Sourced from tensorflow's releases.

TensorFlow 2.7.1

Release 2.7.1

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)
• Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)
• Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)
• Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)
• Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)
• Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)
• Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)
• Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)
• Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)
• Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)
• Fixes an integer overflow in TFLite array creation (CVE-2022-23558)
• Fixes an integer overflow in TFLite (CVE-2022-23559)
• Fixes a dangerous OOB write in TFLite (CVE-2022-23561)
• Fixes a vulnerability leading to read and write outside of bounds in TFLite (CVE-2022-23560)
• Fixes a set of vulnerabilities caused by using insecure temporary files (CVE-2022-23563)
• Fixes an integer overflow in Range resulting in undefined behavior and OOM (CVE-2022-23562)
• Fixes a vulnerability where missing validation causes tf.sparse.split to crash when axis is a tuple (CVE-2021-41206)
• Fixes a CHECK-fail when decoding resource handles from proto (CVE-2022-23564)
• Fixes a CHECK-fail with repeated AttrDef (CVE-2022-23565)
• Fixes a heap OOB write in Grappler (CVE-2022-23566)
• Fixes a CHECK-fail when decoding invalid tensors from proto (CVE-2022-23571)
• Fixes a null-dereference when specializing tensor type (CVE-2022-23570)
• Fixes a crash when type cannot be specialized (CVE-2022-23572)
• Fixes a heap OOB read/write in SpecializeType (CVE-2022-23574)
• Fixes an unitialized variable access in AssignOp (CVE-2022-23573)
• Fixes an integer overflow in OpLevelCostEstimator::CalculateTensorSize (CVE-2022-23575)
• Fixes an integer overflow in OpLevelCostEstimator::CalculateOutputSize (CVE-2022-23576)
• Fixes a null dereference in GetInitOp (CVE-2022-23577)
• Fixes a memory leak when a graph node is invalid (CVE-2022-23578)
• Fixes an abort caused by allocating a vector that is too large (CVE-2022-23580)
• Fixes multiple CHECK-failures during Grappler's IsSimplifiableReshape (CVE-2022-23581)
• Fixes multiple CHECK-failures during Grappler's SafeToRemoveIdentity (CVE-2022-23579)
• Fixes multiple CHECK-failures in TensorByteSize (CVE-2022-23582)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.7.1

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)
• Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)
• Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)
• Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)
• Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)
• Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)
• Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)
• Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)
• Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)
• Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)

... (truncated)

• 2a0f59e Merge pull request #54212 from tensorflow/disable-flaky-tests-on-r2.7
• 937f21f Disable flaky test
• 9998338 Merge pull request #54202 from tensorflow/fix-sanity-on-r2.7
• 2c50ffd Reorder tags to fix buildifier linting
• f5f1bd7 Merge pull request #54199 from tensorflow/cherrypick-510ae18200d0a4fad797c0bf...
• f6bb419 Set Env Variable to override Setuptools new behavior
• 28d73d4 Merge pull request #54175 from tensorflow-jenkins/relnotes-2.7.1-14226
• afffde4 Update RELEASE.md
• daa1073 Merge pull request #54189 from tensorflow/revert-54188-revert-54183-cherrypic...
• 3d53027 Update third_party/icu/workspace.bzl
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.8.0

Release 2.8.0

Major Features and Improvements

• tf.lite:

  • Added TFLite builtin op support for the following TF ops:
    • tf.raw_ops.Bucketize op on CPU.
    • tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.
    • tf.random.normal op for output data type tf.float32 on CPU.
    • tf.random.uniform op for output data type tf.float32 on CPU.
    • tf.random.categorical op for output data type tf.int64 on CPU.

• tensorflow.experimental.tensorrt:

  • conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and allow_build_at_runtime.
  • Added a new parameter called save_gpu_specific_engines to the .save() function inside TrtGraphConverterV2. When False, the .save() function won't save any TRT engines that have been built. When True (default), the original behavior is preserved.
  • TrtGraphConverterV2 provides a new API called .summary() which outputs a summary of the inference converted by TF-TRT. It namely shows each TRTEngineOp with their input(s)' and output(s)' shape and dtype. A detailed version of the summary is available which prints additionally all the TensorFlow OPs included in each of the TRTEngineOps.

• tf.tpu.experimental.embedding:

  • tf.tpu.experimental.embedding.FeatureConfig now takes an additional argument output_shape which can specify the shape of the output activation for the feature.
  • tf.tpu.experimental.embedding.TPUEmbedding now has the same behavior as tf.tpu.experimental.embedding.serving_embedding_lookup which can take arbitrary rank of dense and sparse tensor. For ragged tensor, though the input tensor remains to be rank 2, the activations now can be rank 2 or above by specifying the output shape in the feature config or via the build method.

• Add tf.config.experimental.enable_op_determinism, which makes TensorFlow ops run deterministically at the cost of performance. Replaces the TF_DETERMINISTIC_OPS environmental variable, which is now deprecated. The "Bug Fixes and Other Changes" section lists more determinism-related changes.

• (Since TF 2.7) Add PluggableDevice support to TensorFlow Profiler.

Bug Fixes and Other Changes

• tf.data:

  • The optimization parallel_batch now becomes default if not disabled by users, which will parallelize copying of batch elements.
  • Added the ability for TensorSliceDataset to identify and handle inputs that are files. This enables creating hermetic SavedModels when using datasets created from files.
    • The optimization parallel_batch now becomes default if not disabled by users, which will parallelize copying of batch elements.
    • Added the ability for TensorSliceDataset to identify and handle inputs that are files. This enables creating hermetic SavedModels when using datasets created from files.

• tf.lite:

  • Adds GPU Delegation support for serialization to Java API. This boosts initialization time up to 90% when OpenCL is available.
  • Deprecated Interpreter::SetNumThreads, in favor of InterpreterBuilder::SetNumThreads.

• tf.keras:

  • Adds tf.compat.v1.keras.utils.get_or_create_layer to aid migration to TF2 by enabling tracking of nested keras models created in TF1-style, when used with the tf.compat.v1.keras.utils.track_tf1_style_variables decorator.
  • Added a tf.keras.layers.experimental.preprocessing.HashedCrossing layer which applies the hashing trick to the concatenation of crossed scalar inputs. This provides a stateless way to try adding feature crosses of integer or string data to a model.
  • Removed keras.layers.experimental.preprocessing.CategoryCrossing. Users should migrate to the HashedCrossing layer or use tf.sparse.cross/tf.ragged.cross directly.
  • Added additional standardize and split modes to TextVectorization:
    • standardize="lower" will lowercase inputs.
    • standardize="string_punctuation" will remove all puncuation.
    • split="character" will split on every unicode character.
  • Added an output_mode argument to the Discretization and Hashing layers with the same semantics as other preprocessing layers. All categorical preprocessing layers now support output_mode.
  • All preprocessing layer output will follow the compute dtype of a tf.keras.mixed_precision.Policy, unless constructed with output_mode="int" in which case output will be tf.int64. The output type of any preprocessing layer can be controlled individually by passing a dtype argument to the layer.
  • tf.random.Generator for keras initializers and all RNG code.
  • Added 3 new APIs for enable/disable/check the usage of tf.random.Generator in keras backend, which will be the new backend for all the RNG in Keras. We plan to switch on the new code path by default in tf 2.8, and the behavior change will likely to cause some breakage on user side (eg if the test is checking against some golden nubmer). These 3 APIs will allow user to disable and switch back to legacy behavior if they prefer. In future (eg TF 2.10), we expect to totally remove the legacy code path (stateful random Ops), and these 3 APIs will be removed as well.

... (truncated)

Sourced from tensorflow's changelog.

Release 2.8.0

Major Features and Improvements

• tf.lite:

  • Added TFLite builtin op support for the following TF ops:
    • tf.raw_ops.Bucketize op on CPU.
    • tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.
    • tf.random.normal op for output data type tf.float32 on CPU.
    • tf.random.uniform op for output data type tf.float32 on CPU.
    • tf.random.categorical op for output data type tf.int64 on CPU.

• tensorflow.experimental.tensorrt:

  • conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and allow_build_at_runtime.
  • Added a new parameter called save_gpu_specific_engines to the .save() function inside TrtGraphConverterV2. When False, the .save() function won't save any TRT engines that have been built. When True (default), the original behavior is preserved.
  • TrtGraphConverterV2 provides a new API called .summary() which outputs a summary of the inference converted by TF-TRT. It namely shows each TRTEngineOp with their input(s)' and output(s)' shape and dtype. A detailed version of the summary is available which prints additionally all the TensorFlow OPs included in each of the TRTEngineOps.

• tf.tpu.experimental.embedding:

  • tf.tpu.experimental.embedding.FeatureConfig now takes an additional argument output_shape which can specify the shape of the output activation for the feature.
  • tf.tpu.experimental.embedding.TPUEmbedding now has the same behavior as tf.tpu.experimental.embedding.serving_embedding_lookup which can take arbitrary rank of dense and sparse tensor. For ragged tensor, though the input tensor remains to be rank 2, the activations now can be rank 2 or above by specifying the output shape in the feature config or via the build method.

• Add tf.config.experimental.enable_op_determinism, which makes TensorFlow ops run deterministically at the cost of performance. Replaces the TF_DETERMINISTIC_OPS environmental variable, which is now deprecated. The "Bug Fixes and Other Changes" section lists more determinism-related changes.

• (Since TF 2.7) Add

... (truncated)

• 3f878cf Merge pull request #54226 from tensorflow-jenkins/version-numbers-2.8.0-22199
• 54307e6 Update version numbers to 2.8.0
• 2f2bdd2 Merge pull request #54193 from tensorflow/update-release-notes
• 97e2f16 Update release notes with security advisories/updates
• 93e224e Merge pull request #54182 from tensorflow/cherrypick-93323537ac0581a88af827af...
• 14defd0 Bump ICU to 69.1 to handle CVE-2020-10531.
• 0a20763 Merge pull request #54159 from tensorflow/cherrypick-b1756cf206fc4db86f05c420...
• b7ecb36 Bump the maximum threshold before erroring
• e542736 Merge pull request #54123 from terryheo/windows-fix-r2.8
• 8dd07bd lite: Update Windows tensorflowlite_flex.dll build
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.21.0

NumPy 1.21.0 Release Notes

The NumPy 1.21.0 release highlights are

• continued SIMD work covering more functions and platforms,
• initial work on the new dtype infrastructure and casting,
• universal2 wheels for Python 3.8 and Python 3.9 on Mac,
• improved documentation,
• improved annotations,
• new PCG64DXSM bitgenerator for random numbers.

In addition there are the usual large number of bug fixes and other improvements.

The Python versions supported for this release are 3.7-3.9. Official support for Python 3.10 will be added when it is released.

:warning: Warning: there are unresolved problems compiling NumPy 1.21.0 with gcc-11.1 .

• Optimization level -O3 results in many wrong warnings when running the tests.
• On some hardware NumPy will hang in an infinite loop.

New functions

Add PCG64DXSM BitGenerator

Uses of the PCG64 BitGenerator in a massively-parallel context have been shown to have statistical weaknesses that were not apparent at the first release in numpy 1.17. Most users will never observe this weakness and are safe to continue to use PCG64. We have introduced a new PCG64DXSM BitGenerator that will eventually become the new default BitGenerator implementation used by default_rng in future releases. PCG64DXSM solves the statistical weakness while preserving the performance and the features of PCG64.

See upgrading-pcg64 for more details.

(gh-18906)

Expired deprecations

• The shape argument numpy.unravel_index cannot be passed as dims keyword argument anymore. (Was deprecated in NumPy 1.16.)

... (truncated)

• b235f9e Merge pull request #19283 from charris/prepare-1.21.0-release
• 34aebc2 MAINT: Update 1.21.0-notes.rst
• 493b64b MAINT: Update 1.21.0-changelog.rst
• 07d7e72 MAINT: Remove accidentally created directory.
• 032fca5 Merge pull request #19280 from charris/backport-19277
• 7d25b81 BUG: Fix refcount leak in ResultType
• fa5754e BUG: Add missing DECREF in new path
• 61127bb Merge pull request #19268 from charris/backport-19264
• 143d45f Merge pull request #19269 from charris/backport-19228
• d80e473 BUG: Removed typing for == and != in dtypes
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• e321e76 release 7.31.1
• 67ca2b3 Merge pull request from GHSA-pq7m-3gw7-gq5x
• 2794330 back to dev
• be343e7 release 7.31.0
• 0fcf2c4 Merge pull request #13428 from meeseeksmachine/auto-backport-of-pr-13427-on-7.x
• b8db9b1 Backport PR #13427: wn 731
• 7f253dc Merge pull request #13412 from bnavigator/backport-inspect
• 4f26796 fix xxlimited_35 import name
• 77ca4a6 don't run nose-based iptest on py310, only pytest
• 533e509 back to decorator skip
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.