Bump the pip group across 1 directory with 3 updates #2

dependabot · 2024-05-03T21:31:51Z

Bumps the pip group with 3 updates in the / directory: onnx, pillow and tqdm.

Updates onnx from 1.14.0 to 1.16.0

Release notes

v1.16.0

ONNX v1.16.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Key Updates

ai.onnx Opset 21

Update to support int4 and uint4:

Cast, CastLike, Constant, ConstantOfShape, Identity, If, Loop, Reshape, Scan, Shape, Size

Update to support float8e4m3fnuz, float8e5m2, float8e5m2fnuz, int4 and uint4:

Flatten, Pad, Squeeze, Transpose, Unsqueeze

Support blocked quantization. Support int4, uint4, int16, and uint16:

DequantizeLinear, QuantizeLinear,

Support bfloat16 and float16 scales. Support float8e4m3fn, float8e4m3fnuz, float8e5m2, float8e5m2fnuz quantized tensors:

QLinearMatMul,

Add stash_type attribute and change input shape of scale and bias from (G) to (C) for GroupNormalization

ai.onnx.ml Opset 4

Addeded new operator TreeEnsemble

IR Version 10

Added support for UINT4, INT4 types

GraphProto, FunctionProto, NodeProto, TensorProto added metadata_props field

FunctionProto added value_info field

FunctionProto and NodeProto added overload field to support overloaded functions.

Python Changes

Support registering custom OpSchemas via Python interface

Support Python3.12

Security Updates

Fix path sanitization bypass leading to arbitrary read (CVE-2024-27318)

Fix Out of bounds read due to lack of string termination in assert (CVE-2024-27319)

Deprecation notice

Deprecated using C++14 to compile ONNX from source. Use C++17 instead #5612

Deprecated TreeEnsembleClassifier and TreeEnsembleRegressor

Remove FormalParameter properties that were depreciated in ONNX 1.14 by 5074

Bug fixes and infrastructure improvements

Enable empty list of values as attribute (#5559)

Add backward conversions from 18->17 for reduce ops (#5606)

DFT-20 version converter (#5613)

Fix version-converter to generate valid identifiers (#5628)

Reserve removed proto fields (#5643)

Cleanup shape inference implementation (#5596)

Do not use LFS64 on non-glibc linux (#5669)

Drop "one of" default attribute check in LabelEncoder (#5673)

TreeEnsemble base values for the reference implementation (#5665)

Parser/printer support external data format (#5688)

[cmake] Place export target file in the correct directory (#5677)

... (truncated)

Commits

990217f Set version number for official release (#6033)
2159934 [Cherry-pick] Fix builds from source and pip tar.gz on s390x systems (#5986)
f46a3f8 [Cherry-pick] Use CMAKE_PREFIX_PATH in finding libprotobuf (#5975) (#5997)
c867683 [Cherry-pick]Fix SegFault bug in shape inference (#5995)
e6ff7b9 [Cherry-pick] Fix unique_name (#5994)
34e00dd Set version in rel-1.16.0 to 1.16.0rc2 (#5987)
309a0b0 [Cherry-pick] Fix Check URLs errors in rel-1.16 (#5973)
69ec4b6 Set version in rel-1.16.0 to 1.16.0rc1 (#5969)
ff60ddc Update top-k documentation (#5948)
833575e Prepare for rel-1.16.0 (#5959)
Additional commits viewable in compare view

Updates pillow from 10.0.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@hugovk]

Use functools.lru_cache for hopper() #7912 [@hugovk]

Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@radarhere]

Improve speed of loading QOI images #7925 [@radarhere]

Added RGB to I;16N conversion #7920 [@radarhere]

Add --report argument to main.py to omit supported formats #7818 [@nulano]

Added RGB to I;16, I;16L and I;16B conversion #7918 [@radarhere]

Fix editable installation with custom build backend and configuration options #7658 [@nulano]

Fix putdata() for I;16N on big-endian #7209 [@Yay295]

Determine MPO size from markers, not EXIF data #7884 [@radarhere]

Improved conversion from RGB to RGBa, LA and La #7888 [@radarhere]

Support FITS images with GZIP_1 compression #7894 [@radarhere]

Use I;16 mode for 9-bit JPEG 2000 images #7900 [@scaramallion]

Raise ValueError if kmeans is negative #7891 [@radarhere]

Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@radarhere]

Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@radarhere]

Added reading of JPEG2000 palettes #7870 [@radarhere]

Added alpha_quality argument when saving WebP images #7872 [@radarhere]

Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@radarhere]

Removed Python and NumPy pinning on Cygwin #7880 [@radarhere]

Update UnidentifiedImageError and version imports #7644 [@radarhere]

Stop reading EPS image at EOF marker #7753 [@radarhere]

PSD layer co-ordinates may be negative #7706 [@radarhere]

Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@radarhere]

When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@radarhere]

Fixed reading PNG iCCP compression method #7823 [@radarhere]

Allow writing IFDRational to UNDEFINED tag #7840 [@radarhere]

Fix logged tag name when loading Exif data #7842 [@radarhere]

Use maximum frame size in IHDR chunk when saving APNG images #7821 [@radarhere]

Prevent opening P TGA images without a palette #7797 [@radarhere]

Use palette when loading ICO images #7798 [@radarhere]

Use consistent arguments for load_read and load_seek #7713 [@radarhere]

Turn off nullability warnings for macOS SDK #7827 [@radarhere]

Fix shift-sign issue in Convert.c #7838 [@r-barnes]

winbuild: Refactor dependency versions into constants #7843 [@hugovk]

Build macOS arm64 wheels natively #7852 [@radarhere]

Fixed typo #7855 [@radarhere]

Open 16-bit grayscale PNGs as I;16 #7849 [@radarhere]

Handle truncated chunks at the end of PNG images #7709 [@lajiyuan]

Match mask size to pasted image size in GifImagePlugin #7779 [@radarhere]

Changed SupportsGetMesh protocol to be public #7841 [@radarhere]

Release GIL while calling WebPAnimDecoderGetNext #7782 [@evanmiller]

Fixed reading FLI/FLC images with a prefix chunk #7804 [@twolife]

Updated package name for Tidelift #7810 [@radarhere]

Removed unused code #7744 [@radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

Determine MPO size from markers, not EXIF data #7884 [radarhere]

Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

Support FITS images with GZIP_1 compression #7894 [radarhere]

Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

Raise ValueError if kmeans is negative #7891 [radarhere]

Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

Added reading of JPEG2000 palettes #7870 [radarhere]

Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

5c89d88 10.3.0 version bump
63cbfcf Update CHANGES.rst [ci skip]
2776126 Merge pull request #7928 from python-pillow/lcms
aeb51cb Merge branch 'main' into lcms
5beb0b6 Update CHANGES.rst [ci skip]
cac6ffa Merge pull request #7927 from python-pillow/imagemath
f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
facf3af Added release notes
2a93aba Use strncpy to avoid buffer overflow
a670597 Update CHANGES.rst [ci skip]
Additional commits viewable in compare view

Updates tqdm from 4.65.0 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

pandas: add DataFrame.progress_map (#1549)

notebook: fix HTML padding (#1506)

keras: fix resuming training when verbose>=2 (#1508)

fix format_num negative fractions missing leading zero (#1548)

fix Python 3.12 DeprecationWarning on import (#1519)

linting: use f-strings (#1549)

update tests (#1549)

fix pandas warnings

fix asv (airspeed-velocity/asv#1323)

fix macos notebook docstring indentation

CI: bump actions (#1549)

tqdm v4.66.1 stable

fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)

e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1

drop mentions of unsupported Python versions

tqdm v4.66.0 stable

environment variables to override defaults (TQDM_*) (#1491 <- #1061, #950 <- #614, #1318, #619, #612, #370)

e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam

add tests & docs for tqdm.utils.envwrap

fix & update CLI completion

fix & update API docs

minor code tidy: replace os.path => pathlib.Path

fix docs image hosting

release with CI bot account again (cli/cli#6680)

tqdm v4.65.2 stable

exclude examples from distributed wheel (#1492)

tqdm v4.65.1 stable

migrate setup.{cfg,py} => pyproject.toml (#1490)

fix asv benchmarks

update docs

fix snap build (#1490)

fix & update tests (#1490)

fix flaky notebook tests

bump pre-commit

bump workflow actions

Commits

4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
b53348c cli: eval safety
cc372d0 bump version, merge pull request #1549 from tqdm/devel
e9f0c05 use PyPI trusted publishing
7323d5b slight makefile clean
5306125 tests: bump pre-commit
4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
6f13759 tests: fix macos notebook indentation
3abcd2a tests: fix asv
a4d15c8 tests: fix pandas warnings
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 3 updates in the / directory: [onnx](https://github.com/onnx/onnx), [pillow](https://github.com/python-pillow/Pillow) and [tqdm](https://github.com/tqdm/tqdm). Updates `onnx` from 1.14.0 to 1.16.0 - [Release notes](https://github.com/onnx/onnx/releases) - [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md) - [Commits](onnx/onnx@v1.14.0...v1.16.0) Updates `pillow` from 10.0.0 to 10.3.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@10.0.0...10.3.0) Updates `tqdm` from 4.65.0 to 4.66.3 - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.65.0...v4.66.3) --- updated-dependencies: - dependency-name: onnx dependency-type: direct:production dependency-group: pip - dependency-name: pillow dependency-type: direct:production dependency-group: pip - dependency-name: tqdm dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label May 3, 2024

dependabot bot mentioned this pull request May 3, 2024

Bump the pip group across 1 directory with 2 updates #1

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the pip group across 1 directory with 3 updates #2

Bump the pip group across 1 directory with 3 updates #2

dependabot bot commented on behalf of github May 3, 2024

Bump the pip group across 1 directory with 3 updates #2

Are you sure you want to change the base?

Bump the pip group across 1 directory with 3 updates #2

Conversation

dependabot bot commented on behalf of github May 3, 2024

v1.16.0

Key Updates

ai.onnx Opset 21

ai.onnx.ml Opset 4

IR Version 10

Python Changes

Security Updates

Deprecation notice

Bug fixes and infrastructure improvements

10.3.0

Changes

10.3.0 (2024-04-01)

tqdm v4.66.3 stable

tqdm v4.66.2 stable

tqdm v4.66.1 stable

tqdm v4.66.0 stable

tqdm v4.65.2 stable

tqdm v4.65.1 stable