Bump the pytorch group across 1 directory with 9 updates

[dependabot]

Bumps the pytorch group with 9 updates in the /pytorch directory:

Package	From	To
onnxruntime-extensions	0.11.0	0.12.0
onnxruntime	1.18.1	1.19.0
protobuf	5.27.3	5.28.0
tokenizers	0.19.1	0.20.0
transformers	4.44.0	4.44.2
numpy	1.26.4	2.1.0
jupyterlab	4.3.0b0	4.3.0b1
neural-compressor	3.0	3.0.1
torchtext	0.18.0	0.18.0+cpu

Updates onnxruntime-extensions from 0.11.0 to 0.12.0

Release notes

Sourced from onnxruntime-extensions's releases.

v0.12.0

What's Changed

• Added C APIs for language, vision and audio processors including new FeatureExtractor for Whisper model
• Support for Phi-3 Small Tokenizer and new OpenAI tiktoken format for fast loading of BPE tokenizers
• Added new CUDA custom operators such as MulSigmoid, Transpose2DCast, ReplaceZero, AddSharedInput and MulSharedInput
• Enhanced Custom Op Lite API on GPU and fused kernels for DORT
• Bug fixes, including null bos_token for Qwen2 tokenizer and SentencePiece converted FastTokenizer issue on non-ASCII characters, as well as necessary updates for MSVC 19.40 and numpy 2.0 release

New Contributors

• @​yihonglyu made their first contribution in microsoft/onnxruntime-extensions#702
• @​skyline75489 made their first contribution in microsoft/onnxruntime-extensions#748

Full Changelog: microsoft/onnxruntime-extensions@v.0.11.0...v0.12.0

Commits

• cb47d2c Update nuget extraction path for iOS xcframework (#792)
• b27fbbe Update macosx framework packaging to follow apple guidelines (#776) (#789)
• c7a2d45 Update build-package-for-windows.yml (#784)
• 3ce1e9f Upgrade ESRP signing task from v2 to v5 (#780)
• e113ed3 removed OpenAIAudioToText from config (#777)
• c9c11b4 Fix the windows API missing issue and Linux shared library size issue for Jav...
• c3145b8 add the decoder_prompt_id for whisper tokenizer (#775)
• 620050f reimplement resize cpu kernel for image processing (#768)
• d79299e increase timeout (#773)
• 735041e increase timeout (#772)
• Additional commits viewable in compare view

Updates onnxruntime from 1.18.1 to 1.19.0

Release notes

Sourced from onnxruntime's releases.

ONNX Runtime v1.19

Announcements

• Training (pypi) packages are delayed from package manager release due to some publishing errors. Feel free to contact @​maanavd if you need release candidates for some workflows ASAP. In the meantime, binaries are attached to this post. This message will be deleted once this ceases to be the case. Thanks for your understanding :)
• Second note that the wrong commit was initially tagged with v1.19.0. The final commit has since been correctly tagged: microsoft/onnxruntime@26250ae. This shouldn't effect much, but sorry for the inconvenience!

Build System & Packages

• Numpy support for 2.x has been added
• Qualcomm SDK has been upgraded to 2.25
• ONNX has been upgraded from 1.16 → 1.16.1
• Default GPU packages use CUDA 12.x and Cudnn 9.x (previously CUDA 11.x/CuDNN 8.x) CUDA 11.x/CuDNN 8.x packages are moved to the aiinfra VS feed.
• TensorRT 10.2 support added
• Introduced Java CUDA 12 packages on Maven.
• Discontinued support for Xamarin. (Xamarin reached EOL on May 1, 2024)
• Discontinued support for macOS 11 and increasing the minimum supported macOS version to 12. (macOS 11 reached EOL in September 2023)
• Discontinued support for iOS 12 and increasing the minimum supported iOS version to 13.

Core

• Implemented DeformConv
• Fixed big-endian and support build on AIX

Performance

• Added QDQ support for INT4 quantization in CPU and CUDA Execution Providers
• Implemented FlashAttention on CPU to improve performance for GenAI prompt cases
• Improved INT4 performance on CPU (X64, ARM64) and NVIDIA GPUs

Execution Providers

• TensorRT

  • Updated to support TensorRT 10.2
  • Remove calls to deprecated api’s
  • Enable refittable embedded engine when ONNX model provided as byte stream

• CUDA

  • Upgraded cutlass to 3.5.0 for performance improvement of memory efficient attention.
  • Updated MultiHeadAttention and Attention operators to be thread-safe.
  • Added sdpa_kernel provider option to choose kernel for Scaled Dot-Product Attention.
  • Expanded op support - Tile (bf16)

• CPU

  • Expanded op support - GroupQueryAttention, SparseAttention (for Phi-3 small)

• QNN

  • Updated to support QNN SDK 2.25
  • Expanded op support - HardSigmoid, ConvTranspose 3d, Clip (int32 data), Matmul (int4 weights), Conv (int4 weights), prelu (fp16)
  • Expanded fusion support – Conv + Clip/Relu fusion

• OpenVINO

  • Added support for OpenVINO 2024.3
  • Support for enabling EpContext using session options

• DirectML

... (truncated)

Commits

• 26250ae ORT 1.19.0 Release: Cherry-Pick Round 2 (#21726)
• ccf6a28 ORT 1.19.0 Release: Cherry-Pick Round 1 (#21619)
• ee2fe87 ORT 1.19.0 Release: Cherry-Pick Round 0 (#21609)
• 530a2d7 Enable FP16 Clip and Handle Bias in FP16 Depthwise Conv (#21493)
• 82036b0 Remove references to the outdated CUDA EP factory method (#21549)
• 07d3be5 CoreML: Add ML Program Split Op (#21456)
• 5d78b9a [TensorRT EP] Update TRT OSS Parser to 10.2 (#21552)
• 8417c32 Keep QDQ nodes w/ nonpositive scale around MaxPool (#21182)
• d985814 Update labeling bot (#21548)
• 7543dd0 Propagate NaNs in the CPU min and max operators (#21492)
• Additional commits viewable in compare view

Updates protobuf from 5.27.3 to 5.28.0

Commits

• 439c42c Updating version.json and repo version numbers to: 28.0
• c9454f4 Remove --copt="-Werror" from .bazelrc (#18005)
• f5a1b17 Move -Werror to our test/dev bazelrc files. (#17938)
• 0c9e14a Merge pull request #17917 from thomasvl/patch_objc_to_28
• 6a6ebe4 Merge pull request #17919 from protocolbuffers/28.x-202408221734
• 09ba2bb Updating version.json and repo version numbers to: 28.0-dev
• e340f52 Updating version.json and repo version numbers to: 28.0-rc3
• b276420 [ObjC] Issue stderr warnings for deprecated generation options.
• 13f850d Merge pull request #17913 from protocolbuffers/cp-compat-upgrade
• 6bf01c5 Binary compatibility shims for GeneratedMessageV3, SingleFieldBuilderV3, Repe...
• Additional commits viewable in compare view

Updates tokenizers from 0.19.1 to 0.20.0

Release notes

Sourced from tokenizers's releases.

Release v0.20.0: faster encode, better python support

Release v0.20.0

This release is focused on performances and user experience.

Performances:

First off, we did a bit of benchmarking, and found some place for improvement for us! With a few minor changes (mostly #1587) here is what we get on Llama3 running on a g6 instances on AWS https://github.com/huggingface/tokenizers/blob/main/bindings/python/benches/test_tiktoken.py :

Python API

We shipped better deserialization errors in general, and support for __str__ and __repr__ for all the object. This allows for a lot easier debugging see this:

>>> from tokenizers import Tokenizer;
>>> tokenizer = Tokenizer.from_pretrained("bert-base-uncased");
>>> print(tokenizer)
Tokenizer(version="1.0", truncation=None, padding=None, added_tokens=[{"id":0, "content":"[PAD]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":100, "content":"[UNK]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":101, "content":"[CLS]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":102, "content":"[SEP]", "single_word":False, "lstrip":False, "rstrip":False, ...}, {"id":103, "content":"[MASK]", "single_word":False, "lstrip":False, "rstrip":False, ...}], normalizer=BertNormalizer(clean_text=True, handle_chinese_chars=True, strip_accents=None, lowercase=True), pre_tokenizer=BertPreTokenizer(), post_processor=TemplateProcessing(single=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0)], pair=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0), Sequence(id=B, type_id=1), SpecialToken(id="[SEP]", type_id=1)], special_tokens={"[CLS]":SpecialToken(id="[CLS]", ids=[101], tokens=["[CLS]"]), "[SEP]":SpecialToken(id="[SEP]", ids=[102], tokens=["[SEP]"])}), decoder=WordPiece(prefix="##", cleanup=True), model=WordPiece(unk_token="[UNK]", continuing_subword_prefix="##", max_input_chars_per_word=100, vocab={"[PAD]":0, "[unused0]":1, "[unused1]":2, "[unused2]":3, "[unused3]":4, ...}))
>>> tokenizer
Tokenizer(version="1.0", truncation=None, padding=None, added_tokens=[{"id":0, "content":"[PAD]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":100, "content":"[UNK]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":101, "content":"[CLS]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":102, "content":"[SEP]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}, {"id":103, "content":"[MASK]", "single_word":False, "lstrip":False, "rstrip":False, "normalized":False, "special":True}], normalizer=BertNormalizer(clean_text=True, handle_chinese_chars=True, strip_accents=None, lowercase=True), pre_tokenizer=BertPreTokenizer(), post_processor=TemplateProcessing(single=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0)], pair=[SpecialToken(id="[CLS]", type_id=0), Sequence(id=A, type_id=0), SpecialToken(id="[SEP]", type_id=0), Sequence(id=B, type_id=1), SpecialToken(id="[SEP]", type_id=1)], special_tokens={"[CLS]":SpecialToken(id="[CLS]", ids=[101], tokens=["[CLS]"]), "[SEP]":SpecialToken(id="[SEP]", ids=[102], tokens=["[SEP]"])}), decoder=WordPiece(prefix="##", cleanup=True), model=WordPiece(unk_token="[UNK]", continuing_subword_prefix="##", max_input_chars_per_word=100, vocab={"[PAD]":0, "[unused0]":1, "[unused1]":2, ...}))

The pre_tokenizer.Sequence and normalizer.Sequence are also more accessible now:

from tokenizers import normalizers
norm = normalizers.Sequence([normalizers.Strip(), normalizers.BertNormalizer()])
norm[0]
norm[1].lowercase=False

What's Changed

• remove enforcement of non special when adding tokens by @​ArthurZucker in huggingface/tokenizers#1521
• [BREAKING CHANGE] Ignore added_tokens (both special and not) in the decoder by @​Narsil in huggingface/tokenizers#1513
• Make USED_PARALLELISM atomic by @​nathaniel-daniel in huggingface/tokenizers#1532
• Fixing for clippy 1.78 by @​Narsil in huggingface/tokenizers#1548
• feat(ci): add trufflehog secrets detection by @​McPatate in huggingface/tokenizers#1551
• Switch from cached_download to hf_hub_download in tests by @​Wauplin in huggingface/tokenizers#1547
• Fix "dictionnary" typo by @​nprisbrey in huggingface/tokenizers#1511
• make sure we don't warn on empty tokens by @​ArthurZucker in huggingface/tokenizers#1554
• Enable dropout = 0.0 as an equivalent to none in BPE by @​mcognetta in huggingface/tokenizers#1550
• Revert "[BREAKING CHANGE] Ignore added_tokens (both special and not) … by @​ArthurZucker in huggingface/tokenizers#1569
• Add bytelevel normalizer to fix decode when adding tokens to BPE by @​ArthurZucker in huggingface/tokenizers#1555
• Fix clippy + feature test management. by @​Narsil in huggingface/tokenizers#1580
• Bump spm_precompiled to 0.1.3 by @​MikeIvanichev in huggingface/tokenizers#1571
• Add benchmark vs tiktoken by @​Narsil in huggingface/tokenizers#1582
• Fixing the benchmark. by @​Narsil in huggingface/tokenizers#1583
• Tiny improvement by @​Narsil in huggingface/tokenizers#1585
• Enable fancy regex by @​Narsil in huggingface/tokenizers#1586
• Fixing release CI strict (taken from safetensors). by @​Narsil in huggingface/tokenizers#1593
• Adding some serialization testing around the wrapper. by @​Narsil in huggingface/tokenizers#1594

... (truncated)

Commits

• a5adaac version 0.20.0
• a8def07 Merge branch 'fix_release' of github.com:huggingface/tokenizers into branch_v...
• fe50673 Fix CI
• b253835 push cargo
• fc3bb76 update dependencies
• bfd9cde Perf improvement 16% by removing offsets. (#1587)
• bd27fa5 add deserialize for pre tokenizers (#1603)
• 56c9c70 Tests + Deserialization improvement for normalizers. (#1604)
• 49dafd7 Fix strip python type (#1602)
• bded212 Support None to reset pre_tokenizers and normalizers, and index sequences (...
• Additional commits viewable in compare view

Updates transformers from 4.44.0 to 4.44.2

Release notes

Sourced from transformers's releases.

Release v4.44.2

Patch release v4.44.2, mostly 2 regressions that were not caught for Jamba and for processors!

• Fix: Jamba cache fails to use torch.nn.module (#32894) Authored by @​xgal
• Fix: No need to dtype A in Jamba (#32924) @​xgal
• Fix: Regression on Processor.save_pretrained caused by #31691 (#32921) Authored by @​leloykun

Patch release v4.44.1

Here are the different fixes, mostly Gemma2 context length, nits here and there, and generation issues

• is_torchdynamo_compiling -- cast a wide exception net (#32476) by @​gante
• Revert "fixes to properly shard FSDP across cpu and meta for cpu_effcient_loading for prequantized 4bit (#32276)" (#32477) by @​gante and @​matthewdouglas
• Gemma2: fix FA2 generation (#32553) by @​zucchini-nlp
• Fix: FA2 with packed training (#32487) by @​zucchini-nlp
• Fix sliding window attention used in Gemma2FlashAttention2 (#32522) by @​brcps12
• Automatically add transformers tag to the modelcard (#32623) by @​LysandreJik
• add back the position ids (#32554) by @​ArthurZucker
• Use head_dim if in config for RoPE (#32495) @​suiyoubi @​ArthurZucker
• Revert PR 32299, flag users when Zero-3 was missed (#32851) by @​muellerzr
• fix multi-gpu with static cache (#32543) by @​SunMarc
• Reduce the error log when using core models that need their weights r… (#32656) by @​muellerzr
• Fix VLM generation issues (#32836) by @​zucchini-nlp
• Fix generate with inputs_embeds as input (#32493) (this PR has some cherry-pick)

Full Changelog: huggingface/transformers@v4.44.0...v4.44.1

Commits

• 1748902 v4.44.2
• 6845144 Fix regression on Processor.save_pretrained caused by #31691 (#32921)
• 3d8cba8 fix: no need to dtype A in jamba (#32924)
• c1df7f8 fix: jamba cache fails to use torch.nn.module (#32894)
• ca56cd7 v4.44.1
• 6e931e1 Gemma2: fix FA2 generation (#32553)
• 74f57df Fix generate with inputs_embeds as input (#32493)
• 084fe2e Merge branch 'v4.44-release' of github.com:huggingface/transformers into v4.4...
• fff9be1 Reduce the error log when using core models that need their weights renamed, ...
• 4fd0f48 Fix VLM generation issues (#32836)
• Additional commits viewable in compare view

Updates numpy from 1.26.4 to 2.1.0

Release notes

Sourced from numpy's releases.

2.1.0 (Aug 18, 2024)

NumPy 2.1.0 Release Notes

NumPy 2.1.0 provides support for the upcoming Python 3.13 release and drops support for Python 3.9. In addition to the usual bug fixes and updated Python support, it helps get us back into our usual release cycle after the extended development of 2.0. The highlights for this release are:

• Support for the array-api 2023.12 standard.
• Support for Python 3.13.
• Preliminary support for free threaded Python 3.13.

Python versions 3.10-3.13 are supported in this release.

New functions

New function numpy.unstack

A new function np.unstack(array, axis=...) was added, which splits an array into a tuple of arrays along an axis. It serves as the inverse of [numpy.stack]{.title-ref}.

(gh-26579)

Deprecations

• The fix_imports keyword argument in numpy.save is deprecated. Since NumPy 1.17, numpy.save uses a pickle protocol that no longer supports Python 2, and ignored fix_imports keyword. This keyword is kept only for backward compatibility. It is now deprecated.

  (gh-26452)

• Passing non-integer inputs as the first argument of [bincount]{.title-ref} is now deprecated, because such inputs are silently cast to integers with no warning about loss of precision.

  (gh-27076)

Expired deprecations

• Scalars and 0D arrays are disallowed for numpy.nonzero and numpy.ndarray.nonzero.

  (gh-26268)

• set_string_function internal function was removed and PyArray_SetStringFunction was stubbed out.

... (truncated)

Commits

• 2f7fe64 Merge pull request #27236 from charris/prepare-2.1.0
• b6f434f REL: Prepare for the NumPy 2.1.0 release [wheel build]
• 3cf9394 Merge pull request #27234 from charris/backport-25984
• 7443dcc Merge pull request #27233 from charris/backport-27223
• 85b1cab BUG: Allow fitting of degree zero polynomials with Polynomial.fit
• 395a81d DOC: reword discussion about shared arrays to hopefully be clearer
• 5af2e96 Move NUMUSERTYPES thread safety discussion to legacy DType API docs
• d902c24 DOC: add docs on thread safety in NumPy
• c080180 Merge pull request #27229 from charris/backport-27226
• 44ce7e8 BUG: Fix PyArray_ZeroContiguousBuffer (resize) with struct dtypes
• Additional commits viewable in compare view

Updates jupyterlab from 4.3.0b0 to 4.3.0b1

Release notes

Sourced from jupyterlab's releases.

v4.3.0b1

4.3.0b1

(Full Changelog)

Enhancements made

• Clean up SVG icons from @jupyterlab/ui-components and update SVGO #16678 (@​joaopalmeiro)

Bugs fixed

• Use locale name instead of display/native name to toggle language #16710 (@​maitreya2954)
• Add null checks for "input" variable #16705 (@​JasonWeill)
• Null checks to guard against cell toolbar errors on startup #16704 (@​JasonWeill)
• Update contents model on file change due to save from RTC #16695 (@​krassowski)
• Add a guard on uninitialized nodes when resizing, remove log #16693 (@​krassowski)
• Fix output streaming in RTC #16692 (@​davidbrochart)
• Prevent replacing code with find and replace in read-only cells #16682 (@​itsmevichu)
• Avoid changing type of read-only cells #16679 (@​cmarmo)

Maintenance and upkeep improvements

• Bump axios from 1.6.1 to 1.7.4 #16691 (@​dependabot)
• Update to Playwright 1.46.1 #16684 (@​jtpio)

Documentation improvements

• User-facing changelog for JupyterLab 4.3 #16709 (@​krassowski)
• Update to Playwright 1.46.1 #16684 (@​jtpio)
• Fix JupyterLab install instructions in the debugger docs #16683 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​cmarmo | @​davidbrochart | @​dependabot | @​itsmevichu | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-probot | @​krassowski | @​maitreya2954

Changelog

Sourced from jupyterlab's changelog.

4.3.0b1

(Full Changelog)

Enhancements made

• Clean up SVG icons from @jupyterlab/ui-components and update SVGO #16678 (@​joaopalmeiro)

Bugs fixed

• Use locale name instead of display/native name to toggle language #16710 (@​maitreya2954)
• Add null checks for "input" variable #16705 (@​JasonWeill)
• Null checks to guard against cell toolbar errors on startup #16704 (@​JasonWeill)
• Update contents model on file change due to save from RTC #16695 (@​krassowski)
• Add a guard on uninitialized nodes when resizing, remove log #16693 (@​krassowski)
• Fix output streaming in RTC #16692 (@​davidbrochart)
• Prevent replacing code with find and replace in read-only cells #16682 (@​itsmevichu)
• Avoid changing type of read-only cells #16679 (@​cmarmo)

Maintenance and upkeep improvements

• Bump axios from 1.6.1 to 1.7.4 #16691 (@​dependabot)
• Update to Playwright 1.46.1 #16684 (@​jtpio)

Documentation improvements

• User-facing changelog for JupyterLab 4.3 #16709 (@​krassowski)
• Update to Playwright 1.46.1 #16684 (@​jtpio)
• Fix JupyterLab install instructions in the debugger docs #16683 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​cmarmo | @​davidbrochart | @​dependabot | @​itsmevichu | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-probot | @​krassowski | @​maitreya2954

Commits

• f7ca6ad [ci skip] Publish 4.3.0b1
• 594d340 User-facing changelog for JupyterLab 4.3 (#16709)
• f06c3e6 Merge commit from fork
• 53819cc Use locale name instead of display/native name to toggle language (#16710)
• 91f1c7c Fix stream output (#16692)
• 16611e1 Add a guard on uninitialized nodes when resizing, remove log (#16693)
• 6c60d71 Update contents model on file change due to save from RTC (#16695)
• 88eb874 Add null checks for "input" variable (#16705)
• a3b2d64 Null checks to guard against cell toolbar errors on startup (#16704)
• 3c12e59 Clean up SVG icons from @jupyterlab/ui-components and update SVGO (#16678)
• Additional commits viewable in compare view

Updates neural-compressor from 3.0 to 3.0.1

Commits

• efb5100 update 3x pt binary build (#1992)
• f478012 bump version
• 6f57eef Update installation_guide.md (#1989)
• 3cdcd3c add quantize, save, load function for transformers-like api (#1986)
• 65235e4 add hasattr check for torch fp8 dtype (#1985)
• 0e88b25 update installation and ci test for 3x api (#1991)
• 9486bf3 Fix UT env and upgrade torch to 2.4.0 (#1978)
• See full diff in compare view

Updates torchtext from 0.18.0 to 0.18.0+cpu

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

pytorch/hf-genai-requirements.txt

Package	Version	License	Issue Type
protobuf	5.28.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/onnxruntime	1.19.0	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 8 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed or have provenance Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/onnxruntime-extensions	0.12.0	🟢 6.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 7 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/protobuf	5.28.0	🟢 7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 20 out of 20 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 1 found 25 unreviewed changesets out of 30 -- score normalized to 1 Contributors 🟢 10 13 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3 Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed or have provenance Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 7 3 existing vulnerabilities detected
pip/tokenizers	0.20.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 8 Found 24/27 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected
pip/transformers	4.44.2	🟢 4.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 466 existing vulnerabilities detected
pip/jupyterlab	4.3.0b1	🟢 5.5	Details Check Score Reason Code-Review 🟢 8 Found 26/29 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 9 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(4.2.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
pip/neural-compressor	3.0.1	🟢 7.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 24/29 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 92 existing vulnerabilities detected
pip/torchtext	0.18.0+cpu	🟢 5.3	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
pip/numpy	2.1.0	🟢 8.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 19 out of 19 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 10 project has 93 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected

Scanned Manifest Files

pytorch/hf-genai-requirements.txt

• onnxruntime@1.19.0
• onnxruntime-extensions@0.12.0
• protobuf@5.28.0
• tokenizers@0.20.0
• transformers@4.44.2
• onnxruntime@1.18.1
• onnxruntime-extensions@0.11.0
• protobuf@5.27.3
• tokenizers@0.19.1
• transformers@4.44.0

pytorch/jupyter-requirements.txt

• jupyterlab@4.3.0b1
• jupyterlab@4.3.0b0

pytorch/multinode/requirements.txt

• neural-compressor@3.0.1
• neural-compressor@3.0

pytorch/serving/torchserve-requirements.txt

• torchtext@0.18.0+cpu
• torchtext@0.18.0

pytorch/serving/torchserve-xpu-requirements.txt

• numpy@2.1.0
• numpy@1.26.4

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.