Skip to content

build(deps): bump onnxruntime from 1.26.0 to 1.27.0#28

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/onnxruntime-1.27.0
Closed

build(deps): bump onnxruntime from 1.26.0 to 1.27.0#28
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/onnxruntime-1.27.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown

Bumps onnxruntime from 1.26.0 to 1.27.0.

Release notes

Sourced from onnxruntime's releases.

ONNX Runtime v1.27.0

n.b. This release is targeting ONNX 1.21. ONNX 1.22 will be supported in ORT 1.28. n.b. This changelog was generated via LLM. Only the contributor list has been verified. As always, only trust the commit history.

Announcements & Breaking Changes

  • CUDA 12 package files are now explicitly named as such.
  • CUDA 12 packages are deprecated, please move to CUDA 13 ASAP.

Security Fixes

  • Fixed out-of-bounds read in SoftmaxCrossEntropyLoss via label bounds validation (#28004)
  • Hardened OneHot input validation and output-size computation (#28014)
  • Added SafeInt overflow protection in Expand and capped constant-folding output sizes (#28055)
  • Bounded total output allocation size in Tile kernel (#28070)
  • Added mask/input shape consistency checks in MaxpoolWithMask::Compute (#28223)
  • Fixed BitShift UB for shift amounts greater than or equal to bit width (#28272)
  • Validated sequence bounds in GQA (seqlens_k vs cos_cache) (#28277)
  • Validated conv bias shape in WordConvEmbedding to prevent OOB reads (#28279)
  • Fixed int32 overflow in CUDA Cast and UnaryElementWise kernels for very large tensors (#28386)
  • Fixed out-of-bounds read in CropBase scale handling (#28399)
  • Fixed rank-underflow bug in Inverse kernel trailing-dimension indexing (#28400)
  • Added sparse tensor external file path validation and additional external-path hardening (#28408, #28709, #28725)
  • Switched remaining torch.load() calls to weights_only=True (#28421)
  • Added CPU cache-indirection beam-index validation (#28486)
  • Added additional overflow/bounds checks and test coverage in runtime buffers (#28713, #28747)

New Features

Execution Provider Plugin API

  • Added zero-copy I/O for plugin EPs with HOST_ACCESSIBLE memory (#28037)
  • Added OrtEp::OnSessionInitializationEnd() callback (#28319)
  • Added plugin EP session-options getters (#28377)
  • Added CUDA Plugin EP provider options for streams and external allocators (#28603)

Core APIs & Runtime

  • Added support for ONNX overloaded functions (IR v10+) (#28275)
  • Added FLOAT8E8M0 datatype support in ONNX Runtime (#28381)
  • Added CPU Cast support for FLOAT8E8M0 (#28435)
  • Added kOrtEpDevice_EpMetadataKey_OSDriverVersion example and docs (#28282)

Quantization & Training Tooling

  • Added calibration cache support to quantize_static (#28221)

... (truncated)

Commits
  • 8f0278c [CUDA] Optimize QMoE SoftmaxTopK router for small-batch decode (#29026)
  • 66916b0 fix: NodeJS pkging stage needs to use CFS (#29007)
  • af99e19 Disable OrtEp::ort_version_supported sanity check to work around EPs that don...
  • 6fc112f 1.27.0 - cherry pick 2 (#28900)
  • 8f5403c 1.27.0 - cherry pick 1 (#28817)
  • 0b451f5 Switch NPM publishing to consume from CUDA 13 pipeline (#28773) (#28792)
  • a8baf5c Skip SetupDi device discovery if Win32k system calls are disabled (#28535)
  • 5c34495 fix(quantization): validate bias scale in QDQ Conv → QLinearConv fusion (#28229)
  • 8da5e91 Use abseil for readable POSIX stack traces in debug builds (#28405)
  • 8fcb725 feat(quantization): add opset-21 block_size attribute to QDQ (#28522)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [onnxruntime](https://github.com/microsoft/onnxruntime) from 1.26.0 to 1.27.0.
- [Release notes](https://github.com/microsoft/onnxruntime/releases)
- [Changelog](https://github.com/microsoft/onnxruntime/blob/main/docs/ReleaseManagement.md)
- [Commits](microsoft/onnxruntime@v1.26.0...v1.27.0)

---
updated-dependencies:
- dependency-name: onnxruntime
  dependency-version: 1.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 28, 2026
@Mike-Zhuang

Copy link
Copy Markdown
Owner

已在 main 的 0bf0bbe 统一升级到相同或更高版本,并通过本地构建/测试验证;关闭该 Dependabot PR。

@dependabot @github

dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/onnxruntime-1.27.0 branch June 28, 2026 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant