Bump the uv group across 6 directories with 5 updates

[dependabot]

Bumps the uv group with 3 updates in the / directory: onnx, nltk and requests.
Bumps the uv group with 1 update in the /examples/llm_ptq directory: transformers.
Bumps the uv group with 1 update in the /examples/windows/onnx_ptq/genai_llm directory: onnx.
Bumps the uv group with 1 update in the /examples/windows/onnx_ptq/sam2 directory: onnx.
Bumps the uv group with 2 updates in the /examples/windows/onnx_ptq/whisper directory: torch and onnx.
Bumps the uv group with 2 updates in the /experimental/dms directory: nltk and requests.

Updates onnx from 1.19.1 to 1.21.0rc1

Release notes

Sourced from onnx's releases.

v1.20.1

[!NOTE] This patch release includes important bug fixes to ONNX build.

What's Changed

• Export functions (onnx/onnx#7505)
• Revert ONNX CMake changes (onnx/onnx#7515)
• Export functions used in PyTorch (onnx/onnx#7524)
• Export protobuf symbols (onnx/onnx#7525)

Commits

• Bump version to 1.20.1rc1 by @​justinchuby in onnx/onnx#7561
• Cherry pick into 1.20.1 by @​cyyever @​justinchuby in onnx/onnx#7560
• Remove rc for 1.20.1 release by @​titaiwangms in onnx/onnx#7567

Full Changelog: onnx/onnx@v1.20.0...v1.20.1

v1.20.0

ONNX v1.20.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Updated Op list:

Cast, CastLike, Constant, ConstantOfShape, DequantizeLinear, Flatten, Identity, If, Loop, Pad, QuantizeLinear, Reshape, Scan, Shape, Size, Squeeze, Transpose, Unsqueeze

Key Updates:

• Support for Python 3.14 via Python's stable ABI. (#7276)
• Opset 25
• 2-bit dtype support (#7446)
• A new "node determinism" attribute in operator schemas (#7176)

Breaking Changes and Deprecations

• Update manylinux_2014 -> manylinux_2_28 (#7151)
• Update attention gqa to use repeat interleave within repeat kv (#7274)
• Update required Python version to 3.10 and related fixes (#7220)
• Remove Python 3.9 wheel build (#7217)
• Remove deprecated methods (#7214)

Spec and Operator

• Add 2 bit support to onnx (#7446)
• Remove enforcement to node determinism attribute (#7473)
• Fix handling of empty inputs for the Softmax operator (#7206)
• Fix OneHotEncoder segfault due to missing input shape validation (#7302)
• Fix Attention backend test: correct dimension of Range input (#7300)
• Fix Range input rank in Attention op function definition (#7240)

... (truncated)

Commits

• See full diff in compare view

Updates nltk from 3.9.3 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates transformers from 4.48.0 to 4.53.0

Release notes

Sourced from transformers's releases.

Release v4.53.0

Gemma3n

Gemma 3n models are designed for efficient execution on low-resource devices. They are capable of multimodal input, handling text, image, video, and audio input, and generating text outputs, with open weights for pre-trained and instruction-tuned variants. These models were trained with data in over 140 spoken languages.

Gemma 3n models use selective parameter activation technology to reduce resource requirements. This technique allows the models to operate at an effective size of 2B and 4B parameters, which is lower than the total number of parameters they contain. For more information on Gemma 3n's efficient parameter management technology, see the Gemma 3n page.

from transformers import pipeline
import torch
pipe = pipeline(
"image-text-to-text",
torch_dtype=torch.bfloat16,
model="google/gemma-3n-e4b",
device="cuda",
)
output = pipe(
"https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/bee.jpg",
text="<image_soft_token> in this image, there is"
)
print(output)

Dia

Dia is an opensource text-to-speech (TTS) model (1.6B parameters) developed by Nari Labs. It can generate highly realistic dialogue from transcript including nonverbal communications such as laughter and coughing. Furthermore, emotion and tone control is also possible via audio conditioning (voice cloning).

Model Architecture: Dia is an encoder-decoder transformer based on the original transformer architecture. However, some more modern features such as rotational positional embeddings (RoPE) are also included. For its text portion (encoder), a byte tokenizer is utilized while for the audio portion (decoder), a pretrained codec model DAC is used - DAC encodes speech into discrete codebook tokens and decodes them back into audio.

• Add Dia model by @​buttercrab in #38405

Kyutai Speech-to-Text

Kyutai STT is a speech-to-text model architecture based on the Mimi codec, which encodes audio into discrete tokens in a streaming fashion, and a Moshi-like autoregressive decoder. Kyutai’s lab has released two model checkpoints:

• kyutai/stt-1b-en_fr: a 1B-parameter model capable of transcribing both English and French

... (truncated)

Commits

• 67ddc82 Release: v4.53.0
• 0a8081b [Modeling] Fix encoder CPU offloading for whisper (#38994)
• c63cfd6 Gemma 3n (#39059)
• 3e5cc12 [tests] remove tests from libraries with deprecated support (flax, tensorflow...
• cfff7ca [Whisper] Pipeline: handle long form generation (#35750)
• 02ecdcf add _keep_in_fp32_modules_strict (#39058)
• d973e62 fix condition where torch_dtype auto collides with model_kwargs. (#39054)
• 44b2316 [qwen2-vl] fix vision attention scaling (#39043)
• ae15715 polishing docs: error fixes for clarity (#39042)
• 3abeaba Create test for #38916 (custom generate from local dir with imports) (#39015)
• Additional commits viewable in compare view

Updates onnx from 1.19.0 to 1.21.0rc1

Release notes

Sourced from onnx's releases.

v1.20.1

[!NOTE] This patch release includes important bug fixes to ONNX build.

What's Changed

• Export functions (onnx/onnx#7505)
• Revert ONNX CMake changes (onnx/onnx#7515)
• Export functions used in PyTorch (onnx/onnx#7524)
• Export protobuf symbols (onnx/onnx#7525)

Commits

• Bump version to 1.20.1rc1 by @​justinchuby in onnx/onnx#7561
• Cherry pick into 1.20.1 by @​cyyever @​justinchuby in onnx/onnx#7560
• Remove rc for 1.20.1 release by @​titaiwangms in onnx/onnx#7567

Full Changelog: onnx/onnx@v1.20.0...v1.20.1

v1.20.0

ONNX v1.20.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Updated Op list:

Cast, CastLike, Constant, ConstantOfShape, DequantizeLinear, Flatten, Identity, If, Loop, Pad, QuantizeLinear, Reshape, Scan, Shape, Size, Squeeze, Transpose, Unsqueeze

Key Updates:

• Support for Python 3.14 via Python's stable ABI. (#7276)
• Opset 25
• 2-bit dtype support (#7446)
• A new "node determinism" attribute in operator schemas (#7176)

Breaking Changes and Deprecations

• Update manylinux_2014 -> manylinux_2_28 (#7151)
• Update attention gqa to use repeat interleave within repeat kv (#7274)
• Update required Python version to 3.10 and related fixes (#7220)
• Remove Python 3.9 wheel build (#7217)
• Remove deprecated methods (#7214)

Spec and Operator

• Add 2 bit support to onnx (#7446)
• Remove enforcement to node determinism attribute (#7473)
• Fix handling of empty inputs for the Softmax operator (#7206)
• Fix OneHotEncoder segfault due to missing input shape validation (#7302)
• Fix Attention backend test: correct dimension of Range input (#7300)
• Fix Range input rank in Attention op function definition (#7240)

... (truncated)

Commits

• See full diff in compare view

Updates onnx from 1.17.0 to 1.21.0rc1

Release notes

Sourced from onnx's releases.

v1.20.1

[!NOTE] This patch release includes important bug fixes to ONNX build.

What's Changed

• Export functions (onnx/onnx#7505)
• Revert ONNX CMake changes (onnx/onnx#7515)
• Export functions used in PyTorch (onnx/onnx#7524)
• Export protobuf symbols (onnx/onnx#7525)

Commits

• Bump version to 1.20.1rc1 by @​justinchuby in onnx/onnx#7561
• Cherry pick into 1.20.1 by @​cyyever @​justinchuby in onnx/onnx#7560
• Remove rc for 1.20.1 release by @​titaiwangms in onnx/onnx#7567

Full Changelog: onnx/onnx@v1.20.0...v1.20.1

v1.20.0

ONNX v1.20.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Updated Op list:

Cast, CastLike, Constant, ConstantOfShape, DequantizeLinear, Flatten, Identity, If, Loop, Pad, QuantizeLinear, Reshape, Scan, Shape, Size, Squeeze, Transpose, Unsqueeze

Key Updates:

• Support for Python 3.14 via Python's stable ABI. (#7276)
• Opset 25
• 2-bit dtype support (#7446)
• A new "node determinism" attribute in operator schemas (#7176)

Breaking Changes and Deprecations

• Update manylinux_2014 -> manylinux_2_28 (#7151)
• Update attention gqa to use repeat interleave within repeat kv (#7274)
• Update required Python version to 3.10 and related fixes (#7220)
• Remove Python 3.9 wheel build (#7217)
• Remove deprecated methods (#7214)

Spec and Operator

• Add 2 bit support to onnx (#7446)
• Remove enforcement to node determinism attribute (#7473)
• Fix handling of empty inputs for the Softmax operator (#7206)
• Fix OneHotEncoder segfault due to missing input shape validation (#7302)
• Fix Attention backend test: correct dimension of Range input (#7300)
• Fix Range input rank in Attention op function definition (#7240)

... (truncated)

Commits

• See full diff in compare view

Updates torch from 2.7.0+cu128 to 2.8.0

Release notes

Sourced from torch's releases.

PyTorch 2.8.0 Release Notes

• Highlights
• Backwards Incompatible Changes
• Deprecations
• New Features
• Improvements
• Bug fixes
• Performance
• Documentation
• Developers

Highlights

... (truncated)

Commits

• See full diff in compare view

Updates onnx from 1.19.0 to 1.21.0rc1

Release notes

Sourced from onnx's releases.

v1.20.1

[!NOTE] This patch release includes important bug fixes to ONNX build.

What's Changed

• Export functions (onnx/onnx#7505)
• Revert ONNX CMake changes (onnx/onnx#7515)
• Export functions used in PyTorch (onnx/onnx#7524)
• Export protobuf symbols (onnx/onnx#7525)

Commits

• Bump version to 1.20.1rc1 by @​justinchuby in onnx/onnx#7561
• Cherry pick into 1.20.1 by @​cyyever @​justinchuby in onnx/onnx#7560
• Remove rc for 1.20.1 release by @​titaiwangms in onnx/onnx#7567

Full Changelog: onnx/onnx@v1.20.0...v1.20.1

v1.20.0

ONNX v1.20.0 is now available with exciting new features! We would like to thank everyone who contributed to this release! Please visit onnx.ai to learn more about ONNX and associated projects.

Updated Op list:

Cast, CastLike, Constant, ConstantOfShape, DequantizeLinear, Flatten, Identity, If, Loop, Pad, QuantizeLinear, Reshape, Scan, Shape, Size, Squeeze, Transpose, Unsqueeze

Key Updates:

• Support for Python 3.14 via Python's stable ABI. (#7276)
• Opset 25
• 2-bit dtype support (#7446)
• A new "node determinism" attribute in operator schemas (#7176)

Breaking Changes and Deprecations

• Update manylinux_2014 -> manylinux_2_28 (#7151)
• Update attention gqa to use repeat interleave within repeat kv (#7274)
• Update required Python version to 3.10 and related fixes (#7220)
• Remove Python 3.9 wheel build (#7217)
• Remove deprecated methods (#7214)

Spec and Operator

• Add 2 bit support to onnx (#7446)
• Remove enforcement to node determinism attribute (#7473)
• Fix handling of empty inputs for the Softmax operator (#7206)
• Fix OneHotEncoder segfault due to missing input shape validation (#7302)
• Fix Attention backend test: correct dimension of Range input (#7300)
• Fix Range input rank in Attention op function definition (#7240)

... (truncated)

Commits

• See full diff in compare view

Updates nltk from 3.9.3 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[cjluo-nv]

Summary: Dependabot bumps 5 dependencies (onnx, nltk, requests, transformers, torch) across 6 directories. The most significant changes are transformers from 4.x to 5.4.0, onnx to a release candidate (1.21.0rc1), and torch to 2.8.0/2.11.0 (inconsistent across files).

Issues Found:

1. [Correctness] transformers bumped to 5.4.0 but runtime warning not updated — pyproject.toml:84 changes the constraint from <5.0 to <6.0, but modelopt/torch/__init__.py:35 still checks < _Version("5.0"). Users running transformers 5.4.0 will get a spurious warning. The comment in pyproject.toml explicitly says # Should match modelopt/torch/__init__.py and tox.ini. This is the exact same three-way sync problem flagged in prior PR #1151. tox.ini also needs updating — tf_min: transformers~=4.56.0 doesn't test transformers 5.x at all.

2. [Correctness] onnx bumped to a release candidate (1.21.0rc1) — All onnx pins across pyproject.toml, examples/windows/onnx_ptq/genai_llm/requirements.txt, sam2/requirements.txt, and whisper/requirements.txt are pinned to 1.21.0rc1. Release candidates should not be used in production dependencies. The pyproject.toml range >=1.19,<1.22 also permits the RC to be installed by default. Wait for onnx==1.21.0 stable.

3. [Correctness] torch/torchaudio version mismatch in whisper requirements — examples/windows/onnx_ptq/whisper/requirements.txt bumps torch from 2.7.0+cu128 to 2.8.0 but leaves torchaudio==2.7.0+cu128 unchanged. torch and torchaudio must have matching versions — this will likely fail at install time or runtime.

4. [Correctness] Inconsistent torch versions across files — genai_llm/requirements.txt pins torch==2.11.0, while whisper/requirements.txt pins torch==2.8.0, and the main uv.lock resolves torch to 2.11.0. The genai_llm pin also lost its CUDA suffix (+cu128), which may install a CPU-only build on Windows.

5. [Correctness] VILA requirements bumped to incompatible range — examples/vlm_ptq/requirements-vila.txt changes transformers<=4.50.0 to transformers<=5.4.0. The original <=4.50.0 pin exists because VILA requires that version or lower. This bump should be validated that VILA actually supports transformers 5.x.

6. [Correctness] Inconsistent transformers versions across example files — examples/llm_ptq/requirements-t5.txt pins transformers==4.53.0, while genai_llm and whisper pin transformers==5.4.0, and experimental/dms/pyproject.toml also pins 5.4.0. The T5 example was only bumped from 4.48.0 to 4.53.0, not to 5.x — is this intentional, or did Dependabot partially miss it?

7. [Correctness] transformers 5.x is a major version bump with breaking changes — The diff shows transformers went from 4.57.x to 5.4.0, dropping filelock and requests as dependencies and adding typer. huggingface-hub also jumped from 0.36.2 to 1.8.0 (also dropping requests, adding httpx). These are significant transitive dependency changes that could break code relying on requests being available via these packages.

Suggestions:

• Split this PR: handle the safe minor bumps (nltk 3.9.3→3.9.4, requests 2.32.5→2.33.0) separately from the risky major bumps (transformers 4.x→5.x, onnx to RC).
• Add CI validation that the example requirements files actually install and run before merging.

Overall Assessment: This PR has multiple correctness issues that would cause build failures or runtime warnings. The transformers major version bump requires coordinated changes across __init__.py, tox.ini, and pyproject.toml. The onnx RC pin is inappropriate for production. The torch/torchaudio mismatch is a guaranteed breakage.