[Snyk] Upgrade onnxruntime-node from 1.14.0 to 1.23.2

[sestinj]

Snyk has created this PR to upgrade onnxruntime-node from 1.14.0 to 1.23.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 55 versions ahead of your current version.

• The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Uncaught Exception SNYK-JS-FASTXMLPARSER-15155603	452	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	452	Proof of Concept
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	452	Proof of Concept
	Prototype Pollution SNYK-JS-JSYAML-13961110	452	No Known Exploit

Release notes

Package name: onnxruntime-node

• 1.23.2 - 2025-11-04
  

  ORT 1.23.2 cherrypick 1 (#26368)

  Adds the following commits to the release-1.23.2 branch for ORT 1.23.2:

  - [TensorRT] Fix DDS output bug during engine update
  - PR: #26272
  - commit id: 00e85dd
  - Fix shape inference failure with in-memory external data
  - PR: #26263
  - commit id: d955476
  - [CUDA] replace 90a-virtual by 90-virtual for forward compatible
  - PR: #26230
  - commit id: b58911f
  - [QNN-EP] Fix logic flow bug
  - PR: #26148
  - commit id: b282379
  - Internal Dupe of #25255 - [MLAS] Optimize MlasConv using thread
  partition opt
  - PR: #26103
  - commit id: 7362518
  - Update qMoE spec to support block quantization
  - PR: #25641
  - commit id: 7a8ffa8
  - [VitisAI] add new api to VitisAI to save graph as a string
  - PR: #25602
  - commit id: 3361d72
  - [[Build] Lock torch, onnxscript and onnx-ir versions to latest]
  - PR: #26315
  - commit id: ea69c4d

  ---------

  Co-authored-by: Hariharan Seshadri <shariharan91@gmail.com>
  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@ users.noreply.github.com>
  Co-authored-by: Edward Chen <18449977+edgchen1@users.noreply.github.com>
  Co-authored-by: Yateng Hong <toothache9010@gmail.com>
  Co-authored-by: Changming Sun <chasun@microsoft.com>
  Co-authored-by: Dmitri Smirnov <dmitrism@microsoft.com>
  Co-authored-by: Tianlei Wu <tlwu@microsoft.com>
  Co-authored-by: quic-calvnguy <quic_calvnguy@quicinc.com>
  Co-authored-by: quic_calvnguy <quic_calvnguy@quic_inc.com>
  Co-authored-by: yifei410 <31260809+yifei410@users.noreply.github.com>
  Co-authored-by: yifei <y.zhou@xilinx.com>

• 1.23.0 - 2025-09-26
  

  Announcements

  • This release introduces Execution Provider (EP) Plugin API, which is a new infrastructure for building plugin-based EPs. (#24887 , #25137, #25124, #25147, #25127, #25159, #25191, #2524)

  • This release introduces the ability to dynamically download and install execution providers. This feature is exclusively available in the WinML build and requires Windows 11 version 25H2 or later. To leverage this new capability, C/C++/C# users should use the builds distributed through the Windows App SDK, and Python users should install the onnxruntime-winml package(will be published soon). We encourage users who can upgrade to the latest Windows 11 to utilize the WinML build to take advantage of this enhancement.

  Upcoming Changes

  • The next release will stop providing x86_64 binaries for macOS and iOS operating systems.
  • The next release will increase the minimum supported macOS version from 13.4 to 14.0.
  • The next release will stop providing python 3.10 wheels.

  Execution & Core Optimizations

  Shutdown logic on Windows is simplified

  Now on Windows some global object will be not destroyed if we detect that the process is being shutting down(#24891) . It will not cause memory leak as when a process ends all the memory will be returned to the operating system. This change can reduce the chance of having crashes on process exit.

  AutoEP/Device Management

  Now ONNX Runtime has the ability to automatically discovery computing devices and select the best EPs to download and register. The EP downloading feature currently only works on Windows 11 version 25H2 or later.

  Execution Provider (EP) Updates

  ROCM EP was removed from the source tree. Users are recommended to use Migraphx or Vitis AI EPs from AMD.
  A new EP, Nvidia TensorRT RTX, was added.

  Web

  EMDSK is upgraded from 4.0.4 to 4.0.8

  WebGPU EP

  Added WGSL template support.

  QNN EP

  SDK Update: Added support for QNN SDK 2.37.

  KleidiAI

  Enhanced performance for SGEMM, IGEMM, and Dynamic Quantized MatMul operations, especially for Conv2D operators on hardware that supports SME2 (Scalable Matrix Extension v2).

  Known Problems

  • There was a change in build.py that was related to KleidiAI that may cause build failures when doing cross-compiling (#26175) .

  Contributions

  Contributors to ONNX Runtime include members across teams at Microsoft, along with our community members:

  @ 1duo, @ Akupadhye, @ amarin16, @ AndreyOrb, @ ankan-ban, @ ankitm3k, @ anujj, @ aparmp-quic, @ arnej27959, @ bachelor-dou, @ benjamin-hodgson, @ Bonoy0328, @ chenweng-quic, @ chuteng-quic, @ clementperon, @ co63oc, @ daijh, @ damdoo01-arm, @ danyue333, @ fanchenkong1, @ gedoensmax, @ genarks, @ gnedanur, @ Honry, @ huaychou, @ ianfhunter, @ ishwar-raut1, @ jing-bao, @ joeyearsley, @ johnpaultaken, @ jordanozang, @ JulienMaille, @ keshavv27, @ kevinch-nv, @ khoover, @ krahenbuhl, @ kuanyul-quic, @ mauriciocm9, @ mc-nv, @ minfhong-quic, @ mingyueliuh, @ MQ-mengqing, @ NingW101, @ notken12, @ omarhass47, @ peishenyan, @ pkubaj, @ qc-tbhardwa, @ qti-jkilpatrick, @ qti-yuduo, @ quic-ankus, @ quic-ashigarg, @ quic-ashwshan, @ quic-calvnguy, @ quic-hungjuiw, @ quic-tirupath, @ qwu16, @ ranjitshs, @ saurabhkale17, @ schuermans-slx, @ sfatimar, @ stefantalpalaru, @ sunnyshu-intel, @ TedThemistokleous, @ thevishalagarwal, @ toothache, @ umangb-09, @ vatlark, @ VishalX, @ wcy123, @ xhcao, @ xuke537, @ zhaoxul-qti

• 1.23.0-dev.20250906-ecb26fb775 - 2025-09-06
• 1.23.0-dev.20250829-4754a1d64e - 2025-08-29
• 1.23.0-dev.20250821-75f848097e - 2025-08-21
• 1.23.0-dev.20250810-5d77b73c4e - 2025-08-11
• 1.23.0-dev.20250809-bf74e5568b - 2025-08-10
• 1.23.0-dev.20250807-33debbeea1 - 2025-08-07
• 1.23.0-dev.20250802-562760a567 - 2025-08-03
• 1.23.0-dev.20250802-4004a15ba7 - 2025-08-02
• 1.23.0-dev.20250731-e753643480 - 2025-07-31
• 1.23.0-dev.20250703-7fc6235861 - 2025-07-03
• 1.23.0-dev.20250612-70f14d7670 - 2025-06-12
• 1.23.0-dev.20250602-03b22ffc42 - 2025-06-03
• 1.23.0-dev.20250522-ad7b0e368d - 2025-05-24
• 1.23.0-dev.20250515-00bd398d54 - 2025-05-16
• 1.23.0-dev.20250509-3dc91e6c31 - 2025-05-10
• 1.22.0 - 2025-05-09
  

  Announcements

  • This release introduces new API's for Model Editor, Auto EP infrastructure, and AOT Compile
  • OnnxRuntime GPU packages require CUDA 12.x , packages built for CUDA 11.x are no longer published.
  • The min supported Windows version is now 10.0.19041.

  GenAI & Advanced Model Features

  • Constrained Decoding: Introduced new capabilities for constrained decoding, offering more control over generative AI model outputs.

  Execution & Core Optimizations

  Core

  • Auto EP Selection Infrastructure: Added foundational infrastructure to enable automatic selection of Execution Providers via selection policies, aiming to simplify configuration and optimize performance. (Pull Request #24430)
  • Compile API: Introduced new APIs to support explicit compilation of ONNX models.
    • See: OrtCompileApi Struct Reference (Assuming a similar link structure for future documentation)
    • See: EP Context Design (Assuming a similar link structure for future documentation)
  • Model Editor API api's for creating or editing ONNX models
    • See: OrtModelEditorApi

  Execution Provider (EP) Updates

  CPU EP/MLAS

  • KleidiAI Integration: Integrated KleidiAI into ONNX Runtime/MLAS for enhanced performance on Arm architectures.
  • MatMulNBits Support: Added support for MatMulNBits, enabling matrix multiplication with weights quantized to 8 bits.
  • GroupQueryAttention optimizations and enhancements

  OpenVINO EP

  • Added support up to OpenVINO 2025.1
  • Introduced Intel compiler level optimizations for QDQ models.
  • Added support to select Intel devices based on LUID
  • Load_config feature improvement to support AUTO, HETERO and MULTI plugin.
  • misc bugfixes/optimizations
  • For detailed updates, refer to Pull Request #24394: ONNXRuntime OpenVINO - Release 1.22

  QNN EP

  • SDK Update: Added support for QNN SDK 2.33.2.
  • operator updates/support to Sum, Softmax, Upsample, Expand, ScatterND, Einsum
  • QNN EP can be built as shared or static library.
  • enable QnnGpu backend
  • For detailed updates refer to recent QNN tagged PR's

  TensorRT EP

  • TensorRT Version: Added support for TensorRT 10.9.
    • Note for onnx-tensorrt open-source parser users: Please check here for specific requirements (Referencing 1.21 link as a placeholder, this should be updated for 1.22).
  • New Features:
    • EP option to enable TRT Preview Feature
    • Support to load TensorRT V3 plugin
  • Bug Fixes:
    • Resolved an issue related to multithreading scenarios.
    • Fixed incorrect GPU usage that affected both TensorRT EP and CUDA EP.

  NV TensorRT RTX EP

  • New Execution Provider: Introduced a new Execution Provider specifically for Nvidia RTX GPUs, leveraging TensorRT for optimized performance.

  CUDA EP

  • MatMulNBits Enhancement: Added support for 8-bit weight-only quantization in MatMulNBits.
  • Bug Fixes:
    • Fixed incorrect GPU usage (also mentioned under TensorRT EP).

  VitisAI EP

  • Miscellaneous bug fixes and improvements.

  Infrastructure & Build Improvements

  Build System & Packages

  • QNN Nuget Package: The QNN Nuget package is now built as ARM64x.

  Dependencies / Version Updates

  • CUDA Version Update: This release includes an update to the CUDA version. Users should consult the documentation for specific version requirements. CUDA 11 based GPU packages no longer published.

  Web

  • WebGPU Expansion:
    • Added WebGPU support to the node.js package (Windows and macOS).
    • Enabled WebGPU when building from source for macOS, Linux, and Windows.

  Mobile

  • No major updates of note this release.

  Contributions

  Contributors to ONNX Runtime include members across teams at Microsoft, along with our community members:

  Yulong Wang, Jian Chen, Changming Sun, Satya Kumar Jandhyala, Hector Li, Prathik Rao, Adrian Lizarraga, Jiajia Qin, Scott McKay, Jie Chen, Tianlei Wu, Edward Chen, Wanming Lin, xhcao, vraspar, Dmitri Smirnov, Jing Fang, Yifan Li, Caroline Zhu, Jianhui Dai, Chi Lo, Guenther Schmuelling, Ryan Hill, Sushanth Rajasankar, Yi-Hong Lyu, Ankit Maheshkar, Artur Wojcik, Baiju Meswani, David Fan, Enrico Galli, Hans, Jambay Kinley, John Paul, Peishen Yan, Yateng Hong, amarin16, chuteng-quic, kunal-vaishnavi, quic-hungjuiw, Alessio Soldano, Andreas Hussing, Ashish Garg, Ashwath Shankarnarayan, Chengdong Liang, Clément Péron, Erick Muñoz, Fanchen Kong, George Wu, Haik Silm, Jagadish Krishnamoorthy, Justin Chu, Karim Vadsariya, Kevin Chen, Mark Schofield, Masaya, Kato, Michael Tyler, Nenad Banfic, Ningxin Hu, Praveen G, Preetha Veeramalai, Ranjit Ranjan, Seungtaek Kim, Ti-Tai Wang, Xiaofei Han, Yueqing Zhang, co63oc, derdeljan-msft, genmingz@AMD, jiangzhaoming, jing-bao, kuanyul-quic, liqun Fu, minfhong-quic, mingyue, quic-tirupath, quic-zhaoxul, saurabh, selenayang888, sfatimar, sheetalarkadam, virajwad, zz002, Ștefan Talpalaru

• 1.22.0-rev - 2025-06-02
• 1.22.0-dev.20250418-c19a49615b - 2025-04-18
• 1.22.0-dev.20250415-c18e06d5e3 - 2025-04-15
• 1.21.1 - 2025-04-21
  

  What's new?

  • Extend CMAKE_CUDA_FLAGS with all Blackwell compute capacity #23928 - @ yf711
  • [ARM CPU] Fix fp16 const initialization on no-fp16 platform #23978 - @ fajin-corp
  • [TensorRT EP] Call cudaSetDevice at compute function for handling multithreading scenario #24010 - @ chilo-ms
  • Fix attention bias broadcast #24017 - @ tianleiwu
  • Deleted the constant SKIP_CUDA_TEST_WITH_DML #24113 - @ CodingSeaotter
  • [QNN EP] ARM64EC python package remove --vcpkg in build #24174 - @ jywu-msft
  • [wasm] remove --vcpkg in wasm build #24179 - @ fs-eire
• 1.21.0 - 2025-03-08
  

  Announcements

  • No large announcements of note this release! We've made a lot of small refinements to streamline your ONNX Runtime experience.

  GenAI & Advanced Model Features

  Enhanced Decoding & Pipeline Support

  • Added "chat mode" support for CPU, GPU, and WebGPU.
  • Provided support for decoder model pipelines.
  • Added support for Java API for MultiLoRA.

  API & Compatibility Updates

  • Chat mode introduced breaking changes in the API (see migration guide).

  Bug Fixes for Model Output

  • Fixed Phi series garbage output issues with long prompts.
  • Resolved gibberish issues with top_k on CPU.

  Execution & Core Optimizations

  Core Refinements

  • Reduced default logger usage for improved efficiency(#23030).
  • Fixed a visibility issue in theadpool (#23098).

  Execution Provider (EP) Updates

  General

  • Removed TVM EP from the source tree(#22827).
  • Marked NNAPI EP for deprecation (following Google's deprecation of NNAPI).
  • Fixed a DLL delay loading issue that impacts WebGPU EP and DirectML EP's usability on Windows (#23111, #23227)

  TensorRT EP Improvements

  • Added support for TensorRT 10.8.
    • onnx-tensorrt open-source parser user: please check here for requirement.
  • Assigned DDS ops (NMS, RoiAlign, NonZero) to TensorRT by default.
  • Introduced option trt_op_types_to_exclude to exclude specific ops from TensorRT assignment.

  CUDA EP Improvements

  • Added a python API preload_dlls to coexist with PyTorch.
  • Miscellaneous enhancements for Flux model inference.

  QNN EP Improvements

  • Introduced QNN shared memory support.
  • Improved performance for AI Hub models.
  • Added support for QAIRT/QNN SDK 2.31.
  • Added Python 3.13 package.
  • Miscellaneous bug fixes and enhancements.
  • QNN EP is now built as a shared library/DLL by default. To retain previous build behavior, use build option --use_qnn static_lib.

  DirectML EP Support & Upgrades

  • Updated DirectML version from 1.15.2 to 1.15.4(#22635).

  OpenVINO EP Improvements

  • Introduced OpenVINO EP Weights Sharing feature.
  • Added support for various contrib Ops in OVEP:
    • SkipLayerNormalization, MatMulNBits, FusedGemm, FusedConv, EmbedLayerNormalization, BiasGelu, Attention, DynamicQuantizeMatMul, FusedMatMul, QuickGelu, SkipSimplifiedLayerNormalization
  • Miscellaneous bug fixes and improvements.

  VitisAI EP Improvements

  • Miscellaneous bug fixes and improvements.

  Mobile Platform Enhancements

  CoreML Updates

  • Added support for caching generated CoreML models.

  Extensions & Tokenizer Improvements

  Expanded Tokenizer Support

  • Now supports more tokenizer models, including ChatGLM, Baichuan2, Phi-4, etc.
  • Added full Phi-4 pre/post-processing support for text, vision, and audio.
  • Introduced RegEx pattern loading from tokenizer.json.

  Image Codec Enhancements

  • ImageCodec now links to native APIs if available; otherwise, falls back to built-in libraries.

  Unified Tokenizer API

  • Introduced a new tokenizer op schema to unify the tokenizer codebase.
  • Added support for loading tokenizer data from a memory blob in the C API.

  Infrastructure & Build Improvements

  Runtime Requirements

  All the prebuilt Windows packages now require VC++ Runtime version >= 14.40(instead of 14.38). If your VC++ runtime version is lower than that, you may see a crash when ONNX Runtime was initializing. See https://github.com/microsoft/STL/wiki/Changelog#vs-2022-1710 for more details.

  Updated minimum iOS and Android SDK requirements to align with React Native 0.76:

  • iOS >= 15.1
  • Android API >= 24 (Android 7)

  All macOS packages now require macOS version >= 13.3.

  CMake File Changes

  CMake Version: Increased the minimum required CMake version from 3.26 to 3.28. Added support for CMake 4.0.
  Python Version: Increased the minimum required Python version from 3.8 to 3.10 for building ONNX Runtime from source.
  Improved VCPKG support

  Added the following cmake options for WebGPU EP

  • onnxruntime_USE_EXTERNAL_DAWN
  • onnxruntime_CUSTOM_DAWN_SRC_PATH
  • onnxruntime_BUILD_DAWN_MONOLITHIC_LIBRARY
  • onnxruntime_ENABLE_PIX_FOR_WEBGPU_EP
  • onnxruntime_ENABLE_DAWN_BACKEND_VULKAN
  • onnxruntime_ENABLE_DAWN_BACKEND_D3D12

  Added cmake option onnxruntime_BUILD_QNN_EP_STATIC_LIB for building with QNN EP as a static library.
  Removed cmake option onnxruntime_USE_PREINSTALLED_EIGEN.

  Fixed a build issue with Visual Studio 2022 17.3 (#23911)

  Modernized Build Tools

  • Now using VCPKG for most package builds.
  • Upgraded Gradle from 7.x to 8.x.
  • Updated JDK from 11 to 17.
  • Enabled onnxruntime_USE_CUDA_NHWC_OPS by default for CUDA builds.
  • Added support for WASM64 (build from source; no package published).

  Dependency Cleanup

  • Removed Google’s nsync from dependencies.

  Others

  Updated Node.js installation script to support network proxy usage (#23231)

  Web

  • No updates of note.

  Contributors

  Contributors to ONNX Runtime include members across teams at Microsoft, along with our community members:

  Changming Sun, Yulong Wang, Tianlei Wu, Jian Chen, Wanming Lin, Adrian Lizarraga, Hector Li, Jiajia Qin, Yifan Li, Edward Chen, Prathik Rao, Jing Fang, shiyi, Vincent Wang, Yi Zhang, Dmitri Smirnov, Satya Kumar Jandhyala, Caroline Zhu, Chi Lo, Justin Chu, Scott McKay, Enrico Galli, Kyle, Ted Themistokleous, dtang317, wejoncy, Bin Miao, Jambay Kinley, Sushanth Rajasankar, Yueqing Zhang, amancini-N, ivberg, kunal-vaishnavi, liqun Fu, Corentin Maravat, Peishen Yan, Preetha Veeramalai, Ranjit Ranjan, Xavier Dupré, amarin16, jzm-intel, kailums, xhcao, A-Satti, Aleksei Nikiforov, Ankit Maheshkar, Javier Martinez, Jianhui Dai, Jie Chen, Jon Campbell, Karim Vadsariya, Michael Tyler, PARK DongHa, Patrice Vignola, Pranav Sharma, Sam Webster, Sophie Schoenmeyer, Ti-Tai Wang, Xu Xing, Yi-Hong Lyu, genmingz@AMD, junchao-zhao, sheetalarkadam, sushraja-msft, Akshay Sonawane, Alexis Tsogias, Ashrit Shetty, Bilyana Indzheva, Chen Feiyue, Christian Larson, David Fan, David Hotham, Dmitry Deshevoy, Frank Dong, Gavin Kinsey, George Wu, Grégoire, Guenther Schmuelling, Indy Zhu, Jean-Michaël Celerier, Jeff Daily, Joshua Lochner, Kee, Malik Shahzad Muzaffar, Matthieu Darbois, Michael Cho, Michael Sharp, Misha Chornyi, Po-Wei (Vincent), Sevag H, Takeshi Watanabe, Wu, Junze, Xiang Zhang, Xiaoyu, Xinpeng Dou, Xinya Zhang, Yang Gu, Yateng Hong, mindest, mingyue, raoanag, saurabh, shaoboyan091, sstamenk, tianf-fff, wonchung-microsoft, xieofxie, zz002

• 1.21.0-dev.20250306-e0b66cad28 - 2025-03-06
• 1.21.0-dev.20250228-beb1a9242e - 2025-03-03
• 1.21.0-dev.20241112-cdc8db9984 - 2024-11-18
• 1.20.1 - 2024-11-22
  

  What's new?

  Python Quantization Tool

  • Prevent int32 quantized bias from clipping by adjusting the weight's scale (#22020) - @ adrianlizarraga
  • Update QDQ Pad, Slice, Softmax (#22676) - @ adrianlizarraga
  • Introduce get_qdq_config() helper to get QDQ configurations (#22677) - @ adrianlizarraga
  • Add reduce_range option to get_qdq_config() (#22782) - @ adrianlizarraga
  • Flaky test due to Pad reflect bug (#22798) - @ adrianlizarraga

  CPU EP

  • Refactor SkipLayerNorm implementation to address issues (#22719, #22862) - @ amarin16, @ liqunfu

  QNN EP

  • Add QNN SDK v2.28.2 support (#22724, #22844) - @ HectorSVC, @ adrianlizarraga

  TensorRT EP

  • Exclude DDS ops from running on TRT (#22875) - @ chilo-ms

  Packaging

  • Rework the native library usage so that a pre-built ORT native package can be easily used (#22345) - @ skottmckay
  • Fix Maven Sha256 Checksum Issue (#22600) - @ idiskyle

  Contributions

  Big thank you to the release manager View all

  ---

  Summary by cubic

  Upgraded onnxruntime-node from 1.14.0 to 1.23.2 to resolve Snyk-reported vulnerabilities and pick up performance and stability improvements in ONNX Runtime. Dependency-only change (core/package.json and package-lock.json); no app code changes.

  ^{Written for commit 76844a0. Summary will update on new commits.}

[github-actions]

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

• feat: add changelog generation support
• fix: resolve login redirect issue
• docs: update README with new instructions
• chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

• 📝 Automatic changelog generation
• 🚀 Automated semantic versioning
• 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

[github-actions]

✅ Review Complete

Code Review Summary

⚠️ Continue API authentication failed. Please check your CONTINUE_API_KEY.

---

[cubic-dev-ai]

No issues found across 1 file

[RomneyDa]

this moves the onnxruntime node binary and messes stuff up. I believe this only effects deprecated features at this point.