Skip to content

Bump the pip group across 3 directories with 5 updates#4139

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/src/dependencies/requirements/base_requirements/pip-79b0469b16
Open

Bump the pip group across 3 directories with 5 updates#4139
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/src/dependencies/requirements/base_requirements/pip-79b0469b16

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown

Bumps the pip group with 2 updates in the /src/dependencies/requirements/base_requirements directory: setuptools and torch.
Bumps the pip group with 1 update in the /src/dependencies/requirements/generated_requirements directory: torch.
Bumps the pip group with 3 updates in the /src/maxtext/inference/mlperf directory: sentencepiece, transformers and nltk.

Updates setuptools from 78.1.0 to 78.1.1

Changelog

Sourced from setuptools's changelog.

v78.1.1

Bugfixes

  • More fully sanitized the filename in PackageIndex._download. (#4946)
Commits

Updates torch from 2.11.0 to 2.12.0

Release notes

Sourced from torch's releases.

PyTorch 2.12.0 Release Notes

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Backwards Incompatible Changes

Build Frontend

  • Strengthened SVE compile checks in FindARM.cmake, which may reject previously accepted but incorrect SVE configurations (#176646)

    Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.

  • Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (#178925)

    Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure CUDA_HOME points to that installation.

    Version 2.11:

    CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop

    Version 2.12:

    CUDA_HOME=/usr/local/cuda-12.6 python setup.py develop

  • Enforced a C++20 minimum in CMake build files (#178662)

... (truncated)

Commits
  • 0d62256 [release] Dockerfile: skip torchaudio install when CUDA_PATH=cu132 (#183346)
  • 7661cd9 [MPS] Fix SDPA wrong output for permuted q/k/v with B > 1 (#181886)
  • 9da6087 Fix stale PYTORCH_RELEASES_CODE_CC dict (fixes #182250) (#182369)
  • e4c37cc Avoid raw stream name collisions in Inductor (#182178)
  • 822d047 [MPS] Fix bool mask handling in 1-pass SDPA decode kernel (#182285) (#182311)
  • 5c5e523 Add enable_gqa parameter to SDPA MPS meta registration (#181550)
  • eece52e [AOTI] Add BC-safe c_shim v2 for _scaled_dot_product_attention_math_for_mps e...
  • b39330b [Inductor] Call latest c_shim version for versioned fallback ops (#181548)
  • 06f10d0 Revert "[FSDP2] add fqn to communication ops" (#182100) (#182157)
  • 449e339 Revert "[Inductor] Improve materialization heuristic for a chain of computaio...
  • Additional commits viewable in compare view

Updates torch from 2.11.0+cpu to 2.12.0

Release notes

Sourced from torch's releases.

PyTorch 2.12.0 Release Notes

Highlights

For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.

Backwards Incompatible Changes

Build Frontend

  • Strengthened SVE compile checks in FindARM.cmake, which may reject previously accepted but incorrect SVE configurations (#176646)

    Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.

  • Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (#178925)

    Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure CUDA_HOME points to that installation.

    Version 2.11:

    CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop

    Version 2.12:

    CUDA_HOME=/usr/local/cuda-12.6 python setup.py develop

  • Enforced a C++20 minimum in CMake build files (#178662)

... (truncated)

Commits
  • 0d62256 [release] Dockerfile: skip torchaudio install when CUDA_PATH=cu132 (#183346)
  • 7661cd9 [MPS] Fix SDPA wrong output for permuted q/k/v with B > 1 (#181886)
  • 9da6087 Fix stale PYTORCH_RELEASES_CODE_CC dict (fixes #182250) (#182369)
  • e4c37cc Avoid raw stream name collisions in Inductor (#182178)
  • 822d047 [MPS] Fix bool mask handling in 1-pass SDPA decode kernel (#182285) (#182311)
  • 5c5e523 Add enable_gqa parameter to SDPA MPS meta registration (#181550)
  • eece52e [AOTI] Add BC-safe c_shim v2 for _scaled_dot_product_attention_math_for_mps e...
  • b39330b [Inductor] Call latest c_shim version for versioned fallback ops (#181548)
  • 06f10d0 Revert "[FSDP2] add fqn to communication ops" (#182100) (#182157)
  • 449e339 Revert "[Inductor] Improve materialization heuristic for a chain of computaio...
  • Additional commits viewable in compare view

Updates sentencepiece from 0.1.99 to 0.2.1

Release notes

Sourced from sentencepiece's releases.

v0.2.1

Major changes

New features

  • [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

  • [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
  • [Python]: Deprecates the wheel package for Linux i686.
  • [Python]: Supported wheel for Windows Arm64. #1114
  • [Python]: Fixed the crash issue on batch decoding #1051
  • [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
  • [ALL]: Unused code and build mode cleanup.

v0.2.1pre2

Major changes

New features

  • [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

  • [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
  • [Python]: Deprecates the wheel package for Linux i686.
  • [Python]: Supported wheel for Windows Arm64.
  • [Python]: Fixed the crash issue on batch decoding #1051
  • [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
  • [ALL]: Unused code and build mode cleanup.

v0.2.0

Major changes

N/A

New features

  • [ALL] Added SentencePieceNormalizer class in C++/Python. It supports almost the equivalent feature of spm_normalize. Python Sample C++ Sample
  • [ALL] Added SentencePieceProcessor::Normalize method in C++/Python Python Sample C++ Sample
  • [ALL] Added functionality to override the normalization spec before the processing. Python Sample

Bug fixes & minor changes

... (truncated)

Commits
  • 31646a4 Merge pull request #1136 from crusaderky/pytest-run-parallel
  • bcd44b9 free-threading tests
  • 135747f install twine before checking wheel
  • 69fe0b2 install setuptools before making sdist
  • ee1422b install setuptools before making sdist
  • 5ac2fd2 use windows-11-arm runner to test ARM64 wheel on native env.
  • 36b9745 use windows-11-arm runner to test ARM64 wheel on native env.
  • 4f043ae use auto-mode to make wheel with the native binary.
  • 623196e uses arm docker image to build and test wheel
  • 559fd65 re-enable QEMU to enable arm execution
  • Additional commits viewable in compare view

Updates transformers from 4.31.0 to 5.0.0rc3

Release notes

Sourced from transformers's releases.

Release candidate v5.0.0rc3

New models:

What's Changed

We are getting closer and closer to the official release! This RC is focused on removing more of the deprecated stuff, fixing some minors issues, doc updates.

... (truncated)

Commits

Updates nltk from 3.8.1 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

  • Support Python 3.14
  • Fix bug in Levenshtein distance when substitution_cost > 2
  • Fix bug in Treebank detokeniser re quote ordering
  • Fix bug in Jaro similarity for empty strings
  • Several security enhancements
  • Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
  • Implement TextTiling vocabulary introduction method (Hearst 1997)
  • Fix ALINE feature matrix errors and add comprehensive tests
  • Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
  • Let downloader fallback to md5 when sha256 is unavailable
  • Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)
  • Add optional sandbox enforcement for filestring() (#3485)
  • Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

  • Update download checksums to use SHA256 in built index
  • Fix percentage escape in new-style string formatting
  • replace shortened URLs using goo.gl
  • Make Wordnet interoperable with various taggers and tagged corpora
  • Fix saving PerceptronTagger
  • Document how to reproduce old Wordnet studies
  • properly initialize Portuguese corpus reader
  • support for mixed rules conversion into Chomsky Normal Form
  • only import tkinter if a GUI is needed
  • issue #2112 with Corenlp
  • new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
  • Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits
  • ad9c96b Update copyright year
  • 7edcddf Updates for 3.9.4 release
  • 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
  • 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
  • 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
  • 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
  • c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
  • 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
  • aec4fce Merge pull request #3522 from ekaf/pathsec
  • eec4ee3 Merge pull request #3526 from nltk/update-contributing
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the pip group across 3 directories with 5 updates
5cd911b 
Bumps the pip group with 2 updates in the /src/dependencies/requirements/base_requirements directory: [setuptools](https://github.com/pypa/setuptools) and [torch](https://github.com/pytorch/pytorch).
Bumps the pip group with 1 update in the /src/dependencies/requirements/generated_requirements directory: [torch](https://github.com/pytorch/pytorch).
Bumps the pip group with 3 updates in the /src/maxtext/inference/mlperf directory: [sentencepiece](https://github.com/google/sentencepiece), [transformers](https://github.com/huggingface/transformers) and [nltk](https://github.com/nltk/nltk).


Updates `setuptools` from 78.1.0 to 78.1.1
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v78.1.0...v78.1.1)

Updates `torch` from 2.11.0 to 2.12.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.11.0...v2.12.0)

Updates `torch` from 2.11.0+cpu to 2.12.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.11.0...v2.12.0)

Updates `sentencepiece` from 0.1.99 to 0.2.1
- [Release notes](https://github.com/google/sentencepiece/releases)
- [Commits](google/sentencepiece@v0.1.99...v0.2.1)

Updates `transformers` from 4.31.0 to 5.0.0rc3
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.31.0...v5.0.0rc3)

Updates `nltk` from 3.8.1 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.8.1...3.9.4)

---
updated-dependencies:
- dependency-name: setuptools
  dependency-version: 78.1.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.12.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: torch
  dependency-version: 2.12.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: sentencepiece
  dependency-version: 0.2.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: transformers
  dependency-version: 5.0.0rc3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 10, 2026
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 10, 2026
@dependabot dependabot Bot added the python Pull requests that update python code label Jun 10, 2026
@dependabot dependabot Bot mentioned this pull request Jun 10, 2026
Closed
@codecov

codecov Bot commented Jun 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bvandermoon bvandermoon Awaiting requested review from bvandermoon bvandermoon is a code owner

@SurbhiJainUSC SurbhiJainUSC Awaiting requested review from SurbhiJainUSC SurbhiJainUSC is a code owner

@parambole parambole Awaiting requested review from parambole parambole is a code owner

@richjames0 richjames0 Awaiting requested review from richjames0 richjames0 is a code owner

@shralex shralex Awaiting requested review from shralex shralex is a code owner

@darisoy darisoy Awaiting requested review from darisoy darisoy is a code owner

@vipannalla vipannalla Awaiting requested review from vipannalla vipannalla is a code owner

@mitalisi mitalisi Awaiting requested review from mitalisi mitalisi is a code owner

@gpolovets1 gpolovets1 Awaiting requested review from gpolovets1 gpolovets1 is a code owner

@mailvijayasingh mailvijayasingh Awaiting requested review from mailvijayasingh mailvijayasingh is a code owner

@jrplatin jrplatin Awaiting requested review from jrplatin jrplatin is a code owner

@patemotter patemotter Awaiting requested review from patemotter patemotter is a code owner

@Lumosis Lumosis Awaiting requested review from Lumosis Lumosis is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants