
Python: Bump onnxruntime from 1.22.1 to 1.24.3 in /python#13868

Open
dependabot[bot] wants to merge 3 commits into main from dependabot/pip/python/onnxruntime-1.24.3

Conversation

@dependabot dependabot[bot] (Contributor) commented on behalf of github, Apr 13, 2026

Bumps onnxruntime from 1.22.1 to 1.24.3.

Release notes

Sourced from onnxruntime's releases.

ONNX Runtime v1.24.3

This is a patch release for ONNX Runtime 1.24, containing bug fixes, security improvements, performance enhancements, and execution provider updates.

Security Fixes

  • Core: Fixed GatherCopyData integer truncation leading to heap out-of-bounds read/write. (#27444)
  • Core: Fixed RoiAlign heap out-of-bounds read via unchecked batch_indices. (#27543)
  • Core: Prevent heap OOB from maliciously crafted Lora Adapters. (#27518)
  • Core: Fixed out-of-bounds access for Resize operation. (#27419)

Bug Fixes

  • Core: Fixed GatherND division by zero when batch dimensions mismatch. (#27090)
  • Core: Fixed validation for external data paths for models loaded from bytes. (#27430)
  • Core: Fixed SkipLayerNorm fusion incorrectly applied when gamma/beta are not 1D. (#27459)
  • Core: Fixed double-free in TRT EP custom op domain Release functions. (#27471)
  • Core: Fixed QMoE CPU Operator. (#27360)
  • Core: Fixed MatmulNBits prepacking scales. (#27412)
  • Python: Fixed refcount bug in map input conversion that caused shutdown segfault. (#27413)
  • NuGet: Fixed DllImportResolver. (#27397)
  • NuGet: Added OrtEnv.DisableDllImportResolver to prevent fatal error on resolver conflict. (#27535)

Performance Improvements

  • Core: QMoE CPU performance update (up to 4x on 4-bit). (#27364)
  • Core: Fixed O(n²) model load time for TreeEnsemble with categorical feature chains. (#27391)

Execution Provider Updates

  • NvTensorRtRtx EP:
    • Avoid repetitive creation of fp4/fp8 native-custom-op domains. (#27192)
    • Added missing override specifiers to suppress warnings. (#27288)
    • DQ→MatMulNBits fusion transformer. (#27466)
  • WebGPU:
    • Used embedded WASM module in Blob URL workers when wasmBinary is provided. (#27318)
    • Fixed usage of wasmBinary together with a blob URL for .mjs. (#27411)
    • Removed the unhelpful "Unknown CPU vendor" warning. (#27399)
    • Allows new memory info name for WebGPU. (#27475)
  • MLAS:
    • Added DynamicQGemm function pointers and ukernel interface. (#27403)
    • Fixed error where bytes is not assigned for dynamic qgemm pack b size. (#27421)
  • VitisAI EP: Removed s_kernel_registry_vitisaiep.reset() in deinitialize_vitisai_ep(). (#27295)
  • Plugin EPs: Added "library_path" metadata entry to OrtEpDevice instances for plugin and provider bridge EPs. (#27522)

Build and Infrastructure

  • Pipelines:
    • Build Windows ARM64X binaries as part of packaging pipeline. (#27316)
    • Moved JAR testing pipelines to canonical pipeline template. (#27480)
  • Python: Enabled Python 3.14 CI and upgraded dependencies. (#27401)
  • Build: Suppressed spurious Array Out of Bounds warnings produced by GCC 14.2 compiler on Linux builds. (#27454)
  • Build: Fixed -Warray-bounds build error in MLAS on clang 17+. (#27499)
  • Telemetry: Added/Updated telemetry events. (#27356)
  • Config: Increased kMaxValueLength to 8192. (#27521)

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [onnxruntime](https://github.com/microsoft/onnxruntime) from 1.22.1 to 1.24.3.
- [Release notes](https://github.com/microsoft/onnxruntime/releases)
- [Changelog](https://github.com/microsoft/onnxruntime/blob/main/docs/ReleaseManagement.md)
- [Commits](microsoft/onnxruntime@v1.22.1...v1.24.3)

---
updated-dependencies:
- dependency-name: onnxruntime
  dependency-version: 1.24.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. Used by Dependabot. python Pull requests for the Python Semantic Kernel labels Apr 13, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 13, 2026 22:43
@dependabot dependabot Bot added the python Pull requests for the Python Semantic Kernel label Apr 13, 2026
@github-actions github-actions Bot changed the title Bump onnxruntime from 1.22.1 to 1.24.3 in /python Python: Bump onnxruntime from 1.22.1 to 1.24.3 in /python Apr 13, 2026
@github-actions github-actions Bot (Contributor) left a comment

Automated Code Review

Reviewers: 4 | Confidence: 90% | Result: All clear

Reviewed: Correctness, Security Reliability, Test Coverage, Design Approach


Automated review by dependabot[bot]'s agents

@moonbox3 (Collaborator) commented

@copilot figure out why CI/CD checks are failing and fix them.

….lock

onnxruntime>=1.24.0 dropped Python 3.10 support. Add python_version
markers to pin onnxruntime==1.22.1 for Python 3.10 and use
onnxruntime==1.24.3 for Python>=3.11. Regenerate uv.lock accordingly.

Agent-Logs-Url: https://github.com/microsoft/semantic-kernel/sessions/f10aeb5e-52c8-4d04-913f-f2e282cd36af

Co-authored-by: moonbox3 <35585003+moonbox3@users.noreply.github.com>
Copilot AI (Contributor) commented Apr 21, 2026

@copilot figure out why CI/CD checks are failing and fix them.

The CI failures were caused by onnxruntime 1.24.3 dropping Python 3.10 support (it only ships wheels for cp311, cp312, cp313, cp314), but the project still requires Python >=3.10.

Fixed in commit 712798f by:

  1. Adding Python version markers in pyproject.toml: onnxruntime==1.22.1 for Python 3.10 and onnxruntime==1.24.3 for Python ≥3.11
  2. Regenerating uv.lock to include both versions with the correct resolution markers

… 3.10

Leave latest onnxruntime available for Python >3.10 instead of exact pin,
while keeping the 1.22.1 pin for Python 3.10 which dropped support
in onnxruntime>=1.24.0. Regenerate uv.lock accordingly.

Agent-Logs-Url: https://github.com/microsoft/semantic-kernel/sessions/f10aeb5e-52c8-4d04-913f-f2e282cd36af

Co-authored-by: moonbox3 <35585003+moonbox3@users.noreply.github.com>
Copilot AI requested a review from moonbox3 April 21, 2026 05:05
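The marker-based split described in the Copilot comment and the two commit messages above, as an added example (not code from the semantic-kernel repository or from this PR): a small checker that evaluates `python_version` markers the way a resolver does and confirms that, for every interpreter the project supports, exactly one onnxruntime requirement applies, with no gap and no overlap. The requirement strings and the supported-version list are constructed from the PR discussion (the real pyproject.toml lines are not shown on the page), and the marker evaluator is a deliberately minimal stand-in for a full PEP 508 implementation that only understands `python_version` comparisons joined by `and`. One caveat the check makes visible: on Python 3.10 this split keeps onnxruntime at 1.22.1, which predates the security fixes listed in the 1.24.3 release notes above, so 3.10 environments do not receive them.

```python
"""Check that python_version markers on a split dependency cover every
supported interpreter exactly once.

Added example, not code from the semantic-kernel repository or this PR.
Assumes the requirement strings below match what the commit messages
describe; the exact pyproject.toml lines are not shown on the page.
"""
import re
from typing import Dict, List, Tuple

# Constructed PEP 508 requirement strings, as they would appear in a
# pyproject.toml dependency list (assumption: the real file may differ).
REQUIREMENTS = [
    "onnxruntime==1.22.1; python_version < '3.11'",
    "onnxruntime>=1.24.3; python_version >= '3.11'",
]

# Interpreters the project supports: requires-python >=3.10 per the PR
# discussion, and cp314 is the newest wheel tag mentioned for 1.24.3.
SUPPORTED_PYTHONS = ["3.10", "3.11", "3.12", "3.13", "3.14"]

# One marker clause: python_version <op> '<X.Y>'
_CLAUSE = re.compile(r"python_version\s*(<=|>=|==|!=|<|>)\s*['\"]([0-9.]+)['\"]")

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def _vtuple(version: str) -> Tuple[int, ...]:
    """Compare versions numerically, not lexically: '3.10' sorts after '3.9'."""
    return tuple(int(part) for part in version.split("."))


def marker_applies(marker: str, python_version: str) -> bool:
    """Evaluate a marker made of python_version comparisons joined by 'and'."""
    if not marker.strip():
        return True  # no marker means the requirement is unconditional
    pv = _vtuple(python_version)
    for clause in marker.split(" and "):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported marker clause: {clause!r}")
        op, rhs = m.group(1), _vtuple(m.group(2))
        if not _OPS[op](pv, rhs):
            return False
    return True


def split_requirement(req: str) -> Tuple[str, str, str]:
    """Split 'name<specifier>; marker' into (name, specifier, marker)."""
    body, _, marker = req.partition(";")
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", body)
    return m.group(1), m.group(2).strip(), marker.strip()


def select_specifier(requirements: List[str], name: str, python_version: str) -> str:
    """Return the single specifier for `name` that applies on `python_version`.

    Zero matches is a gap (no version installed); two or more is an overlap
    that a resolver would have to reconcile. Both are reported as errors.
    """
    hits = [spec for n, spec, marker in map(split_requirement, requirements)
            if n == name and marker_applies(marker, python_version)]
    if len(hits) != 1:
        raise ValueError(
            f"{name}: {len(hits)} requirements match Python {python_version}: {hits}")
    return hits[0]


def check_coverage(requirements: List[str], name: str, versions: List[str]) -> Dict[str, str]:
    """Map every supported interpreter to exactly one specifier, or raise."""
    return {v: select_specifier(requirements, name, v) for v in versions}


if __name__ == "__main__":
    for ver, spec in check_coverage(REQUIREMENTS, "onnxruntime", SUPPORTED_PYTHONS).items():
        print(f"Python {ver}: onnxruntime{spec}")
```

Run it directly to print the resolved specifier per interpreter. It raises `ValueError` for any version that matches zero or more than one requirement, which is exactly what an off-by-one in the markers (`<` where `<=` was meant, or `>` against `>=`) would produce. Versions are compared as integer tuples on purpose: a string comparison would put `'3.10'` before `'3.9'` and silently route 3.10 to the wrong branch.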