OPENNLP-1802: Update ONNX runtime to 1.24.3

[dependabot]

Bumps onnxruntime.version from 1.24.2 to 1.24.3.
Updates com.microsoft.onnxruntime:onnxruntime from 1.24.2 to 1.24.3

Release notes

Sourced from com.microsoft.onnxruntime:onnxruntime's releases.

ONNX Runtime v1.24.3

This is a patch release for ONNX Runtime 1.24, containing bug fixes, security improvements, performance enhancements, and execution provider updates.

Security Fixes

• Core: Fixed GatherCopyData integer truncation leading to heap out-of-bounds read/write. (#27444)
• Core: Fixed RoiAlign heap out-of-bounds read via unchecked batch_indices. (#27543)
• Core: Prevent heap OOB from maliciously crafted Lora Adapters. (#27518)
• Core: Fixed out-of-bounds access for Resize operation. (#27419)

Bug Fixes

• Core: Fixed GatherND division by zero when batch dimensions mismatch. (#27090)
• Core: Fixed validation for external data paths for models loaded from bytes. (#27430)
• Core: Fixed SkipLayerNorm fusion incorrectly applied when gamma/beta are not 1D. (#27459)
• Core: Fixed double-free in TRT EP custom op domain Release functions. (#27471)
• Core: Fixed QMoE CPU Operator. (#27360)
• Core: Fixed MatmulNBits prepacking scales. (#27412)
• Python: Fixed refcount bug in map input conversion that caused shutdown segfault. (#27413)
• NuGet: Fixed DllImportResolver. (#27397)
• NuGet: Added OrtEnv.DisableDllImportResolver to prevent fatal error on resolver conflict. (#27535)

Performance Improvements

• Core: QMoE CPU performance update (up to 4x on 4-bit). (#27364)
• Core: Fixed O(n²) model load time for TreeEnsemble with categorical feature chains. (#27391)

Execution Provider Updates

• NvTensorRtRtx EP:
  • Avoid repetitive creation of fp4/fp8 native-custom-op domains. (#27192)
  • Added missing override specifiers to suppress warnings. (#27288)
  • DQ→MatMulNBits fusion transformer. (#27466)
• WebGPU:
  • Used embedded WASM module in Blob URL workers when wasmBinary is provided. (#27318)
  • Fixed usage of wasmBinary together with a blob URL for .mjs. (#27411)
  • Removed the unhelpful "Unknown CPU vendor" warning. (#27399)
  • Allows new memory info name for WebGPU. (#27475)
• MLAS:
  • Added DynamicQGemm function pointers and ukernel interface. (#27403)
  • Fixed error where bytes is not assigned for dynamic qgemm pack b size. (#27421)
• VitisAI EP: Removed s_kernel_registry_vitisaiep.reset() in deinitialize_vitisai_ep(). (#27295)
• Plugin EPs: Added "library_path" metadata entry to OrtEpDevice instances for plugin and provider bridge EPs. (#27522)

Build and Infrastructure

• Pipelines:
  • Build Windows ARM64X binaries as part of packaging pipeline. (#27316)
  • Moved JAR testing pipelines to canonical pipeline template. (#27480)
• Python: Enabled Python 3.14 CI and upgraded dependencies. (#27401)
• Build: Suppressed spurious Array Out of Bounds warnings produced by GCC 14.2 compiler on Linux builds. (#27454)
• Build: Fixed -Warray-bounds build error in MLAS on clang 17+. (#27499)
• Telemetry: Added/Updated telemetry events. (#27356)
• Config: Increased kMaxValueLength to 8192. (#27521)

... (truncated)

Commits

• 3a728b7 ORT 1.24.3 release cherry pick round 4 (#27558)
• dd6a854 ORT 1.24.3 release cherry pick round 3 (#27501)
• 15c006b ORT 1.24.3 release cherry pick round 2 (#27492)
• ee26608 ORT 1.24.3 release cherry pick round 1 (#27476)
• See full diff in compare view

Updates com.microsoft.onnxruntime:onnxruntime_gpu from 1.24.2 to 1.24.3

Release notes

Sourced from com.microsoft.onnxruntime:onnxruntime_gpu's releases.

ONNX Runtime v1.24.3

This is a patch release for ONNX Runtime 1.24, containing bug fixes, security improvements, performance enhancements, and execution provider updates.

Security Fixes

• Core: Fixed GatherCopyData integer truncation leading to heap out-of-bounds read/write. (#27444)
• Core: Fixed RoiAlign heap out-of-bounds read via unchecked batch_indices. (#27543)
• Core: Prevent heap OOB from maliciously crafted Lora Adapters. (#27518)
• Core: Fixed out-of-bounds access for Resize operation. (#27419)

Bug Fixes

• Core: Fixed GatherND division by zero when batch dimensions mismatch. (#27090)
• Core: Fixed validation for external data paths for models loaded from bytes. (#27430)
• Core: Fixed SkipLayerNorm fusion incorrectly applied when gamma/beta are not 1D. (#27459)
• Core: Fixed double-free in TRT EP custom op domain Release functions. (#27471)
• Core: Fixed QMoE CPU Operator. (#27360)
• Core: Fixed MatmulNBits prepacking scales. (#27412)
• Python: Fixed refcount bug in map input conversion that caused shutdown segfault. (#27413)
• NuGet: Fixed DllImportResolver. (#27397)
• NuGet: Added OrtEnv.DisableDllImportResolver to prevent fatal error on resolver conflict. (#27535)

Performance Improvements

• Core: QMoE CPU performance update (up to 4x on 4-bit). (#27364)
• Core: Fixed O(n²) model load time for TreeEnsemble with categorical feature chains. (#27391)

Execution Provider Updates

• NvTensorRtRtx EP:
  • Avoid repetitive creation of fp4/fp8 native-custom-op domains. (#27192)
  • Added missing override specifiers to suppress warnings. (#27288)
  • DQ→MatMulNBits fusion transformer. (#27466)
• WebGPU:
  • Used embedded WASM module in Blob URL workers when wasmBinary is provided. (#27318)
  • Fixed usage of wasmBinary together with a blob URL for .mjs. (#27411)
  • Removed the unhelpful "Unknown CPU vendor" warning. (#27399)
  • Allows new memory info name for WebGPU. (#27475)
• MLAS:
  • Added DynamicQGemm function pointers and ukernel interface. (#27403)
  • Fixed error where bytes is not assigned for dynamic qgemm pack b size. (#27421)
• VitisAI EP: Removed s_kernel_registry_vitisaiep.reset() in deinitialize_vitisai_ep(). (#27295)
• Plugin EPs: Added "library_path" metadata entry to OrtEpDevice instances for plugin and provider bridge EPs. (#27522)

Build and Infrastructure

• Pipelines:
  • Build Windows ARM64X binaries as part of packaging pipeline. (#27316)
  • Moved JAR testing pipelines to canonical pipeline template. (#27480)
• Python: Enabled Python 3.14 CI and upgraded dependencies. (#27401)
• Build: Suppressed spurious Array Out of Bounds warnings produced by GCC 14.2 compiler on Linux builds. (#27454)
• Build: Fixed -Warray-bounds build error in MLAS on clang 17+. (#27499)
• Telemetry: Added/Updated telemetry events. (#27356)
• Config: Increased kMaxValueLength to 8192. (#27521)

... (truncated)

Commits

• 3a728b7 ORT 1.24.3 release cherry pick round 4 (#27558)
• dd6a854 ORT 1.24.3 release cherry pick round 3 (#27501)
• 15c006b ORT 1.24.3 release cherry pick round 2 (#27492)
• ee26608 ORT 1.24.3 release cherry pick round 1 (#27476)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)