dependabot[bot] opened a new pull request, #1023: URL: https://github.com/apache/opennlp/pull/1023
Bumps `onnxruntime.version` from 1.24.3 to 1.25.0. Updates `com.microsoft.onnxruntime:onnxruntime` from 1.24.3 to 1.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/microsoft/onnxruntime/releases";>com.microsoft.onnxruntime:onnxruntime's releases</a>.</em></p> <blockquote> <h2>ONNX Runtime v1.25.0</h2> <h2>📢 Announcements & Breaking Changes</h2> <h3>Build & Platform</h3> <ul> <li><strong>C++20 is now required</strong> to build ONNX Runtime from source. Minimum toolchains: MSVC 19.29+, GCC 10+, Clang 10+. Users of prebuilt packages are unaffected. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27178";>#27178</a>)</li> <li><strong>CUDA minimum version raised to 12.0</strong> — CUDA 11.x is no longer supported. Users pinned to CUDA 11.x should stay on ORT 1.24.x or upgrade their CUDA toolkit/driver. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27570";>#27570</a>)</li> <li><strong>ONNX upgraded to 1.21.0</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27601";>#27601</a>)</li> <li><strong>sympy is now an optional dependency</strong> for Python builds. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27200";>#27200</a>)</li> </ul> <h3>Execution Provider Changes</h3> <ul> <li><strong>ArmNN EP has been removed.</strong> Users should remove any <code>--use_armnn</code> build flags and migrate to the MLAS/KleidiAI-backed CPU EP or QNN EP for Qualcomm hardware. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27447";>#27447</a>)</li> </ul> <h3>API Version</h3> <ul> <li><strong>ORT_API_VERSION</strong> updated to <strong>25</strong>. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27280";>#27280</a>)</li> </ul> <hr /> <h2>🔒 Security Fixes</h2> <ul> <li>Fixed <strong>potential integer truncation leading to heap out-of-bounds read/write</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27544";>#27544</a>)</li> <li>Addressed <strong>Pad Reflect vulnerability</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27652";>#27652</a>)</li> <li><strong>Security fix for transpose optimizer</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27555";>#27555</a>)</li> <li>Upgraded minimatch 3.1.2 → 3.1.4 for <strong>CVE-2026-27904</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27667";>#27667</a>)</li> <li>Hardened shell command handling for constant strings (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27840";>#27840</a>)</li> <li>Added validation of <code>onnx::TensorProto</code> data size before allocation (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27547";>#27547</a>)</li> <li>Cleaned up external data path validation (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27539";>#27539</a>)</li> <li>Fixed misaligned address reads for tensor attributes from raw data buffers (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27312";>#27312</a>)</li> <li>Fixed <strong>CPU Attention overflow</strong> issue (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27822";>#27822</a>)</li> <li>Fixed <strong>CPU LRN integer overflow</strong> issues (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27886";>#27886</a>)</li> <li>Additional input validation hardening: <ul> <li>Tile kernel dim overflow (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27566";>#27566</a>)</li> <li>Out-of-bounds read in cross entropy (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27568";>#27568</a>)</li> <li>TreeEnsembleClassifier attributes (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27571";>#27571</a>)</li> <li>AffineGrid (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27572";>#27572</a>)</li> <li>EmbedLayerNorm position_ids (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27573";>#27573</a>)</li> <li>RotaryEmbedding position_ids (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27597";>#27597</a>)</li> <li>RoiAlign batch_indices (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27603";>#27603</a>)</li> <li>MaxUnpool indices (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27432";>#27432</a>)</li> <li>QMoECPU swiglu OOB (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27748";>#27748</a>)</li> <li>SVMClassifier initializer (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27699";>#27699</a>)</li> <li>Col2Im SafeInt (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27625";>#27625</a>)</li> </ul> </li> </ul> <hr /> <h2>✨ New Features</h2> <h3>🔌 Execution Provider Plugin API & CUDA Plugin EP</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/microsoft/onnxruntime/commit/7a71bc575b189cdedea7fa2c0f87389f870bd10e";><code>7a71bc5</code></a> Cherry-pick CI/pipeline fixes for rel-1.25.0 (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/28106";>#28106</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/211edbc9a7fb5c26bf4e669de251c8d880fdf244";><code>211edbc</code></a> FF rel-1.25 to last merge prior to version bump & add first round of cherry p...</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/57b265ee17b4581bef85e28630d0acf32ef6681f";><code>57b265e</code></a> [MLAS] Add depthwise with multiplier conv special kernel for NCHW data layout...</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/bec279255b32b5dfef9657870ac2b92afe165527";><code>bec2792</code></a> Plugin EP event profiling APIs (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27649";>#27649</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/a997c4fd4335e70a295c8714d84383be689cfe89";><code>a997c4f</code></a> [VitisAI] external_ep_library typo fix (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27647";>#27647</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/f2c28e2c2573e960fe27d4f8cac29e18a666bd08";><code>f2c28e2</code></a> S390x test fixes (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27404";>#27404</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/0f43e16189e8a0d4073b9ea53b0aeaf148a9a0e1";><code>0f43e16</code></a> [QNN-EP] Fix use-after-free of logger object (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27804";>#27804</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/f22e3a997eb2edfe3201db6572aa9d2b95ee8008";><code>f22e3a9</code></a> webgpu: Optimize DP4A SmallM MatMulNBits tiling (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27910";>#27910</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/048e7dc63326c23c9110565bf9371655445c4006";><code>048e7dc</code></a> [Plugin EP] Add plugin EP APIs to retrieve ONNX operator schemas (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27713";>#27713</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/e43d3064dc6002e697139fa1c08daa355a77367a";><code>e43d306</code></a> [CI] fix: missing <code>branch</code> specifier in <code>schedule</code> directive (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27914";>#27914</a>)</li> <li>Additional commits viewable in <a href="https://github.com/microsoft/onnxruntime/compare/v1.24.3...v1.25.0";>compare view</a></li> </ul> </details> <br /> Updates `com.microsoft.onnxruntime:onnxruntime_gpu` from 1.24.3 to 1.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/microsoft/onnxruntime/releases";>com.microsoft.onnxruntime:onnxruntime_gpu's releases</a>.</em></p> <blockquote> <h2>ONNX Runtime v1.25.0</h2> <h2>📢 Announcements & Breaking Changes</h2> <h3>Build & Platform</h3> <ul> <li><strong>C++20 is now required</strong> to build ONNX Runtime from source. Minimum toolchains: MSVC 19.29+, GCC 10+, Clang 10+. Users of prebuilt packages are unaffected. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27178";>#27178</a>)</li> <li><strong>CUDA minimum version raised to 12.0</strong> — CUDA 11.x is no longer supported. Users pinned to CUDA 11.x should stay on ORT 1.24.x or upgrade their CUDA toolkit/driver. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27570";>#27570</a>)</li> <li><strong>ONNX upgraded to 1.21.0</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27601";>#27601</a>)</li> <li><strong>sympy is now an optional dependency</strong> for Python builds. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27200";>#27200</a>)</li> </ul> <h3>Execution Provider Changes</h3> <ul> <li><strong>ArmNN EP has been removed.</strong> Users should remove any <code>--use_armnn</code> build flags and migrate to the MLAS/KleidiAI-backed CPU EP or QNN EP for Qualcomm hardware. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27447";>#27447</a>)</li> </ul> <h3>API Version</h3> <ul> <li><strong>ORT_API_VERSION</strong> updated to <strong>25</strong>. (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27280";>#27280</a>)</li> </ul> <hr /> <h2>🔒 Security Fixes</h2> <ul> <li>Fixed <strong>potential integer truncation leading to heap out-of-bounds read/write</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27544";>#27544</a>)</li> <li>Addressed <strong>Pad Reflect vulnerability</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27652";>#27652</a>)</li> <li><strong>Security fix for transpose optimizer</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27555";>#27555</a>)</li> <li>Upgraded minimatch 3.1.2 → 3.1.4 for <strong>CVE-2026-27904</strong> (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27667";>#27667</a>)</li> <li>Hardened shell command handling for constant strings (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27840";>#27840</a>)</li> <li>Added validation of <code>onnx::TensorProto</code> data size before allocation (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27547";>#27547</a>)</li> <li>Cleaned up external data path validation (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27539";>#27539</a>)</li> <li>Fixed misaligned address reads for tensor attributes from raw data buffers (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27312";>#27312</a>)</li> <li>Fixed <strong>CPU Attention overflow</strong> issue (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27822";>#27822</a>)</li> <li>Fixed <strong>CPU LRN integer overflow</strong> issues (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27886";>#27886</a>)</li> <li>Additional input validation hardening: <ul> <li>Tile kernel dim overflow (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27566";>#27566</a>)</li> <li>Out-of-bounds read in cross entropy (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27568";>#27568</a>)</li> <li>TreeEnsembleClassifier attributes (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27571";>#27571</a>)</li> <li>AffineGrid (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27572";>#27572</a>)</li> <li>EmbedLayerNorm position_ids (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27573";>#27573</a>)</li> <li>RotaryEmbedding position_ids (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27597";>#27597</a>)</li> <li>RoiAlign batch_indices (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27603";>#27603</a>)</li> <li>MaxUnpool indices (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27432";>#27432</a>)</li> <li>QMoECPU swiglu OOB (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27748";>#27748</a>)</li> <li>SVMClassifier initializer (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27699";>#27699</a>)</li> <li>Col2Im SafeInt (<a href="https://redirect.github.com/microsoft/onnxruntime/pull/27625";>#27625</a>)</li> </ul> </li> </ul> <hr /> <h2>✨ New Features</h2> <h3>🔌 Execution Provider Plugin API & CUDA Plugin EP</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/microsoft/onnxruntime/commit/7a71bc575b189cdedea7fa2c0f87389f870bd10e";><code>7a71bc5</code></a> Cherry-pick CI/pipeline fixes for rel-1.25.0 (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/28106";>#28106</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/211edbc9a7fb5c26bf4e669de251c8d880fdf244";><code>211edbc</code></a> FF rel-1.25 to last merge prior to version bump & add first round of cherry p...</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/57b265ee17b4581bef85e28630d0acf32ef6681f";><code>57b265e</code></a> [MLAS] Add depthwise with multiplier conv special kernel for NCHW data layout...</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/bec279255b32b5dfef9657870ac2b92afe165527";><code>bec2792</code></a> Plugin EP event profiling APIs (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27649";>#27649</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/a997c4fd4335e70a295c8714d84383be689cfe89";><code>a997c4f</code></a> [VitisAI] external_ep_library typo fix (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27647";>#27647</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/f2c28e2c2573e960fe27d4f8cac29e18a666bd08";><code>f2c28e2</code></a> S390x test fixes (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27404";>#27404</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/0f43e16189e8a0d4073b9ea53b0aeaf148a9a0e1";><code>0f43e16</code></a> [QNN-EP] Fix use-after-free of logger object (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27804";>#27804</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/f22e3a997eb2edfe3201db6572aa9d2b95ee8008";><code>f22e3a9</code></a> webgpu: Optimize DP4A SmallM MatMulNBits tiling (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27910";>#27910</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/048e7dc63326c23c9110565bf9371655445c4006";><code>048e7dc</code></a> [Plugin EP] Add plugin EP APIs to retrieve ONNX operator schemas (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27713";>#27713</a>)</li> <li><a href="https://github.com/microsoft/onnxruntime/commit/e43d3064dc6002e697139fa1c08daa355a77367a";><code>e43d306</code></a> [CI] fix: missing <code>branch</code> specifier in <code>schedule</code> directive (<a href="https://redirect.github.com/microsoft/onnxruntime/issues/27914";>#27914</a>)</li> <li>Additional commits viewable in <a href="https://github.com/microsoft/onnxruntime/compare/v1.24.3...v1.25.0";>compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
