chore(deps): bump the pip group across 7 directories with 3 updates

[dependabot]

Bumps the pip group with 2 updates in the /composer/2022_airflow_summit directory: apache-airflow and gunicorn.
Bumps the pip group with 1 update in the /composer/airflow_1_samples directory: gunicorn.
Bumps the pip group with 2 updates in the /composer/cicd_sample directory: apache-airflow and gunicorn.
Bumps the pip group with 2 updates in the /composer/workflows directory: apache-airflow and gunicorn.
Bumps the pip group with 1 update in the /dataflow/run-inference directory: transformers.
Bumps the pip group with 1 update in the /kubernetes_engine/django_tutorial directory: gunicorn.
Bumps the pip group with 1 update in the /people-and-planet-ai/weather-forecasting/serving/weather-model directory: transformers.

Updates apache-airflow from 2.8.0 to 2.9.0

Release notes

Sourced from apache-airflow's releases.

Apache Airflow 2.9.0

Significant Changes

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376):

Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514)

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005)

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or have a case-sensitive protocol name.

The method get_permitted_menu_items in BaseAuthManager has been renamed filter_permitted_menu_items (#37627)

Add REST API actions to Audit Log events (#37734)

... (truncated)

Changelog

Sourced from apache-airflow's changelog.

Airflow 2.9.0 (2024-04-08)

Significant Changes ^^^^^^^^^^^^^^^^^^^

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376): """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514) """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005) """"""""""""""""""""""""""""""""""""""""""""""""

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or

... (truncated)

Commits

• 50f22ff fixup! fixup! Update RELEASE_NOTES.rst
• 3a9391c Update hatchling to latest version (1.22.5) (#38780)
• 35684a8 Rename pre-commit scripts, drop pre_commit_ prefix (#38667)
• b38575a fixup! Update RELEASE_NOTES.rst
• a3eb5f7 Load providers configuration when gunicorn workers start (#38795)
• 920921e Update RELEASE_NOTES.rst
• cbe61bc Fix decryption of trigger kwargs when downgrading. (#38743)
• 1fdfaf3 Edited timetable docs (#38505)
• 0518eba Fix grid header rendering (#38720)
• 0961e42 Reorder OpenAPI Spec tags alphabetically (#38717)
• Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates gunicorn from 20.0.4 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates apache-airflow from 2.8.0 to 2.9.0

Release notes

Sourced from apache-airflow's releases.

Apache Airflow 2.9.0

Significant Changes

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376):

Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514)

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005)

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or have a case-sensitive protocol name.

The method get_permitted_menu_items in BaseAuthManager has been renamed filter_permitted_menu_items (#37627)

Add REST API actions to Audit Log events (#37734)

... (truncated)

Changelog

Sourced from apache-airflow's changelog.

Airflow 2.9.0 (2024-04-08)

Significant Changes ^^^^^^^^^^^^^^^^^^^

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376): """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514) """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005) """"""""""""""""""""""""""""""""""""""""""""""""

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or

... (truncated)

Commits

• 50f22ff fixup! fixup! Update RELEASE_NOTES.rst
• 3a9391c Update hatchling to latest version (1.22.5) (#38780)
• 35684a8 Rename pre-commit scripts, drop pre_commit_ prefix (#38667)
• b38575a fixup! Update RELEASE_NOTES.rst
• a3eb5f7 Load providers configuration when gunicorn workers start (#38795)
• 920921e Update RELEASE_NOTES.rst
• cbe61bc Fix decryption of trigger kwargs when downgrading. (#38743)
• 1fdfaf3 Edited timetable docs (#38505)
• 0518eba Fix grid header rendering (#38720)
• 0961e42 Reorder OpenAPI Spec tags alphabetically (#38717)
• Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates apache-airflow from 2.8.0 to 2.9.0

Release notes

Sourced from apache-airflow's releases.

Apache Airflow 2.9.0

Significant Changes

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376):

Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514)

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005)

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or have a case-sensitive protocol name.

The method get_permitted_menu_items in BaseAuthManager has been renamed filter_permitted_menu_items (#37627)

Add REST API actions to Audit Log events (#37734)

... (truncated)

Changelog

Sourced from apache-airflow's changelog.

Airflow 2.9.0 (2024-04-08)

Significant Changes ^^^^^^^^^^^^^^^^^^^

Following Listener API methods are considered stable and can be used for production system (were experimental feature in older Airflow versions) (#36376): """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Lifecycle events:

• on_starting
• before_stopping

DagRun State Change Events:

• on_dag_run_running
• on_dag_run_success
• on_dag_run_failed

TaskInstance State Change Events:

• on_task_instance_running
• on_task_instance_success
• on_task_instance_failed

Support for Microsoft SQL-Server for Airflow Meta Database has been removed (#36514) """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

After discussion <https://lists.apache.org/thread/r06j306hldg03g2my1pd4nyjxg78b3h4>__ and a voting process <https://lists.apache.org/thread/pgcgmhf6560k8jbsmz8nlyoxosvltph2>__, the Airflow's PMC and Committers have reached a resolution to no longer maintain MsSQL as a supported Database Backend.

As of Airflow 2.9.0 support of MsSQL has been removed for Airflow Database Backend.

A migration script which can help migrating the database before upgrading to Airflow 2.9.0 is available in airflow-mssql-migration repo on Github <https://github.com/apache/airflow-mssql-migration>_. Note that the migration script is provided without support and warranty.

This does not affect the existing provider packages (operators and hooks), DAGs can still access and process data from MsSQL.

Dataset URIs are now validated on input (#37005) """"""""""""""""""""""""""""""""""""""""""""""""

Datasets must use a URI that conform to rules laid down in AIP-60, and the value will be automatically normalized when the DAG file is parsed. See documentation on Datasets <https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/datasets.html>_ for a more detailed description on the rules.

You may need to change your Dataset identifiers if they look like a URI, but are used in a less mainstream way, such as relying on the URI's auth section, or

... (truncated)

Commits

• 50f22ff fixup! fixup! Update RELEASE_NOTES.rst
• 3a9391c Update hatchling to latest version (1.22.5) (#38780)
• 35684a8 Rename pre-commit scripts, drop pre_commit_ prefix (#38667)
• b38575a fixup! Update RELEASE_NOTES.rst
• a3eb5f7 Load providers configuration when gunicorn workers start (#38795)
• 920921e Update RELEASE_NOTES.rst
• cbe61bc Fix decryption of trigger kwargs when downgrading. (#38743)
• 1fdfaf3 Edited timetable docs (#38505)
• 0518eba Fix grid header rendering (#38720)
• 0961e42 Reorder OpenAPI Spec tags alphabetically (#38717)
• Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates transformers from 4.36.0 to 4.38.0

Release notes

Sourced from transformers's releases.

v4.38: Gemma, Depth Anything, Stable LM; Static Cache, HF Quantizer, AQLM

New model additions

💎 Gemma 💎

Gemma is a new opensource Language Model series from Google AI that comes with a 2B and 7B variant. The release comes with the pre-trained and instruction fine-tuned versions and you can use them via AutoModelForCausalLM, GemmaForCausalLM or pipeline interface!

Read more about it in the Gemma release blogpost: https://hf.co/blog/gemma

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained("google/gemma-2b", device_map="auto", torch_dtype=torch.float16)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

You can use the model with Flash Attention, SDPA, Static cache and quantization API for further optimizations !

• Flash Attention 2

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", torch_dtype=torch.float16, attn_implementation="flash_attention_2"
)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

• bitsandbytes-4bit

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", load_in_4bit=True
)
</tr></table>

... (truncated)

Commits

• 08ab54a [ gemma] Adds support for Gemma 💎 (#29167)
• 2de9314 [Maskformer] safely get backbone config (#29166)
• 476957b 🚨 Llama: update rope scaling to match static cache changes (#29143)
• 7a4bec6 Release: 4.38.0
• ee3af60 Add support for fine-tuning CLIP-like models using contrastive-image-text exa...
• 0996a10 Revert low cpu mem tie weights (#29135)
• 15cfe38 [Core tokenization] add_dummy_prefix_space option to help with latest is...
• efdd436 FIX [PEFT / Trainer ] Handle better peft + quantized compiled models (#29...
• 5e95dca [cuda kernels] only compile them when initializing (#29133)
• a7755d2 Generate: unset GenerationConfig parameters do not raise warning (#29119)
• Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates transformers from 4.36.0 to 4.38.0

Release notes

Sourced from transformers's releases.

v4.38: Gemma, Depth Anything, Stable LM; Static Cache, HF Quantizer, AQLM

New model additions

💎 Gemma 💎

Gemma is a new opensource Language Model series from Google AI that comes with a 2B and 7B variant. The release comes with the pre-trained and instruction fine-tuned versions and you can use them via AutoModelForCausalLM, GemmaForCausalLM or pipeline interface!

Read more about it in the Gemma release blogpost: https://hf.co/blog/gemma

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained("google/gemma-2b", device_map="auto", torch_dtype=torch.float16)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

You can use the model with Flash Attention, SDPA, Static cache and quantization API for further optimizations !

• Flash Attention 2

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", torch_dtype=torch.float16, attn_implementation="flash_attention_2"
)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

• bitsandbytes-4bit

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", load_in_4bit=True
)
</tr></table>

... (truncated)

Commits

• 08ab54a [ gemma] Adds support for Gemma 💎 (#29167)
• 2de9314 [Maskformer] safely get backbone config (#29166)
• 476957b 🚨 Llama: update rope scaling to match static cache changes (#29143)
• 7a4bec6 Release: 4.38.0
• ee3af60 Add support for fine-tuning CLIP-like models using contrastive-image-text exa...
• 0996a10 Revert low cpu mem tie weights (#29135)
...

Description has been truncated