Bump the pip group across 1 directory with 5 updates

[dependabot]

Updates the requirements on torch, mlflow, transformers, werkzeug and flask to permit the latest version.
Updates torch to 2.5.0

Release notes

Sourced from torch's releases.

PyTorch 2.5.0 Release, SDPA CuDNN backend, Flex Attention

PyTorch 2.5 Release Notes

• Highlights
• Backwards Incompatible Change
• Deprecations
• New Features
• Improvements
• Bug fixes
• Performance
• Documentation
• Developers
• Security

Highlights

We are excited to announce the release of PyTorch® 2.5! This release features a new CuDNN backend for SDPA, enabling speedups by default for users of SDPA on H100s or newer GPUs. As well, regional compilation of torch.compile offers a way to reduce the cold start up time for torch.compile by allowing users to compile a repeated nn.Module (e.g. a transformer layer in LLM) without recompilations. Finally, TorchInductor CPP backend offers solid performance speedup with numerous enhancements like FP16 support, CPP wrapper, AOT-Inductor mode, and max-autotune mode. This release is composed of 4095 commits from 504 contributors since PyTorch 2.4. We want to sincerely thank our dedicated community for your contributions. As always, we encourage you to try these out and report any issues as we improve 2.5. More information about how to get started with the PyTorch 2-series can be found at our Getting Started page. As well, please check out our new ecosystem projects releases with TorchRec and TorchFix.

Beta	Prototype
CuDNN backend for SDPA	FlexAttention
torch.compile regional compilation without recompilations	Compiled Autograd
TorchDynamo added support for exception handling & MutableMapping types	Flight Recorder
TorchInductor CPU backend optimization	Max-autotune Support on CPU with GEMM Template
	TorchInductor on Windows
	FP16 support on CPU path for both eager mode and TorchInductor CPP backend
	Autoload Device Extension
	Enhanced Intel GPU support

*To see a full list of public feature submissions click here.

BETA FEATURES

[Beta] CuDNN backend for SDPA

The cuDNN "Fused Flash Attention" backend was landed for torch.nn.functional.scaled_dot_product_attention. On NVIDIA H100 GPUs this can provide up to 75% speed-up over FlashAttentionV2. This speedup is enabled by default for all users of SDPA on H100 or newer GPUs.

[Beta] torch.compile regional compilation without recompilations

Regional compilation without recompilations, via torch._dynamo.config.inline_inbuilt_nn_modules which default to True in 2.5+. This option allows users to compile a repeated nn.Module (e.g. a transformer layer in LLM) without recompilations. Compared to compiling the full model, this option can result in smaller compilation latencies with 1%-5% performance degradation compared to full model compilation.

See the tutorial for more information.

[Beta] TorchInductor CPU backend optimization

This feature advances Inductor’s CPU backend optimization, including CPP backend code generation and FX fusions with customized CPU kernels. The Inductor CPU backend supports vectorization of common data types and all Inductor IR operations, along with the static and symbolic shapes. It is compatible with both Linux and Windows OS and supports the default Python wrapper, the CPP wrapper, and AOT-Inductor mode.

Additionally, it extends the max-autotune mode of the GEMM template (prototyped in 2.5), offering further performance gains. The backend supports various FX fusions, lowering to customized kernels such as oneDNN for Linear/Conv operations and SDPA. The Inductor CPU backend consistently achieves performance speedups across three benchmark suites—TorchBench, Hugging Face, and timms—outperforming eager mode in 97.5% of the 193 models tested.

PROTOTYPE FEATURES

[Prototype] FlexAttention

We've introduced a flexible API that enables implementing various attention mechanisms such as Sliding Window, Causal Mask, and PrefixLM with just a few lines of idiomatic PyTorch code. This API leverages torch.compile to generate a fused FlashAttention kernel, which eliminates extra memory allocation and achieves performance comparable to handwritten implementations. Additionally, we automatically generate the backwards pass using PyTorch's autograd machinery. Furthermore, our API can take advantage of sparsity in the attention mask, resulting in significant improvements over standard attention implementations.

For more information and examples, please refer to the official blog post and Attention Gym.

... (truncated)

Changelog

Sourced from torch's changelog.

Releasing PyTorch

• Release Compatibility Matrix
• Release Cadence
• General Overview
  • Frequently Asked Questions
• Cutting a release branch preparations
• Cutting release branches
  • pytorch/pytorch
  • pytorch/builder / PyTorch domain libraries
  • Making release branch specific changes for PyTorch
  • Making release branch specific changes for domain libraries
• Running Launch Execution team Core XFN sync
• Drafting RCs (https://github.com/pytorch/pytorch/blob/main/Release Candidates) for PyTorch and domain libraries
  • Release Candidate Storage
  • Release Candidate health validation
  • Cherry Picking Fixes
    • How to do Cherry Picking
  • Cherry Picking Reverts
• Preparing and Creating Final Release candidate
• Promoting RCs to Stable
• Additional Steps to prepare for release day
  • Modify release matrix
  • Open Google Colab issue
• Patch Releases
  • Patch Release Criteria
  • Patch Release Process
    • Patch Release Process Description
    • Triage
    • Issue Tracker for Patch releases
    • Building a release schedule / cherry picking
    • Building Binaries / Promotion to Stable
• Hardware / Software Support in Binary Build Matrix
  • Python
  • Accelerator Software
    • Special support cases
  • Operating Systems
• Submitting Tutorials
• Special Topics
  • Updating submodules for a release
  • Triton dependency for the release

Release Compatibility Matrix

Following is the Release Compatibility Matrix for PyTorch releases:

... (truncated)

Commits

• 32f585d [Release only] use triton 3.1.x from pypi (#137895)
• 417a076 [split build] move periodic split builds into own concurrency group (#135510)...
• 119e734 [RELEASE-ONLY CHANGES] Fix dependency on filesystem on Linux (#137242)
• 783a6a4 [MPS] Add regression test for fft.fftfreq (#137215)
• 5375201 [MPS] Add missing dispatch to rshift.Tensor (#137212)
• 1de132e [MPS] Fix 5D+ reductions over negative dimentions (#137211)
• 0b1b609 [NCCL] Don't override waitUntilInitialized's setting of `comm->initialized_...
• 0b45af9 Fix addmm silent correctness on aarch64 (#137208)
• 1a0b166 [ONNX] Add assertion nodes to ignoring list (#137214)
• 3a541ef Clarify that libtorch API is C++17 compatible (#137206)
• Additional commits viewable in compare view

Updates mlflow to 2.17.1

Release notes

Sourced from mlflow's releases.

MLflow 2.17.1 is a patch release that includes several major features and improvements

Features:

• [Tracking] Support custom chat endpoint without endpoint type set as llm judge (#13538, @​B-Step62)
• [Tracking] Support tracing for OpenAI Swarm (#13497, @​B-Step62)
• [Tracking] Support UC Connections as model dependency and resources (#13481, #13491 @​sunishsheth2009)
• [Tracking] Support Genie Spaces as model resources (#13441, @​aravind-segu)
• [Models] Support new Transformers task for llm/v1/embedding (#13468, @​B-Step62)

Bug fixes:

• [Tracking] Fix tool span inputs/outputs format in LangChain autolog (#13527, @​B-Step62)
• [Models] Fix code_path handling for LlamaIndex flavor (#13486, @​B-Step62)
• [Models] Fix signature inference for subclass and optional dataclasses (#13440, @​bbqiu)
• [Tracking] Fix error thrown in set_retriever_schema's behavior when it's called twice (#13422, @​sunishsheth2009)
• [Tracking] Fix dependency extraction from RunnableCallables (#13423, @​aravind-segu)

Documentation updates:

• [Docs] Fixed typo in docs: endpoing -> endpoint (#13478, @​JAMNESIA)
• [Docs] Improve CLI docs - attention about setting MLFLOW_TRACKING_URI (#13465, @​BartoszLitwiniuk)
• [Docs] Add documentation for infer_signature usage with GenAI flavors (#13407, @​serena-ruan)

Small bug fixes and documentation updates:

#13293, #13510, #13501, #13506, #13446, @​harupy; #13341, #13342, @​WeichenXu123; #13396, @​dvorst; #13535, @​chenmoneygithub; #13503, #13469, #13416, @​B-Step62; #13519, #13516, @​serena-ruan; #13504, @​sunishsheth2009; #13508, @​KamilStachera; #13397, @​kriscon-db

Changelog

Sourced from mlflow's changelog.

2.17.1 (2024-10-25)

MLflow 2.17.1 includes several major features and improvements

Features:

• [Tracking] Support custom chat endpoint without endpoint type set as llm judge (#13538, @​B-Step62)
• [Tracking] Support tracing for OpenAI Swarm (#13497, @​B-Step62)
• [Tracking] Support UC Connections as model dependency and resources (#13481, #13491 @​sunishsheth2009)
• [Tracking] Support Genie Spaces as model resources (#13441, @​aravind-segu)
• [Models] Support new Transformers task for llm/v1/embedding (#13468, @​B-Step62)

Bug fixes:

• [Tracking] Fix tool span inputs/outputs format in LangChain autolog (#13527, @​B-Step62)
• [Models] Fix code_path handling for LlamaIndex flavor (#13486, @​B-Step62)
• [Models] Fix signature inference for subclass and optional dataclasses (#13440, @​bbqiu)
• [Tracking] Fix error thrown in set_retriever_schema's behavior when it's called twice (#13422, @​sunishsheth2009)
• [Tracking] Fix dependency extraction from RunnableCallables (#13423, @​aravind-segu)

Documentation updates:

• [Docs] Fixed typo in docs: endpoing -> endpoint (#13478, @​JAMNESIA)
• [Docs] Improve CLI docs - attention about setting MLFLOW_TRACKING_URI (#13465, @​BartoszLitwiniuk)
• [Docs] Add documentation for infer_signature usage with GenAI flavors (#13407, @​serena-ruan)

Small bug fixes and documentation updates:

#13293, #13510, #13501, #13506, #13446, @​harupy; #13341, #13342, @​WeichenXu123; #13396, @​dvorst; #13535, @​chenmoneygithub; #13503, #13469, #13416, @​B-Step62; #13519, #13516, @​serena-ruan; #13504, @​sunishsheth2009; #13508, @​KamilStachera; #13397, @​kriscon-db

2.17.0 (2024-09-26)

We are excited to announce the release of MLflow 2.17.0! This release includes several enhancements to extend the functionality of MLflow's ChatModel interface to further extend its versatility for handling custom GenAI application use cases. Additionally, we've improved the interface within the tracing UI to provide a structured output for retrieved documents, enhancing the ability to read the contents of those documents within the UI. We're also starting the work on improving both the utility and the versatility of MLflow's evaluate functionality for GenAI, initially with support for callable GenAI evaluation metrics.

Major Features and notifications:

• ChatModel enhancements - As the GenAI-focused 'cousin' of PythonModel, ChatModel is getting some sizable functionality extensions. From native support for tool calling (a requirement for creating a custom agent), simpler conversions to the internal dataclass constructs needed to interface with ChatModel via the introduction of from_dict methods to all data structures, the addition of a metadata field to allow for full input payload customization, handling of the new refusal response type, to the inclusion of the interface type to the response structure to allow for greater integration compatibility. (#13191, #13180, #13143, @​daniellok-db, #13102, #13071, @​BenWilson2)

• Callable GenAI Evaluation Metrics - As the intial step in a much broader expansion of the functionalities of mlflow.evaluate for GenAI use cases, we've converted the GenAI evaluation metrics to be callable. This allows you to use them directly in packages that support

... (truncated)

Commits

• 4e711a9 Run python3 dev/update_mlflow_versions.py pre-release ... (#13550)
• 5eb0cdb Add prompt_tokens_details in llama-index tests (#13293)
• 9a14639 Fix spacy CI (#13341)
• 355e7ba Fix transformer CI (#13342)
• 57a7438 fix broken tests
• c174238 Support custom chat endpoint without endpoint type set as llm judge (#13538)
• 14e0987 Doc: Fix mlflow-spark JAR URL (#13396)
• 56e0da7 Keras output conversion for serving purpose (#13535)
• b38aa26 Remove warnings during Settings serialization (#13503)
• 882fb42 Fix update_model_requirements (#13519)
• Additional commits viewable in compare view

Updates transformers from 4.5.0 to 4.38.0

Release notes

Sourced from transformers's releases.

v4.38: Gemma, Depth Anything, Stable LM; Static Cache, HF Quantizer, AQLM

New model additions

💎 Gemma 💎

Gemma is a new opensource Language Model series from Google AI that comes with a 2B and 7B variant. The release comes with the pre-trained and instruction fine-tuned versions and you can use them via AutoModelForCausalLM, GemmaForCausalLM or pipeline interface!

Read more about it in the Gemma release blogpost: https://hf.co/blog/gemma

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained("google/gemma-2b", device_map="auto", torch_dtype=torch.float16)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

You can use the model with Flash Attention, SDPA, Static cache and quantization API for further optimizations !

• Flash Attention 2

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", torch_dtype=torch.float16, attn_implementation="flash_attention_2"
)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

• bitsandbytes-4bit

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", load_in_4bit=True
)
</tr></table>

... (truncated)

Commits

• 08ab54a [ gemma] Adds support for Gemma 💎 (#29167)
• 2de9314 [Maskformer] safely get backbone config (#29166)
• 476957b 🚨 Llama: update rope scaling to match static cache changes (#29143)
• 7a4bec6 Release: 4.38.0
• ee3af60 Add support for fine-tuning CLIP-like models using contrastive-image-text exa...
• 0996a10 Revert low cpu mem tie weights (#29135)
• 15cfe38 [Core tokenization] add_dummy_prefix_space option to help with latest is...
• efdd436 FIX [PEFT / Trainer ] Handle better peft + quantized compiled models (#29...
• 5e95dca [cuda kernels] only compile them when initializing (#29133)
• a7755d2 Generate: unset GenerationConfig parameters do not raise warning (#29119)
• Additional commits viewable in compare view

Updates werkzeug from 0.16.1 to 3.0.6

Release notes

Sourced from werkzeug's releases.

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

• Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
• safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

• The Watchdog reloader ignores file closed no write events. #2945
• Logging works with client addresses containing an IPv6 scope. #2952
• Ignore invalid authorization parameters. #2955
• Improve type annotation fore SharedDataMiddleware. #2958
• Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930
• Improve parse_options_header performance when parsing unterminated quoted string values. #2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926
• Debugger pin auth works when the URL already contains a query string. #2918

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
• Make reloader more robust when "" is in sys.path. #2823

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.0.6

Released 2024-10-25

• Fix how max_form_memory_size is applied when parsing large non-file fields. :ghsa:q34m-jh98-gwm2

• safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

Version 3.0.5

Released 2024-10-24

• The Watchdog reloader ignores file closed no write events. :issue:2945
• Logging works with client addresses containing an IPv6 scope :issue:2952
• Ignore invalid authorization parameters. :issue:2955
• Improve type annotation fore SharedDataMiddleware. :issue:2958
• Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. :issue:2957

Version 3.0.4

Released 2024-08-21

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930
• Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926
• Debugger pin auth works when the URL already contains a query string. :issue:2918

Version 3.0.3

Released 2024-05-05

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional

... (truncated)

Commits

• 5eaefc3 release version 3.0.6
• 2767bcb Merge commit from fork
• 87cc78a catch special absolute path on Windows Python < 3.11
• 50cfeeb Merge commit from fork
• 8760275 apply max_form_memory_size another level up in the parser
• 8d6a12e start version 3.0.6
• a7b121a release version 3.0.5 (#2961)
• 9caf72a release version 3.0.5
• e28a245 catch OSError from getpass.getuser (#2960)
• e6b4cce catch OSError from getpass.getuser
• Additional commits viewable in compare view

Updates flask to 3.0.3

Release notes

Sourced from flask's releases.

3.0.3

This is a fix release for the 3.0.x feature branch.

PyPI: https://pypi.org/project/Flask/3.0.3/ Changes: https://flask.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/flask/milestone/35?closed=1

• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default. #5448
• Don't initialize the cli attribute in the sansio scaffold, but rather in the Flask concrete class. #5270

Changelog

Sourced from flask's changelog.

Version 3.0.3

Released 2024-04-07

• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default. :issue:5448
• Don't initialize the cli attribute in the sansio scaffold, but rather in the Flask concrete class. :pr:5270

Version 3.0.2

Released 2024-02-03

• Correct type for jinja_loader property. :issue:5388
• Fix error with --extra-files and --exclude-patterns CLI options. :issue:5391

Version 3.0.1

Released 2024-01-18

• Correct type for path argument to send_file. :issue:5336
• Fix a typo in an error message for the flask run --key option. :pr:5344
• Session data is untagged without relying on the built-in json.loads object_hook. This allows other JSON providers that don't implement that. :issue:5381
• Address more type findings when using mypy strict mode. :pr:5383

Version 3.0.0

Released 2023-09-30

• Remove previously deprecated code. :pr:5223
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("flask"), instead. :issue:5230
• Restructure the code such that the Flask (app) and Blueprint classes have Sans-IO bases. :pr:5127
• Allow self as an argument to url_for. :pr:5264
• Require Werkzeug >= 3.0.0.

Version 2.3.3

... (truncated)

Commits

• c12a5d8 release version 3.0.3
• 5e22cc9 Don't set the cli attribute in the sansio scaffold (#5270)
• 5fdce4c Don't set the cli attribute in the sansio scaffold
• adb7dd9 don't access app.logger when configuring app.logger
• b739390 support FIPS builds without SHA-1 (#5460)
• db46111 access sha1 lazily
• 7320e31 start version 3.0.3
• 87d5f5b update project files (#5457)
• d5e321b release version 3.0.2 (#5403)
• d203059 release version 3.0.2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.