Skip to content

Bump tract-onnx from 0.22.1 to 0.22.3 in the cargo group across 1 directory#1221

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-f0abaf91fb
Open

Bump tract-onnx from 0.22.1 to 0.22.3 in the cargo group across 1 directory#1221
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-f0abaf91fb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the cargo group with 1 update in the / directory: tract-onnx.

Updates tract-onnx from 0.22.1 to 0.22.3

Changelog

Sourced from tract-onnx's changelog.

0.22.x → 0.23 in a nutshell

  • tract facade is now the recommended public API. Renamed from tract-rs; sole crate under semver, one curated surface (Model/Runnable/State/Tensor/TDim + nnef()/onnx()/runtime_for_name). ndarray removed from public types in favour of opt-in impl_ndarray_interop!(). Most other API renames in this release fall out of this consolidation (ValueTensor, concretize_symbolsset_symbols, default runtime → cpu, …).
  • GPU is first-class. cuda + metal Runtime impls with f16 conv + cuDNN, CUDA 13 (CUDA 12 dropped), automatic per-node CPU fallback when GPU rejects a shape; virtual gpu / gpu-or-cpu names for portable downstream code.
  • Supply-chain hardening. Cargo.lock tracked; CDX + SPDX SBOMs on release binaries plus PEP 770 SBOMs in wheels (cargo-auditable + GitHub attestations);

Migrating from 0.22.x to 0.23

For normal usage we recommend adopting the tract facade crate (the public API at api/rs) instead of wiring tract-core, tract-nnef, tract-onnx, tract-pulse, tract-cuda, tract-metal, etc. directly. The facade exposes one stable surface — nnef(), onnx(), runtime_for_name("cpu" | "gpu" | "gpu-or-cpu" | "cuda" | "metal" | ...), plus Model, Runnable, State, Tensor, TDim, and a SetSymbols transform builder — with all the backends curated behind it. impl_ndarray_interop!() (0.23.0-dev.5) keeps ndarray interop opt-in without leaking an ndarray version into the public API. Downstream code that pinned tract-core + tract-onnx directly can usually drop those deps in favour of tract = "0.23" and use tract::prelude::*;. Examples are now organised around this facade — see examples/onnx-mobilenet-v2, examples/nnef-mobilenet-v2, and examples/causal_llm.

0.23.3 - 2026-06-19

GPU

  • Native STFT / FFT on GPU. Backend-agnostic GpuStft (CUDA + Metal) backed by a 512-point Stockham FFT kernel, generalized to power-of-two frames (256/512/1024/2048), plus inverse FFT and lowering of the standalone Fft op.

CPU / linalg

  • SVE2 RmsNorm. VLA SVE2 rms_norm_f32 kernel for aarch64 SVE2 hosts.

Transformers / LLM

  • KV-cache quantization (KIVI-style). QuantizedKvSdpa op with packed u8 storage and configurable bit-width, an auto-wiring transform, and NNEF de/serialization round-trip.

Core / NNEF / ONNX

  • Resize / GridSample in core. A clean Resize subset and GridSample moved into tract-core: f16 resize, a sizes input on tract_core_resize, a clamped resize floor for negative source coordinates, and a retained grid_sample alias.

0.23.2 - 2026-06-16

Security

  • fix for CVE-2026-55832 in tract-onnx (moderate): lack of sanitation in ONNX split tensor file paths.

0.23.1 - 2026-06-10

Security

  • fix for CVE-2026-55093 in tract-nnef (moderate): validation of tensor shapes in NNEF .dat files to prevent of multiplication overflow in buffer size computation.

CPU / linalg

  • int8 GEMM kernels across backends. aarch64 SDOT (FEAT_DotProd), x86_64 AVX-512-VNNI (avx512vnni_mmm_i32_8x8), and ARM SME2 SMOPA (sme_qmmm_i32_32x32) int8→i32 matmul micro-kernels.

... (truncated)

Commits
  • 1541d40 release 0.22.3
  • 5f994bc Sanitize ONNX external_data location and bound offset/length
  • df98b34 release.sh: push the release commit and only its version tag. The script push...
  • 5fcd0c0 post-release 0.22.3-pre
  • 19a2c2a release 0.22.2
  • 4773e92 fix(nnef): reject overflowing block-quant tensor dims
  • ee5f019 fix(nnef): reject overflowing tensor dims
  • a213cbc Support value_ints, value_floats, value_string(s) in ONNX Constant op
  • 0eb5ced backport wheels build from amin
  • c92b8a1 post-release 0.22.2-pre
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 1 update in the / directory: [tract-onnx](https://github.com/snipsco/tract).


Updates `tract-onnx` from 0.22.1 to 0.22.3
- [Release notes](https://github.com/snipsco/tract/releases)
- [Changelog](https://github.com/sonos/tract/blob/main/CHANGELOG.md)
- [Commits](sonos/tract@0.22.1...0.22.3)

---
updated-dependencies:
- dependency-name: tract-onnx
  dependency-version: 0.22.3
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file Rust labels Jul 6, 2026
@dependabot dependabot Bot requested a review from ladvoc as a code owner July 6, 2026 15:02
@dependabot dependabot Bot added Rust dependencies Pull requests that update a dependency file labels Jul 6, 2026

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

Open in Devin Review

Comment thread Cargo.toml
prost-build = "0.14"
prost-types = "0.14"
rand = "0.9"
rand = "0.10"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Missing changeset file for dependency version bump

No changeset was added for this dependency upgrade (Cargo.toml:76), violating the repository's mandatory changeset requirement.

Impact: The PR cannot be merged according to repository contribution rules without a changeset documenting the change.

AGENTS.md changeset requirement

AGENTS.md states under "Documenting changes":

  • "Every PR needs a changeset"
  • "Changeset must list any crates which need to be bumped stemming from the change"
  • "Document changes interactively from the CLI with knope document-change or create manually in /.changeset"

The PR bumps rand from 0.9 to 0.10 in the workspace dependencies, which affects livekit-api, livekit-datatrack, and several example crates. No corresponding changeset file was created in the /.changeset directory.

Prompt for agents
A changeset file needs to be created in the .changeset/ directory documenting this rand version bump. Run knope document-change from the CLI or manually create a markdown file in .changeset/ that lists the affected crates (livekit-api, livekit-datatrack, and any example crates that depend on rand) and describes the rand 0.9 to 0.10 upgrade.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Comment thread Cargo.toml
prost-build = "0.14"
prost-types = "0.14"
rand = "0.9"
rand = "0.10"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Multiple rand versions now coexist in the dependency tree

After this bump, the Cargo.lock shows three versions of rand in the tree: 0.8.5 (transitive, pre-existing), 0.9.4 (used by fake and quinn-proto), and 0.10.2 (workspace crates). The livekit-datatrack crate implements fake::Dummy trait methods with bounds like R: rand::Rng + ?Sized (livekit-datatrack/src/packet/time.rs:120, livekit-datatrack/src/packet/handle.rs:90, livekit-datatrack/src/packet/mod.rs:70). Since fake depends on rand 0.9.4 and livekit-datatrack now resolves rand to 0.10.2, the Rng trait from these two versions are distinct types, which could cause trait mismatch issues in the Dummy implementations.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file Rust

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants