Bump the pytorch group across 1 directory with 12 updates

[dependabot]

Bumps the pytorch group with 12 updates in the /pytorch directory:

Package	From	To
onnxruntime-extensions	0.11.0	0.12.0
onnxruntime	1.18.1	1.19.0
tokenizers	0.19.1	0.20.0
transformers	4.44.0	4.44.2
torchvision	0.16.0.post3+cxx11.abi	0.19.0+cpu
torchaudio	2.1.0.post3+cxx11.abi	2.4.0+cpu
intel-extension-for-pytorch	2.1.40+xpu	2.4.0+cpu
oneccl-bind-pt	2.1.400+xpu	2.4.0+cpu
setuptools	69.5.1	73.0.1
numpy	1.26.4	2.1.0
jupyterlab	4.3.0b0	4.3.0b1
torchtext	0.18.0	0.18.0+cpu

Updates onnxruntime-extensions from 0.11.0 to 0.12.0

Commits

• See full diff in compare view

Updates onnxruntime from 1.18.1 to 1.19.0

Release notes

Sourced from onnxruntime's releases.

ONNX Runtime v1.19

Announcements

• Training (pypi) packages are delayed from package manager release due to some publishing errors. Feel free to contact @​maanavd if you need release candidates for some workflows ASAP. In the meantime, binaries are attached to this post. This message will be deleted once this ceases to be the case. Thanks for your understanding :)
• Second note that the wrong commit was initially tagged with v1.19.0. The final commit has since been correctly tagged: microsoft/onnxruntime@26250ae. This shouldn't effect much, but sorry for the inconvenience!

Build System & Packages

• Numpy support for 2.x has been added
• Qualcomm SDK has been upgraded to 2.25
• ONNX has been upgraded from 1.16 → 1.16.1
• Default GPU packages use CUDA 12.x and Cudnn 9.x (previously CUDA 11.x/CuDNN 8.x) CUDA 11.x/CuDNN 8.x packages are moved to the aiinfra VS feed.
• TensorRT 10.2 support added
• Introduced Java CUDA 12 packages on Maven.
• Discontinued support for Xamarin. (Xamarin reached EOL on May 1, 2024)
• Discontinued support for macOS 11 and increasing the minimum supported macOS version to 12. (macOS 11 reached EOL in September 2023)
• Discontinued support for iOS 12 and increasing the minimum supported iOS version to 13.

Core

• Implemented DeformConv
• Fixed big-endian and support build on AIX

Performance

• Added QDQ support for INT4 quantization in CPU and CUDA Execution Providers
• Implemented FlashAttention on CPU to improve performance for GenAI prompt cases
• Improved INT4 performance on CPU (X64, ARM64) and NVIDIA GPUs

Execution Providers

• TensorRT

  • Updated to support TensorRT 10.2
  • Remove calls to deprecated api’s
  • Enable refittable embedded engine when ONNX model provided as byte stream

• CUDA

  • Upgraded cutlass to 3.5.0 for performance improvement of memory efficient attention.
  • Updated MultiHeadAttention and Attention operators to be thread-safe.
  • Added sdpa_kernel provider option to choose kernel for Scaled Dot-Product Attention.
  • Expanded op support - Tile (bf16)

• CPU

  • Expanded op support - GroupQueryAttention, SparseAttention (for Phi-3 small)

• QNN

  • Updated to support QNN SDK 2.25
  • Expanded op support - HardSigmoid, ConvTranspose 3d, Clip (int32 data), Matmul (int4 weights), Conv (int4 weights), prelu (fp16)
  • Expanded fusion support – Conv + Clip/Relu fusion

• OpenVINO

  • Added support for OpenVINO 2024.3
  • Support for enabling EpContext using session options

• DirectML

... (truncated)

Commits

• 26250ae ORT 1.19.0 Release: Cherry-Pick Round 2 (#21726)
• ccf6a28 ORT 1.19.0 Release: Cherry-Pick Round 1 (#21619)
• ee2fe87 ORT 1.19.0 Release: Cherry-Pick Round 0 (#21609)
• 530a2d7 Enable FP16 Clip and Handle Bias in FP16 Depthwise Conv (#21493)
• 82036b0 Remove references to the outdated CUDA EP factory method (#21549)
• 07d3be5 CoreML: Add ML Program Split Op (#21456)
• 5d78b9a [TensorRT EP] Update TRT OSS Parser to 10.2 (#21552)
• 8417c32 Keep QDQ nodes w/ nonpositive scale around MaxPool (#21182)
• d985814 Update labeling bot (#21548)
• 7543dd0 Propagate NaNs in the CPU min and max operators (#21492)
• Additional commits viewable in compare view

Updates tokenizers from 0.19.1 to 0.20.0

Release notes

Sourced from tokenizers's releases.

Release v0.20.0: faster encode, better python support

Release v0.20.0

This release is focused on performances and user experience.

Performances:

First off, we did a bit of benchmarking, and found some place for improvement for us! With a few minor changes (mostly #1587) here is what we get on Llama3 running on a g6 instances on AWS https://github.com/huggingface/tokenizers/blob/main/bindings/python/benches/test_tiktoken.py :

Python API

We shipped better deserialization errors in general, and support for __str__ and __repr__ for all the object. This allows for a lot easier debugging see this:

>>> from tokenizers import Tokenizer;
>>> tokenizer = Tokenizer.from_pretrained("bert-base-uncased");
>>> print(tokenizer)
Tokenizer(version="1.0", truncation=None, padding=None, added_tokens=[{"id":0, "content":"[PAD]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":100, "content":"[UNK]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":101, "content":"[CLS]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":102, "content":"[SEP]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":103, "content":"[MASK]", "single_word":False, "lstrip":False, "rstrip":False, ...}], normalizer=BertNormalizer(clean_text=True, handle_chinese_chars=True, strip_accents=None, lowercase=True), pre_tokenizer=BertPreTokenizer(), post_processor=TemplateProcessing(single=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0)], pair=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0), Sequence(id=B, type_id=1), SpecialToken(id="[SEP]", type_id=1)], special_tokens={"[CLS]":SpecialToken(id="[CLS]", ids=[101], tokens=["[CLS]"]), "[SEP]":SpecialToken(id="[SEP]", ids=[102], tokens=["[SEP]"])}), decoder=WordPiece(prefix="##", cleanup=True), model=WordPiece(unk_token="[UNK]", continuing_subword_prefix="##", max_input_chars_per_word=100, vocab={"[PAD]":0, "[unused0]":1, "[unused1]":2, "[unused2]":3, "[unused3]":4, ...}))
>>> tokenizer
Tokenizer(version="1.0", truncation=None, padding=None, added_tokens=[{"id":0, "content":"[PAD]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":100, "content":"[UNK]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":101, "content":"[CLS]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":102, "content":"[SEP]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":103, "content":"[MASK]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}], normalizer=BertNormalizer(clean_text=True, handle_chinese_chars=True, strip_accents=None, lowercase=True), pre_tokenizer=BertPreTokenizer(), post_processor=TemplateProcessing(single=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0)], pair=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0), Sequence(id=B, type_id=1), SpecialToken(id="[SEP]", type_id=1)], special_tokens={"[CLS]":SpecialToken(id="[CLS]", ids=[101], tokens=["[CLS]"]), "[SEP]":SpecialToken(id="[SEP]", ids=[102], tokens=["[SEP]"])}), decoder=WordPiece(prefix="##", cleanup=True), model=WordPiece(unk_token="[UNK]", continuing_subword_prefix="##", max_input_chars_per_word=100, vocab={"[PAD]":0, "[unused0]":1, "[unused1]":2, ...}))

The pre_tokenizer.Sequence and normalizer.Sequence are also more accessible now:

from tokenizers import normalizers
norm = normalizers.Sequence([normalizers.Strip(), normalizers.BertNormalizer()])
norm[0]
norm[1].lowercase=False

What's Changed

• remove enforcement of non special when adding tokens by @​ArthurZucker in huggingface/tokenizers#1521
• [BREAKING CHANGE] Ignore added_tokens (both special and not) in the decoder by @​Narsil in huggingface/tokenizers#1513
• Make USED_PARALLELISM atomic by @​nathaniel-daniel in huggingface/tokenizers#1532
• Fixing for clippy 1.78 by @​Narsil in huggingface/tokenizers#1548
• feat(ci): add trufflehog secrets detection by @​McPatate in huggingface/tokenizers#1551
• Switch from cached_download to hf_hub_download in tests by @​Wauplin in huggingface/tokenizers#1547
• Fix "dictionnary" typo by @​nprisbrey in huggingface/tokenizers#1511
• make sure we don't warn on empty tokens by @​ArthurZucker in huggingface/tokenizers#1554
• Enable dropout = 0.0 as an equivalent to none in BPE by @​mcognetta in huggingface/tokenizers#1550
• Revert "[BREAKING CHANGE] Ignore added_tokens (both special and not) … by @​ArthurZucker in huggingface/tokenizers#1569
• Add bytelevel normalizer to fix decode when adding tokens to BPE by @​ArthurZucker in huggingface/tokenizers#1555
• Fix clippy + feature test management. by @​Narsil in huggingface/tokenizers#1580
• Bump spm_precompiled to 0.1.3 by @​MikeIvanichev in huggingface/tokenizers#1571
• Add benchmark vs tiktoken by @​Narsil in huggingface/tokenizers#1582
• Fixing the benchmark. by @​Narsil in huggingface/tokenizers#1583
• Tiny improvement by @​Narsil in huggingface/tokenizers#1585
• Enable fancy regex by @​Narsil in huggingface/tokenizers#1586
• Fixing release CI strict (taken from safetensors). by @​Narsil in huggingface/tokenizers#1593
• Adding some serialization testing around the wrapper. by @​Narsil in huggingface/tokenizers#1594

... (truncated)

Commits

• a5adaac version 0.20.0
• a8def07 Merge branch 'fix_release' of github.com:huggingface/tokenizers into branch_v...
• fe50673 Fix CI
• b253835 push cargo
• fc3bb76 update dependencies
• bfd9cde Perf improvement 16% by removing offsets. (#1587)
• bd27fa5 add deserialize for pre tokenizers (#1603)
• 56c9c70 Tests + Deserialization improvement for normalizers. (#1604)
• 49dafd7 Fix strip python type (#1602)
• bded212 Support None to reset pre_tokenizers and normalizers, and index sequences (...
• Additional commits viewable in compare view

Updates transformers from 4.44.0 to 4.44.2

Release notes

Sourced from transformers's releases.

Release v4.44.2

Patch release v4.44.2, mostly 2 regressions that were not caught for Jamba and for processors!

• Fix: Jamba cache fails to use torch.nn.module (#32894) Authored by @​xgal
• Fix: No need to dtype A in Jamba (#32924) @​xgal
• Fix: Regression on Processor.save_pretrained caused by #31691 (#32921) Authored by @​leloykun

Patch release v4.44.1

Here are the different fixes, mostly Gemma2 context length, nits here and there, and generation issues

• is_torchdynamo_compiling -- cast a wide exception net (#32476) by @​gante
• Revert "fixes to properly shard FSDP across cpu and meta for cpu_effcient_loading for prequantized 4bit (#32276)" (#32477) by @​gante and @​matthewdouglas
• Gemma2: fix FA2 generation (#32553) by @​zucchini-nlp
• Fix: FA2 with packed training (#32487) by @​zucchini-nlp
• Fix sliding window attention used in Gemma2FlashAttention2 (#32522) by @​brcps12
• Automatically add transformers tag to the modelcard (#32623) by @​LysandreJik
• add back the position ids (#32554) by @​ArthurZucker
• Use head_dim if in config for RoPE (#32495) @​suiyoubi @​ArthurZucker
• Revert PR 32299, flag users when Zero-3 was missed (#32851) by @​muellerzr
• fix multi-gpu with static cache (#32543) by @​SunMarc
• Reduce the error log when using core models that need their weights r… (#32656) by @​muellerzr
• Fix VLM generation issues (#32836) by @​zucchini-nlp
• Fix generate with inputs_embeds as input (#32493) (this PR has some cherry-pick)

Full Changelog: huggingface/transformers@v4.44.0...v4.44.1

Commits

• 1748902 v4.44.2
• 6845144 Fix regression on Processor.save_pretrained caused by #31691 (#32921)
• 3d8cba8 fix: no need to dtype A in jamba (#32924)
• c1df7f8 fix: jamba cache fails to use torch.nn.module (#32894)
• ca56cd7 v4.44.1
• 6e931e1 Gemma2: fix FA2 generation (#32553)
• 74f57df Fix generate with inputs_embeds as input (#32493)
• 084fe2e Merge branch 'v4.44-release' of github.com:huggingface/transformers into v4.4...
• fff9be1 Reduce the error log when using core models that need their weights renamed, ...
• 4fd0f48 Fix VLM generation issues (#32836)
• Additional commits viewable in compare view

Updates torchvision from 0.16.0.post3+cxx11.abi to 0.19.0+cpu

Updates torchaudio from 2.1.0.post3+cxx11.abi to 2.4.0+cpu

Updates intel-extension-for-pytorch from 2.1.40+xpu to 2.4.0+cpu

Updates oneccl-bind-pt from 2.1.400+xpu to 2.4.0+cpu

Updates setuptools from 69.5.1 to 73.0.1

Changelog

Sourced from setuptools's changelog.

v73.0.1

Bugfixes

• Remove abc.ABCMeta metaclass from abstract classes. pypa/setuptools#4503 <https://github.com/pypa/setuptools/pull/4503>_ had an unintended consequence of causing potential TypeError: metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases -- by :user:Avasam (#4579)

v73.0.0

Features

• Mark abstract base classes and methods with abc.ABC and abc.abstractmethod -- by :user:Avasam (#4503)
• Changed the order of type checks in setuptools.command.easy_install.CommandSpec.from_param to support any collections.abc.Iterable of str param -- by :user:Avasam (#4505)

Bugfixes

• Prevent an error in bdist_wheel if compression is set to a str (even if valid) after finalizing options but before running the command. -- by :user:Avasam (#4383)
• Raises an exception when py_limited_api is used in a build with Py_GIL_DISABLEDpython/cpython#111506#4420)
• pypa/distutils#284

Deprecations and Removals

• setuptools is replacing the usages of :pypi:ordered_set with simple instances of dict[Hashable, None]. This is done to remove the extra dependency and it is possible because since Python 3.7, dict maintain insertion order. (#4574)

Misc

• #4534, #4546, #4554, #4559, #4565

v72.2.0

Features

• pypa/distutils#272pypa/distutils#237pypa/distuils#228#4538)

... (truncated)

Commits

• ebddeb3 Bump version: 73.0.0 → 73.0.1
• 18963fb Merge pull request #4580 from Avasam/no-ABCMeta
• b7ee00d Remove ABCMeta metaclass, keep abstractmethods
• 477f713 Override distribution attribute type in all distutils-based commands (#4577)
• 429ac58 Override distribution attribute type in all distutils-based commands
• 4147b09 Bump version: 72.2.0 → 73.0.0
• 2ad8c10 Merge pull request #4576 from pypa/bugfix/distutils-284
• 8afe0c3 Merge pull request #4574 from abravalheri/ordered_set
• ad611bc Merge https://github.com/pypa/distutils into bugfix/distutils-284
• 30b7331 Ensure a missing target is still indicated as 'sources are newer' even when t...
• Additional commits viewable in compare view

Updates numpy from 1.26.4 to 2.1.0

Release notes

Sourced from numpy's releases.

2.1.0 (Aug 18, 2024)

NumPy 2.1.0 Release Notes

NumPy 2.1.0 provides support for the upcoming Python 3.13 release and drops support for Python 3.9. In addition to the usual bug fixes and updated Python support, it helps get us back into our usual release cycle after the extended development of 2.0. The highlights for this release are:

• Support for the array-api 2023.12 standard.
• Support for Python 3.13.
• Preliminary support for free threaded Python 3.13.

Python versions 3.10-3.13 are supported in this release.

New functions

New function numpy.unstack

A new function np.unstack(array, axis=...) was added, which splits an array into a tuple of arrays along an axis. It serves as the inverse of [numpy.stack]{.title-ref}.

(gh-26579)

Deprecations

• The fix_imports keyword argument in numpy.save is deprecated. Since NumPy 1.17, numpy.save uses a pickle protocol that no longer supports Python 2, and ignored fix_imports keyword. This keyword is kept only for backward compatibility. It is now deprecated.

  (gh-26452)

• Passing non-integer inputs as the first argument of [bincount]{.title-ref} is now deprecated, because such inputs are silently cast to integers with no warning about loss of precision.

  (gh-27076)

Expired deprecations

• Scalars and 0D arrays are disallowed for numpy.nonzero and numpy.ndarray.nonzero.

  (gh-26268)

• set_string_function internal function was removed and PyArray_SetStringFunction was stubbed out.

... (truncated)

Commits

• 2f7fe64 Merge pull request #27236 from charris/prepare-2.1.0
• b6f434f REL: Prepare for the NumPy 2.1.0 release [wheel build]
• 3cf9394 Merge pull request #27234 from charris/backport-25984
• 7443dcc Merge pull request #27233 from charris/backport-27223
• 85b1cab BUG: Allow fitting of degree zero polynomials with Polynomial.fit
• 395a81d DOC: reword discussion about shared arrays to hopefully be clearer
• 5af2e96 Move NUMUSERTYPES thread safety discussion to legacy DType API docs
• d902c24 DOC: add docs on thread safety in NumPy
• c080180 Merge pull request #27229 from charris/backport-27226
• 44ce7e8 BUG: Fix PyArray_ZeroContiguousBuffer (resize) with struct dtypes
• Additional commits viewable in compare view

Updates jupyterlab from 4.3.0b0 to 4.3.0b1

Release notes

Sourced from jupyterlab's releases.

v4.3.0b1

4.3.0b1

(Full Changelog)

Enhancements made

• Clean up SVG icons from @jupyterlab/ui-components and update SVGO #16678 (@​joaopalmeiro)

Bugs fixed

• Use locale name instead of display/native name to toggle language #16710 (@​maitreya2954)
• Add null checks for "input" variable #16705 (@​JasonWeill)
• Null checks to guard against cell toolbar errors on startup #16704 (@​JasonWeill)
• Update contents model on file change due to save from RTC #16695 (@​krassowski)
• Add a guard on uninitialized nodes when resizing, remove log #16693 (@​krassowski)
• Fix output streaming in RTC #16692 (@​davidbrochart)
• Prevent replacing code with find and replace in read-only cells #16682 (@​itsmevichu)
• Avoid changing type of read-only cells #16679 (@​cmarmo)

Maintenance and upkeep improvements

• Bump axios from 1.6.1 to 1.7.4 #16691 (@​dependabot)
• Update to Playwright 1.46.1 #16684 (@​jtpio)

Documentation improvements

• User-facing changelog for JupyterLab 4.3 #16709 (@​krassowski)
• Update to Playwright 1.46.1 #16684 (@​jtpio)
• Fix JupyterLab install instructions in the debugger docs #16683 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​cmarmo | @​davidbrochart | @​dependabot | @​itsmevichu | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-probot | @​krassowski | @​maitreya2954

Changelog

Sourced from jupyterlab's changelog.

4.3.0b1

(Full Changelog)

Enhancements made

• Clean up SVG icons from @jupyterlab/ui-components and update SVGO #16678 (@​joaopalmeiro)

Bugs fixed

• Use locale name instead of display/native name to toggle language #16710 (@​maitreya2954)
• Add null checks for "input" variable #16705 (@​JasonWeill)
• Null checks to guard against cell toolbar errors on startup #16704 (@​JasonWeill)
• Update contents model on file change due to save from RTC #16695 (@​krassowski)
• Add a guard on uninitialized nodes when resizing, remove log #16693 (@​krassowski)
• Fix output streaming in RTC #16692 (@​davidbrochart)
• Prevent replacing code with find and replace in read-only cells #16682 (@​itsmevichu)
• Avoid changing type of read-only cells #16679 (@​cmarmo)

Maintenance and upkeep improvements

• Bump axios from 1.6.1 to 1.7.4 #16691 (@​dependabot)
• Update to Playwright 1.46.1 #16684 (@​jtpio)

Documentation improvements

• User-facing changelog for JupyterLab 4.3 #16709 (@​krassowski)
• Update to Playwright 1.46.1 #16684 (@​jtpio)
• Fix JupyterLab install instructions in the debugger docs #16683 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​cmarmo | @​davidbrochart | @​dependabot | @​itsmevichu | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-probot | @​krassowski | @​maitreya2954

Commits

• f7ca6ad [ci skip] Publish 4.3.0b1
• 594d340 User-facing changelog for JupyterLab 4.3 (#16709)
• f06c3e6 Merge commit from fork
• 53819cc Use locale name instead of display/native name to toggle language (#16710)
• 91f1c7c Fix stream output (#16692)
• 16611e1 Add a guard on uninitialized nodes when resizing, remove log (#16693)
• 6c60d71 Update contents model on file change due to save from RTC (#16695)
• 88eb874 Add null checks for "input" variable (#16705)
• a3b2d64 Null checks to guard against cell toolbar errors on startup (#16704)
• 3c12e59 Clean up SVG icons from @jupyterlab/ui-components and update SVGO (#16678)
• Additional commits viewable in compare view

Updates torchtext from 0.18.0 to 0.18.0+cpu

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

pytorch/serving/torchserve-xpu-requirements.txt

Package	Version	License	Issue Type
intel_extension_for_pytorch	2.4.0+cpu	Null	Unknown License

pytorch/xpu-requirements.txt

Package	Version	License	Issue Type
intel_extension_for_pytorch	2.4.0+cpu	Null	Unknown License
oneccl_bind_pt	2.4.0+cpu	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/onnxruntime	1.19.0	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 8 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed or have provenance Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/onnxruntime-extensions	0.12.0	🟢 6.1	Details Check Score Reason Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 7 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/tokenizers	0.20.0	🟢 5.4	Details Check Score Reason Code-Review 🟢 8 Found 24/27 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
pip/transformers	4.44.2	🟢 4.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 466 existing vulnerabilities detected
pip/jupyterlab	4.3.0b1	🟢 5.7	Details Check Score Reason Code-Review 🟢 9 Found 25/26 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 9 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(4.2.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected
pip/torchtext	0.18.0+cpu	🟢 5.3	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 8 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
pip/torchvision	0.19.0+cpu	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 14/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/intel_extension_for_pytorch	2.4.0+cpu	Unknown	Unknown
pip/numpy	2.1.0	🟢 8.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 9 out of 9 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 10 project has 93 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
pip/setuptools	73.0.1	🟢 6	Details Check Score Reason Code-Review 🟢 4 Found 7/15 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchaudio	2.4.0+cpu	🟢 5.3	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchvision	0.19.0+cpu	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 14/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/intel_extension_for_pytorch	2.4.0+cpu	Unknown	Unknown
pip/oneccl_bind_pt	2.4.0+cpu	Unknown	Unknown
pip/setuptools	73.0.1	🟢 6	Details Check Score Reason Code-Review 🟢 4 Found 7/15 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchaudio	2.4.0+cpu	🟢 5.3	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchvision	0.19.0+cpu	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 14/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

pytorch/hf-genai-requirements.txt

• onnxruntime@1.19.0
• onnxruntime-extensions@0.12.0
• tokenizers@0.20.0
• transformers@4.44.2
• onnxruntime@1.18.1
• onnxruntime-extensions@0.11.0
• tokenizers@0.19.1
• transformers@4.44.0

pytorch/jupyter-requirements.txt

• jupyterlab@4.3.0b1
• jupyterlab@4.3.0b0

pytorch/serving/torchserve-requirements.txt

• torchtext@0.18.0+cpu
• torchvision@0.19.0+cpu
• torchtext@0.18.0
• torchvision@0.19.0

pytorch/serving/torchserve-xpu-requirements.txt

• setuptools@69.5.1
• intel_extension_for_pytorch@2.4.0+cpu
• numpy@2.1.0
• setuptools@73.0.1
• torchaudio@2.4.0+cpu
• torchvision@0.19.0+cpu
• intel_extension_for_pytorch@2.1.40+xpu
• numpy@1.26.4
• torchaudio@2.1.0.post3+cxx11.abi
• torchvision@0.16.0.post3+cxx11.abi

pytorch/xpu-requirements.txt

• setuptools@69.5.1
• intel_extension_for_pytorch@2.4.0+cpu
• oneccl_bind_pt@2.4.0+cpu
• setuptools@73.0.1
• torchaudio@2.4.0+cpu
• torchvision@0.19.0+cpu
• intel_extension_for_pytorch@2.1.40+xpu
• oneccl_bind_pt@2.1.400+xpu
• torchaudio@2.1.0.post3+cxx11.abi
• torchvision@0.16.0.post3+cxx11.abi

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.