Bump onnx from 1.12.0 to 1.22.0#21
Conversation
Bumps [onnx](https://github.com/onnx/onnx) from 1.12.0 to 1.22.0. - [Release notes](https://github.com/onnx/onnx/releases) - [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md) - [Commits](onnx/onnx@v1.12.0...v1.22.0) --- updated-dependencies: - dependency-name: onnx dependency-version: 1.22.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 5952cc2. Configure here.
| oauthlib==3.2.2 | ||
| omegaconf==2.3.0 | ||
| onnx==1.12.0 | ||
| onnx==1.22.0 |
There was a problem hiding this comment.
Onnx bump breaks dependency pins
High Severity
Bumping onnx to 1.22.0 without updating other pins leaves requirements.txt internally inconsistent: onnx 1.22 requires protobuf ≥4.25.1, ml-dtypes ≥0.5.4, typing_extensions ≥4.15.0, and Python ≥3.10, while the file still pins older versions and CI still tests 3.8–3.9.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 5952cc2. Configure here.
There was a problem hiding this comment.
Risk: medium. Not approving: Bugbot reported an unresolved high-severity dependency pin conflict (onnx==1.22.0 vs pinned protobuf, ml-dtypes, typing_extensions, and Python 3.8–3.9 CI). Human review needed to reconcile pins or reject the bump; reviewers assigned.
Sent by Cursor Approval Agent: Pull Request Approver




Bumps onnx from 1.12.0 to 1.22.0.
Release notes
Sourced from onnx's releases.
... (truncated)
Commits
2bb5046Fix windows workflows on rel-1.22.0 branch (#8087)eda0385Update version number to 1.22.0 (#8086)b124e01Bump version number to 1.22.0rc2 (#8071)8de2cf6Cherrypicks for 1.22.0rc2 (#8066)53d6120Cherry-pick: Address shape inference issues in Conv (#8051) to rel-1.22.0 (#8...bc3be77Set version number to 1.22.0rc1 (#8024)e945daffeat(generator): extend Range operator with float16 and bfloat16 support (ops...293ad62Run lints also on Windows (#8014)8847da4Follow up for scikit-build-core migration (#8017)882a5efFix/sdist missing SBOM cdx json (#8010)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Large semver jump in a core ML serialization library used transitively for ONNX inference; possible install or runtime incompatibility with onnxruntime, NudeNet, or protobuf pins without application code changes.
Overview
Dependabot bumps the pinned
onnxpackage inrequirements.txtfrom 1.12.0 to 1.22.0 (the only code change in this PR).onnxis not imported directly in the repo; it sits in the lockfile as a transitive dependency for stacks like NudeNet / onnxruntime and related ML tooling. ONNX 1.22 adds new operators and includes breaking spec changes (e.g.qk_matmul_output_modeordering) across many intermediate releases since 1.12.Reviewers should confirm
pip check/ CI install still pass and that ONNX-based inference (e.g. NudeNet’s.onnxclassifier) behaves as before with the pinnedonnxruntime==1.18.0andprotobuf==3.19.6.Reviewed by Cursor Bugbot for commit 5952cc2. Bugbot is set up for automated code reviews on this repo. Configure here.