2023-25669
• Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation CVE-2023-25668
• Fixes a segfault when opening multiframe gif CVE-2023-25667
• Fixes an NPE in SparseSparseMaximum CVE-2023-25665
• Fixes an FPE in AudioSpectrogram CVE-2023-25666
• Fixes a heap-buffer-overflow in AvgPoolGrad CVE-2023-25664
• Fixes a NPE in TensorArrayConcatV2 CVE-2023-25663
• Fixes a Integer overflow in EditDistance CVE-2023-25662
• Fixes a Seg fault in tf.raw_ops.Print CVE-2023-25660
• Fixes a OOB read in DynamicStitch CVE-2023-25659
• Fixes a OOB Read in GRUBlockCellGrad CVE-2023-25658

TensorFlow 2.11.0

Release 2.11.0

Breaking Changes

• The tf.keras.optimizers.Optimizer base class now points to the new Keras optimizer, while the old optimizers have been moved to the tf.keras.optimizers.legacy namespace.

  If you find your workflow failing due to this change, you may be facing one of the following issues:

  • Checkpoint loading failure. The new optimizer handles optimizer state differently from the old optimizer, which simplifies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to tf.keras.optimizer.legacy.XXX (e.g. tf.keras.optimizer.legacy.Adam).
  • TF1 compatibility. The new optimizer, tf.keras.optimizers.Optimizer, does not support TF1 any more, so please use the legacy optimizer tf.keras.optimizer.legacy.XXX. We highly recommend migrating your workflow to TF2 for stable support and new features.
  • Old optimizer API not found. The new optimizer, tf.keras.optimizers.Optimizer, has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API documentation to find alternatives to the missing API. If you must call the deprecated API, please change your optimizer to the legacy optimizer.
  • Learning rate schedule access. When using a tf.keras.optimizers.schedules.LearningRateSchedule, the new optimizer's learning_rate property returns the current learning rate value instead of a LearningRateSchedule object as before. If you need to access the LearningRateSchedule object, please use optimizer._learning_rate.
  • If you implemented a custom optimizer based on the old optimizer. Please set your optimizer to subclass tf.keras.optimizer.legacy.XXX. If you want to migrate to the new optimizer and find it does not support your optimizer, please file an issue in the Keras GitHub repo.
  • Errors, such as Cannot recognize variable.... The new optimizer requires all optimizer variables to be created at the first apply_gradients() or minimize() call. If your workflow calls the optimizer to update different parts of the model in multiple stages, please call optimizer.build(model.trainable_variables) before the training loop.
  • Timeout or performance loss. We don't anticipate this to happen, but if you see such issues, please use the legacy optimizer, and file an issue in the Keras GitHub repo.

  The old Keras optimizer will never be deleted, but will not see any new feature additions. New optimizers (for example, tf.keras.optimizers.Adafactor) will only be implemented based on the new tf.keras.optimizers.Optimizer base class.

• tensorflow/python/keras code is a legacy copy of Keras since the TensorFlow v2.7 release, and will be deleted in the v2.12 release. Please remove any import of tensorflow.python.keras and use the public API with from tensorflow import keras or import tensorflow as tf; tf.keras.

Major Features and Improvements

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.11.1

Note: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.

• Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself steps. You can refer to the release notes of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.

This release also introduces several vulnerability fixes:

• Fixes an FPE in TFLite in conv kernel CVE-2023-27579
• Fixes a double free in Fractional(Max/Avg)Pool CVE-2023-25801
• Fixes a null dereference on ParallelConcat with XLA CVE-2023-25676
• Fixes a segfault in Bincount with XLA CVE-2023-25675
• Fixes an NPE in RandomShuffle with XLA enable CVE-2023-25674
• Fixes an FPE in TensorListSplit with XLA CVE-2023-25673
• Fixes segmentation fault in tfg-translate CVE-2023-25671
• Fixes an NPE in QuantizedMatMulWithBiasAndDequantize CVE-2023-25670
• Fixes an FPE in AvgPoolGrad with XLA CVE-2023-25669
• Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation CVE-2023-25668
• Fixes a segfault when opening multiframe gif CVE-2023-25667
• Fixes an NPE in SparseSparseMaximum CVE-2023-25665
• Fixes an FPE in AudioSpectrogram CVE-2023-25666
• Fixes a heap-buffer-overflow in AvgPoolGrad CVE-2023-25664
• Fixes a NPE in TensorArrayConcatV2 CVE-2023-25663
• Fixes a Integer overflow in EditDistance CVE-2023-25662
• Fixes a Seg fault in tf.raw_ops.Print CVE-2023-25660
• Fixes a OOB read in DynamicStitch CVE-2023-25659
• Fixes a OOB Read in GRUBlockCellGrad CVE-2023-25658

Release 2.11.0

Breaking Changes

• tf.keras.optimizers.Optimizer now points to the new Keras optimizer, and old optimizers have moved to the tf.keras.optimizers.legacy namespace. If you find your workflow failing due to this change, you may be facing one of the following issues:

  • Checkpoint loading failure. The new optimizer handles optimizer state differently from the old optimizer, which simplies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to tf.keras.optimizers.legacy.XXX (e.g. tf.keras.optimizers.legacy.Adam).
  • TF1 compatibility. The new optimizer does not support TF1 any more, so please use the legacy optimizer tf.keras.optimizer.legacy.XXX. We highly recommend to migrate your workflow to TF2 for stable support and new features.
  • API not found. The new optimizer has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API

... (truncated)

Commits

• a3e2c69 Merge pull request #60016 from tensorflow/fix-relnotes
• 13b85dc Fix release notes
• 48b18db Merge pull request #60014 from tensorflow/disable-test-that-ooms
• eea48f5 Disable a test that results in OOM+segfault
• a632584 Merge pull request #60000 from tensorflow/venkat-patch-3
• 93dea7a Update RELEASE.md
• a2ba9f1 Updating Release.md with Legal Language for Release Notes
• fae41c7 Merge pull request #59998 from tensorflow/fix-bad-cherrypick-again
• 2757416 Fix bad cherrypick
• c78616f Merge pull request #59992 from tensorflow/fix-2.11-build
• Additional commits viewable in compare view

Updates tensorflow from 2.12.0 to 2.12.1

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.11.1

Release 2.11.1

Note: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.

• Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself steps. You can refer to the release notes of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.

This release also introduces several vulnerability fixes:

• Fixes an FPE in TFLite in conv kernel CVE-2023-27579
• Fixes a double free in Fractional(Max/Avg)Pool CVE-2023-25801
• Fixes a null dereference on ParallelConcat with XLA CVE-2023-25676
• Fixes a segfault in Bincount with XLA CVE-2023-25675
• Fixes an NPE in RandomShuffle with XLA enable CVE-2023-25674
• Fixes an FPE in TensorListSplit with XLA CVE-2023-25673
• Fixes segmentation fault in tfg-translate CVE-2023-25671
• Fixes an NPE in QuantizedMatMulWithBiasAndDequantize CVE-2023-25670
• Fixes an FPE in AvgPoolGrad with XLA CVE-2023-25669
• Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation CVE-2023-25668
• Fixes a segfault when opening multiframe gif CVE-2023-25667
• Fixes an NPE in SparseSparseMaximum CVE-2023-25665
• Fixes an FPE in AudioSpectrogram CVE-2023-25666
• Fixes a heap-buffer-overflow in AvgPoolGrad CVE-2023-25664
• Fixes a NPE in TensorArrayConcatV2 CVE-2023-25663
• Fixes a Integer overflow in EditDistance CVE-2023-25662
• Fixes a Seg fault in tf.raw_ops.Print CVE-2023-25660
• Fixes a OOB read in DynamicStitch CVE-2023-25659
• Fixes a OOB Read in GRUBlockCellGrad CVE-2023-25658

TensorFlow 2.11.0

Release 2.11.0

Breaking Changes

• The tf.keras.optimizers.Optimizer base class now points to the new Keras optimizer, while the old optimizers have been moved to the tf.keras.optimizers.legacy namespace.

  If you find your workflow failing due to this change, you may be facing one of the following issues:

  • Checkpoint loading failure. The new optimizer handles optimizer state differently from the old optimizer, which simplifies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to tf.keras.optimizer.legacy.XXX (e.g. tf.keras.optimizer.legacy.Adam).
  • TF1 compatibility. The new optimizer, tf.keras.optimizers.Optimizer, does not support TF1 any more, so please use the legacy optimizer tf.keras.optimizer.legacy.XXX. We highly recommend migrating your workflow to TF2 for stable support and new features.
  • Old optimizer API not found. The new optimizer, tf.keras.optimizers.Optimizer, has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API documentation to find alternatives to the missing API. If you must call the deprecated API, please change your optimizer to the legacy optimizer.
  • Learning rate schedule access. When using a tf.keras.optimizers.schedules.LearningRateSchedule, the new optimizer's learning_rate property returns the current learning rate value instead of a LearningRateSchedule object as before. If you need to access the LearningRateSchedule object, please use optimizer._learning_rate.
  • If you implemented a custom optimizer based on the old optimizer. Please set your optimizer to subclass tf.keras.optimizer.legacy.XXX. If you want to migrate to the new optimizer and find it does not support your optimizer, please file an issue in the Keras GitHub repo.
  • Errors, such as Cannot recognize variable.... The new optimizer requires all optimizer variables to be created at the first apply_gradients() or minimize() call. If your workflow calls the optimizer to update different parts of the model in multiple stages, please call optimizer.build(model.trainable_variables) before the training loop.
  • Timeout or performance loss. We don't anticipate this to happen, but if you see such issues, please use the legacy optimizer, and file an issue in the Keras GitHub repo.

  The old Keras optimizer will never be deleted, but will not see any new feature additions. New optimizers (for example, tf.keras.optimizers.Adafactor) will only be implemented based on the new tf.keras.optimizers.Optimizer base class.

• tensorflow/python/keras code is a legacy copy of Keras since the TensorFlow v2.7 release, and will be deleted in the v2.12 release. Please remove any import of tensorflow.python.keras and use the public API with from tensorflow import keras or import tensorflow as tf; tf.keras.

Major Features and Improvements

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.11.1

Note: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.

• Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself steps. You can refer to the release notes of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.

This release also introduces several vulnerability fixes:

• Fixes an FPE in TFLite in conv kernel CVE-2023-27579
• Fixes a double free in Fractional(Max/Avg)Pool CVE-2023-25801
• Fixes a null dereference on ParallelConcat with XLA CVE-2023-25676
• Fixes a segfault in Bincount with XLA CVE-2023-25675
• Fixes an NPE in RandomShuffle with XLA enable CVE-2023-25674
• Fixes an FPE in TensorListSplit with XLA CVE-2023-25673
• Fixes segmentation fault in tfg-translate CVE-2023-25671
• Fixes an NPE in QuantizedMatMulWithBiasAndDequantize CVE-2023-25670
• Fixes an FPE in AvgPoolGrad with XLA CVE-2023-25669
• Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation CVE-2023-25668
• Fixes a segfault when opening multiframe gif CVE-2023-25667
• Fixes an NPE in SparseSparseMaximum CVE-2023-25665
• Fixes an FPE in AudioSpectrogram CVE-2023-25666
• Fixes a heap-buffer-overflow in AvgPoolGrad CVE-2023-25664
• Fixes a NPE in TensorArrayConcatV2 CVE-2023-25663
• Fixes a Integer overflow in EditDistance CVE-2023-25662
• Fixes a Seg fault in tf.raw_ops.Print CVE-2023-25660
• Fixes a OOB read in DynamicStitch CVE-2023-25659
• Fixes a OOB Read in GRUBlockCellGrad CVE-2023-25658

Release 2.11.0

Breaking Changes

• tf.keras.optimizers.Optimizer now points to the new Keras optimizer, and old optimizers have moved to the tf.keras.optimizers.legacy namespace. If you find your workflow failing due to this change, you may be facing one of the following issues:

  • Checkpoint loading failure. The new optimizer handles optimizer state differently from the old optimizer, which simplies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to tf.keras.optimizers.legacy.XXX (e.g. tf.keras.optimizers.legacy.Adam).
  • TF1 compatibility. The new optimizer does not support TF1 any more, so please use the legacy optimizer tf.keras.optimizer.legacy.XXX. We highly recommend to migrate your workflow to TF2 for stable support and new features.
  • API not found. The new optimizer has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API

... (truncated)

Commits

• a3e2c69 Merge pull request #60016 from tensorflow/fix-relnotes
• 13b85dc Fix release notes
• 48b18db Merge pull request #60014 from tensorflow/disable-test-that-ooms
• eea48f5 Disable a test that results in OOM+segfault
• a632584 Merge pull request #60000 from tensorflow/venkat-patch-3
• 93dea7a Update RELEASE.md
• a2ba9f1 Updating Release.md with Legal Language for Release Notes
• fae41c7 Merge pull request #59998 from tensorflow/fix-bad-cherrypick-again
• 2757416 Fix bad cherrypick
• c78616f Merge pull request #59992 from tensorflow/fix-2.11-build
• Additional commits viewable in compare view

Updates numpy from 1.21.3 to 1.22.0

Release notes

Sourced from numpy's releases.

v1.22.0

NumPy 1.22.0 Release Notes

NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

• Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
• A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
• NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
• New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
• A new configurable allocator for use by downstream projects.

These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

Expired deprecations

Deprecated numeric style dtype strings have been removed

Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

(gh-19539)

Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

(gh-19615)

... (truncated)

Commits

• 4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
• fd66547 REL: Prepare for the NumPy 1.22.0 release.
• 125304b wip
• c283859 Merge pull request #20682 from charris/backport-20416
• 5399c03 Merge pull request #20681 from charris/backport-20954
• f9c45f8 Merge pull request #20680 from charris/backport-20663
• 794b36f Update armccompiler.py
• d93b14e Update test_public_api.py
• 7662c07 Update init.py
• 311ab52 Update armccompiler.py
• Additional commits viewable in compare view

Updates tornado from 6.3.3 to 6.4.1

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1 releases/v3.0.0 releases/v2.4.1 releases/v2.4.0 releases/v2.3.0

... (truncated)

Commits

• 2a0e1d1 Merge pull request #3388 from bdarnell/release-641
• b7af4e8 Release notes and version bump for version 6.4.1
• d65f6e7 Merge pull request #3387 from bdarnell/chunked-parsing
• 8d721a8 httputil: Only strip tabs and spaces from header values
• 7786f09 Merge pull request #3386 from bdarnell/curl-crlf
• fb119c7 http1connection: Stricter handling of transfer-encoding
• b0ffc58 curl_httpclient,http1connection: Prohibit CR and LF in headers
• 0efa9a4 Merge pull request #3385 from bdarnell/update-black
• 2757c6e Merge pull request #3384 from tornadoweb/dependabot/pip/requests-2.32.2
• 291d1b6 *: Update black
• Additional commits viewable in compare view

Updates onnx from 1.13.0 to 1.16.0

Release notes

Sourced from onnx's releases.

v1.16.0

ONNX v1.16.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Key Updates

ai.onnx Opset 21

• Update to support int4 and uint4:
  • Cast, CastLike, Constant, ConstantOfShape, Identity, If, Loop, Reshape, Scan, Shape, Size
• Update to support float8e4m3fnuz, float8e5m2, float8e5m2fnuz, int4 and uint4:
  • Flatten, Pad, Squeeze, Transpose, Unsqueeze
• Support blocked quantization. Support int4, uint4, int16, and uint16:
  • DequantizeLinear, QuantizeLinear,
• Support bfloat16 and float16 scales. Support float8e4m3fn, float8e4m3fnuz, float8e5m2, float8e5m2fnuz quantized tensors:
  • QLinearMatMul,
• Add stash_type attribute and change input shape of scale and bias from (G) to (C) for GroupNormalization

ai.onnx.ml Opset 4

• Addeded new operator TreeEnsemble

IR Version 10

• Added support for UINT4, INT4 types
• GraphProto, FunctionProto, NodeProto, TensorProto added metadata_props field
• FunctionProto added value_info field
• FunctionProto and NodeProto added overload field to support overloaded functions.

Python Changes

• Support registering custom OpSchemas via Python interface
• Support Python3.12

Security Updates

• Fix path sanitization bypass leading to arbitrary read (CVE-2024-27318)
• Fix Out of bounds read due to lack of string termination in assert (CVE-2024-27319)

Deprecation notice

• Deprecated using C++14 to compile ONNX from source. Use C++17 instead #5612
• Deprecated TreeEnsembleClassifier and TreeEnsembleRegressor
• Remove FormalParameter properties that were depreciated in ONNX 1.14 by 5074

Bug fixes and infrastructure improvements

• Enable empty list of values as attribute (#5559)
• Add backward conversions from 18->17 for reduce ops (#5606)
• DFT-20 version converter (#5613)
• Fix version-converter to generate valid identifiers (#5628)
• Reserve removed proto fields (#5643)
• Cleanup shape inference implementation (#5596)
• Do not use LFS64 on non-glibc linux (#5669)
• Drop "one of" default attribute check in LabelEncoder (#5673)
• TreeEnsemble base values for the reference implementation (#5665)
• Parser/printer support external data format (#5688)
• [cmake] Place export target file in the correct directory (#5677)

... (truncated)

Commits

• 990217f Set version number for official release (#6033)
• 2159934 [Cherry-pick] Fix builds from source and pip tar.gz on s390x systems (#5986)
• f46a3f8 [Cherry-pick] Use CMAKE_PREFIX_PATH in finding libprotobuf (#5975) (#5997)
• c867683 [Cherry-pick]Fix SegFault bug in shape inference (#5995)
• e6ff7b9 [Cherry-pick] Fix unique_name (#5994)
• 34e00dd Set version in rel-1.16.0 to 1.16.0rc2 (#5987)
• 309a0b0 [Cherry-pick] Fix Check URLs errors in rel-1.16 (#5973)
• 69ec4b6 Set version in rel-1.16.0 to 1.16.0rc1 (#5969)
• ff60ddc Update top-k documentation (#5948)
• 833575e Prepare for rel-1.16.0 (#5959)
• Additional commits viewable in compare view

Updates black from 19.10b0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

• See full diff in compare view

Updates pillow from 10.2.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public