Bump the pip group across 6 directories with 6 updates #426

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/dot-aitk/requirements/pip-1a29238a72

dependabot[bot] commented on behalf of github on May 19, 2026

Updates the requirements on transformers, diffusers, idna, onnx, torch and urllib3 to permit the latest version.
Updates transformers from 4.51.3 to 5.0.0rc3

Release notes

Sourced from transformers's releases.

Release candidate v5.0.0rc3

New models:

What's Changed

We are getting closer and closer to the official release! This RC is focused on removing more of the deprecated stuff, fixing some minor issues, doc updates.

... (truncated)

Commits

Updates diffusers from 0.35.0 to 0.38.0

Release notes

Sourced from diffusers's releases.

Diffusers 0.38.0: New image and audio pipelines, Core library improvements, and more

New Pipelines

LLaDA2

LLaDA2 is a family of discrete diffusion language models that generate text through block-wise iterative refinement. Instead of autoregressive token-by-token generation, LLaDA2 starts with a fully masked sequence and progressively unmasks tokens by confidence over multiple refinement steps.

Nucleus-MoE

NucleusMoE-Image is a 2B active 17B parameter model trained with efficiency at its core. Our novel architecture highlights the scalability of a sparse MoE architecture for Image generation.

Thanks to @​sippycoder for the contribution.

Ernie-Image

ERNIE-Image is a powerful and highly efficient image generation model with 8B parameters.

Thanks to @​HsiaWinter for the contribution.

LongCat-AudioDiT

LongCat-AudioDiT is a text-to-audio diffusion model from Meituan LongCat.

Thanks to @​RuixiangMa for the contribution.

Ace-Step 1.5

ACE-Step 1.5 generates variable-length stereo audio at 48 kHz (10 seconds to 10 minutes) from text prompts and optional lyrics. The full system pairs a Language Model planner with a Diffusion Transformer (DiT) synthesizer; this pipeline wraps the DiT half of that stack, and consists of three components: an AutoencoderOobleck VAE that compresses waveforms into 25 Hz stereo latents, a Qwen3-based text encoder for prompt and lyric conditioning, and an AceStepTransformer1DModel DiT that operates in the VAE latent space using flow matching.

Thanks to @ChuxiJ for the contribution.

Flux.2 Small Decoder

Make your Flux.2 decoding faster with this new small decoder model from the Black Forest Labs. You can check it out here. It was contributed by @​huemin-art in this PR.

... (truncated)

Commits
  • 275869d Release: v0.38.0-release
  • 42a46e4 Fix missing latents_bn_std dtype cast in VAE normalization (#13299)
  • 1a8a17b Add ACE-Step pipeline for text-to-music generation (#13095)
  • 303c1d8 [Ernie-Image] Add lora support (#13575)
  • 716f246 Fix UniPC scheduler device mismatch when using offloading (#13489)
  • a5bc046 NucleusMoE docs (#13661)
  • 4744648 [ci] use tokenizers stable installtion in CI. (#13562)
  • 50cb2db feat: support ring attention with arbitrary KV sequence lengths (#13545)
  • 0fff459 Fix ErnieImagePipeline pre-computed prompt_embeds + num_images_per_prompt sha...
  • 2173c55 [docs] fix typo in AutoencoderOobleck docs (#13642) (#13645)
  • Additional commits viewable in compare view

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

  • Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Updates onnx from 1.17.0 to 1.21.0

Release notes

Sourced from onnx's releases.

v1.21.0

ONNX v1.21.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

What's Changed

Breaking Changes and Deprecations

Spec and Operator

Reference Implementation

Utilities and Tools

Build, CI and Tests

... (truncated)

Commits

Updates torch from 2.6.0 to 2.7.1+cu128

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

    See GHSA-mf9v-mfxr-j63j for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
  • Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
  • Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official [Brotli](https://pypi.org/project/brotli/) library.

    See [GHSA-mf9v-mfxr-j63j](https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j) for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. ([GHSA-qccp-gfcp-xxvc](https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc))

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763))
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720))
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979))
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777))

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636))
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

Updates the requirements on [transformers](https://github.com/huggingface/transformers), [diffusers](https://github.com/huggingface/diffusers), [idna](https://github.com/kjd/idna), [onnx](https://github.com/onnx/onnx), torch and [urllib3](https://github.com/urllib3/urllib3) to permit the latest version.

Updates `transformers` from 4.51.3 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `diffusers` from 0.35.0 to 0.38.0
- [Release notes](https://github.com/huggingface/diffusers/releases)
- [Commits](huggingface/diffusers@v0.35.0...v0.38.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `onnx` from 1.17.0 to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.17.0...v1.21.0)

Updates `torch` from 2.6.0 to 2.7.1+cu128

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `transformers` from 4.51.3 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `diffusers` from 0.35.0 to 0.38.0
- [Release notes](https://github.com/huggingface/diffusers/releases)
- [Commits](huggingface/diffusers@v0.35.0...v0.38.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `onnx` from 1.17.0 to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.17.0...v1.21.0)

Updates `torch` from 2.7.0 to 2.8.0

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `transformers` to 5.8.1
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `diffusers` to 0.38.0
- [Release notes](https://github.com/huggingface/diffusers/releases)
- [Commits](huggingface/diffusers@v0.35.0...v0.38.0)

Updates `transformers` from 4.50.1 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `idna` from 3.11 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `onnx` to 1.21.0
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.17.0...v1.21.0)

Updates `torch` to 2.12.0

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `transformers` from 4.52.3 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `torch` from 2.7.0 to 2.8.0

Updates `transformers` from 4.51.3 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.51.3...v5.0.0rc3)

Updates `diffusers` from 0.31.0 to 0.38.0
- [Release notes](https://github.com/huggingface/diffusers/releases)
- [Commits](huggingface/diffusers@v0.35.0...v0.38.0)

---
updated-dependencies:
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: diffusers
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.7.1+cu128
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: diffusers
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.8.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.8.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: diffusers
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: onnx
  dependency-version: 1.21.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.12.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.8.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: diffusers
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and python labels on May 19, 2026
Copilot AI review requested due to automatic review settings May 19, 2026 19:33
dependabot[bot] requested review from a team as code owners May 19, 2026 19:33
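
A reviewer's check over the `updated-dependencies` trailer above, as an added example (not Dependabot's or this repository's code): it groups the target versions per package and flags packages that land on different versions across directories, pre-release targets, and local build labels. The sample trailer is a constructed, shortened copy of the block above; the function names and the simplified PEP 440 test are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened trailer in the shape of the block above.
SAMPLE_TRAILER = """\
updated-dependencies:
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
- dependency-name: torch
  dependency-version: 2.7.1+cu128
- dependency-name: idna
  dependency-version: '3.15'
- dependency-name: torch
  dependency-version: 2.8.0
- dependency-name: transformers
  dependency-version: 5.8.1
- dependency-name: torch
  dependency-version: 2.12.0
- dependency-name: urllib3
  dependency-version: 2.7.0
...
"""

# Simplified PEP 440 test (assumption): digits and dots, optional .postN.
FINAL_RELEASE = re.compile(r"^\d+(\.\d+)*(\.post\d+)?$")


def parse_trailer(text):
    """Return (name, version) pairs from an updated-dependencies block."""
    entries, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- dependency-name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("dependency-version:") and name:
            version = line.split(":", 1)[1].strip().strip("'\"")
            entries.append((name, version))
            name = None
    return entries


def is_prerelease(version):
    public = version.split("+", 1)[0]  # drop a local label such as +cu128
    return FINAL_RELEASE.match(public) is None


def review_findings(text):
    """Map package -> (sorted target versions, flags) for flagged packages."""
    targets = defaultdict(set)
    for name, version in parse_trailer(text):
        targets[name].add(version)
    findings = {}
    for name, versions in sorted(targets.items()):
        flags = []
        if len(versions) > 1:
            flags.append("divergent")    # directories end up on different versions
        if any(is_prerelease(v) for v in versions):
            flags.append("prerelease")   # e.g. an rc proposed for a production dep
        if any("+" in v for v in versions):
            flags.append("local-build")  # local version label, index-specific
        if flags:
            findings[name] = (sorted(versions), flags)
    return findings


if __name__ == "__main__":
    for pkg, (versions, flags) in review_findings(SAMPLE_TRAILER).items():
        print(f"{pkg}: {', '.join(versions)} -> {', '.join(flags)}")
```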

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@xieofxie

sigh..
