build(deps): bump the pip group across 1 directory with 2 updates

[dependabot]

Updates the requirements on torch and gunicorn to permit the latest version.
Updates torch to 2.6.0

Release notes

Sourced from torch's releases.

PyTorch 2.6.0 Release

• Highlights
• Tracked Regressions
• Backwards Incompatible Change
• Deprecations
• New Features
• Improvements
• Bug fixes
• Performance
• Documentation
• Developers

Highlights

We are excited to announce the release of PyTorch® 2.6 (release notes)! This release features multiple improvements for PT2: torch.compile can now be used with Python 3.13; new performance-related knob torch.compiler.set_stance; several AOTInductor enhancements. Besides the PT2 improvements, another highlight is FP16 support on X86 CPUs.

NOTE: Starting with this release we are not going to publish on Conda, please see [Announcement] Deprecating PyTorch’s official Anaconda channel for the details.

For this release the experimental Linux binaries shipped with CUDA 12.6.3 (as well as Linux Aarch64, Linux ROCm 6.2.4, and Linux XPU binaries) are built with CXX11_ABI=1 and are using the Manylinux 2.28 build platform. If you build PyTorch extensions with custom C++ or CUDA extensions, please update these builds to use CXX_ABI=1 as well and report any issues you are seeing. For the next PyTorch 2.7 release we plan to switch all Linux builds to Manylinux 2.28 and CXX11_ABI=1, please see [RFC] PyTorch next wheel build platform: manylinux-2.28 for the details and discussion.

Also in this release as an important security improvement measure we have changed the default value for weights_only parameter of torch.load. This is a backward compatibility-breaking change, please see this forum post for more details.

This release is composed of 3892 commits from 520 contributors since PyTorch 2.5. We want to sincerely thank our dedicated community for your contributions. As always, we encourage you to try these out and report any issues as we improve PyTorch. More information about how to get started with the PyTorch 2-series can be found at our Getting Started page.

... (truncated)

Changelog

Sourced from torch's changelog.

Releasing PyTorch

• Release Compatibility Matrix
• Release Cadence
• General Overview
  • Frequently Asked Questions
• Cutting a release branch preparations
• Cutting release branches
  • pytorch/pytorch
  • PyTorch ecosystem libraries
  • Making release branch specific changes for PyTorch
  • Making release branch specific changes for ecosystem libraries
• Running Launch Execution team Core XFN sync
• Drafting RCs (https://github.com/pytorch/pytorch/blob/main/Release Candidates) for PyTorch and domain libraries
  • Release Candidate Storage
  • Release Candidate health validation
  • Cherry Picking Fixes
    • How to do Cherry Picking
  • Cherry Picking Reverts
• Preparing and Creating Final Release Candidate
• Promoting RCs to Stable
• Additional Steps to prepare for release day
  • Modify release matrix
  • Open Google Colab issue
• Patch Releases
  • Patch Release Criteria
  • Patch Release Process
    • Patch Release Process Description
    • Triage
    • Issue Tracker for Patch releases
    • Building a release schedule / cherry picking
    • Building Binaries / Promotion to Stable
• Hardware / Software Support in Binary Build Matrix
  • Python
  • Accelerator Software
    • Special support cases
  • Operating Systems
• Submitting Tutorials
• Special Topics
  • Updating submodules for a release
  • Triton dependency for the release

Release Compatibility Matrix

Following is the Release Compatibility Matrix for PyTorch releases:

... (truncated)

Commits

• 1eba9b3 change the test wheel to release wheel when release wheel available (#145884)
• 2236df1 [CUDA] Change slim-wheel libraries load order (#145662)
• 3207040 [CD] Fix slim-wheel cuda_nvrtc import problem (#145614)
• ca3c3a6 [Release-Only] Remove ptx from Linux CUDA 12.6 binary builds (#145616)
• 7be6b5d Fix IdentationError of code example (#145525)
• dcb8ad0 update get start xpu (#145286)
• 8d4b8a9 Prevent legacy_load when weights_only=True (correctly) (#145111)
• 9c34a20 Revert "Prevent _legacy_load with weights_only=True (#144993)"
• cd15d7b Prevent _legacy_load with weights_only=True (#144993)
• a2639bc [Release/2.6] Enable python-3.13t aarch64 builds (#144878)
• Additional commits viewable in compare view

Updates gunicorn to 23.0.0

Release notes

Sourced from gunicorn's releases.

23.0.0

Gunicorn 23.0.0 has been released. This version improve HTTP 1.1. support and which improve safety

You're invited to upgrade asap your own installation.

23.0.0 - 2024-08-10

• minor docs fixes (:pr:3217, :pr:3089, :pr:3167)
• worker_class parameter accepts a class (:pr:3079)
• fix deadlock if request terminated during chunked parsing (:pr:2688)
• permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:3261)
• permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:3261)
• sdist generation now explicitly excludes sphinx build folder (:pr:3257)
• decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (:pr:2336)
• raise correct Exception when encounting invalid chunked requests (:pr:3258)
• the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:3192)
• include IPv6 loopback address [::1] in default for :ref:forwarded-allow-ips and :ref:proxy-allow-ips (:pr:3192)

** NOTE **

• The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
• Review your :ref:forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
• Review your :ref:forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

• refuse requests where the uri field is empty (:pr:3255)
• refuse requests with invalid CR/LR/NUL in heade field values (:pr:3253)
• remove temporary --tolerate-dangerous-framing switch from 22.0 (:pr:3260)
• If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

Fix CVE-2024-1135

Commits

• 411986d fix doc
• 334392e Merge pull request #2559 from laggardkernel/bugfix/reexec-env
• e75c353 Merge pull request #3189 from pajod/patch-py36
• 9357b28 keep document user in access_log_format setting
• 79fdef0 bump to 23.0.0
• 3acd9fb Merge pull request #2620 from talkerbox/improve-access-log-format-docs
• 3f56d76 Merge pull request #3192 from pajod/patch-allowed-script-name
• 256d474 docs: revert duped directive
• ffa48b5 test: default change was intentional
• 52538ca docs: recommend SCRIPT_NAME=/subfolder
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[f2c-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[f2c-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment