Skip to content

Update dependency keras to v3 [SECURITY] #628

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency keras to v3 [SECURITY] #628

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 13, 2025
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Change Age Confidence
keras ==2.8.0 -> ==3.11.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-3660

A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application.

CVE-2025-9906

Arbitrary Code Execution in Keras

Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safe_mode=True.

The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke keras.config.enable_unsafe_deserialization(), effectively disabling safe mode from within the loading process itself. An attacker can place this call first in the archive and then include a Lambda layer whose function is deserialized from a pickle, leading to the execution of attacker-controlled Python code as soon as a victim loads the model file.

Exploitation requires a user to open an untrusted model; no additional privileges are needed. The fix in version 3.11.0 enforces safe-mode semantics before reading any user-controlled configuration and prevents the toggling of unsafe deserialization via the config file.

Affected versions: < 3.11.0
Patched version: 3.11.0

It is recommended to upgrade to version 3.11.0 or later and to avoid opening untrusted model files.

Release Notes

keras-team/keras (keras)

v3.11.0: Keras 3.11.0

Compare Source

What's Changed

  • Add int4 quantization support.
  • Support Grain data loaders in fit()/evaluate()/predict().
  • Add keras.ops.kaiser function.
  • Add keras.ops.hanning function.
  • Add keras.ops.cbrt function.
  • Add keras.ops.deg2rad function.
  • Add keras.ops.layer_normalization function to leverage backend-specific performance optimizations.
  • Various bug fixes and performance optimizations.

Backend-specific changes

JAX backend
  • Support NNX library. It is now possible to use Keras layers and models as NNX modules.
  • Support shape -1 for slice op.
TensorFlow backend
  • Add support for multiple dynamic dimensions in Flatten layer.
OpenVINO backend
  • Add support for over 30 new backend ops.

New Contributors

Full Changelog: keras-team/keras@v3.10.0...v3.11.0

v3.10.0: Keras 3.10.0

Compare Source

New features

  • Add support for weight sharding for saving very large models with model.save(). It is controlled via the max_shard_size argument. Specifying this argument will split your Keras model weight file into chunks of this size at most. Use load_model() to reload the sharded files.
  • Add optimizer keras.optimizers.Muon
  • Add image preprocessing layer keras.layers.RandomElasticTransform
  • Add loss function keras.losses.CategoricalGeneralizedCrossEntropy (with functional version keras.losses.categorical_generalized_cross_entropy)
  • Add axis argument to SparseCategoricalCrossentropy
  • Add lora_alpha to all LoRA-enabled layers. If set, this parameter scales the low-rank adaptation delta during the forward pass.
  • Add activation function keras.activations.sparse_sigmoid
  • Add op keras.ops.image.elastic_transform
  • Add op keras.ops.angle
  • Add op keras.ops.bartlett
  • Add op keras.ops.blackman
  • Add op keras.ops.hamming
  • Add ops keras.ops.view_as_complex, keras.ops.view_as_real
PyTorch backend
  • Add cuDNN support for LSTM with the PyTorch backend
TensorFlow backend
  • Add tf.RaggedTensor support to Embedding layer
  • Add variable-level support for synchronization argument
OpenVINO backend
  • Add support for over 50 additional Keras ops in the OpenVINO inference backend!

New Contributors

Full Changelog: keras-team/keras@v3.9.0...v3.10.0

v3.9.2: Keras 3.9.2

Compare Source

What's Changed

  • Fix Remat error when called with a model.

Full Changelog: keras-team/keras@v3.9.1...v3.9.2

v3.9.1: Keras 3.9.1

Compare Source

What's Changed
  • Fix flash attention TPU error
  • Fix incorrect argument in JAX flash attention.

Full Changelog: keras-team/keras@v3.9.0...v3.9.1

v3.9.0: Keras 3.9.0

Compare Source

New features

  • Add new Keras rematerialization API: keras.RematScope and keras.remat. It can be used to turn on rematerizaliation for certain layers in fine-grained manner, e.g. only for layers larger than a certain size, or for a specific set of layers, or only for activations.
  • Increase op coverage for OpenVINO backend.
  • New operations:
    • keras.ops.rot90
    • keras.ops.rearrange (Einops-style)
    • keras.ops.signbit
    • keras.ops.polar
    • keras.ops.image.perspective_transform
    • keras.ops.image.gaussian_blur
  • New layers:
    • keras.layers.RMSNormalization
    • keras.layers.AugMix
    • keras.layers.CutMix
    • keras.layers.RandomInvert
    • keras.layers.RandomErasing
    • keras.layers.RandomGaussianBlur
    • keras.layers.RandomPerspective
  • Minor additions:
    • Add support for dtype argument to JaxLayer and FlaxLayer layers
    • Add boolean input support to BinaryAccuracy metric
    • Add antialias argument to keras.layers.Resizing layer.
  • Security fix: disallow object pickling in saved npz model files (numpy format). Thanks to Peng Zhou for reporting the vulnerability.

New Contributors

Full Changelog: keras-team/keras@v3.8.0...v3.9.0

v3.8.0: Keras 3.8.0

Compare Source

New: OpenVINO backend

OpenVINO is now available as an infererence-only Keras backend. You can start using it by setting the backend field to "openvino" in your keras.json config file.

OpenVINO is a deep learning inference-only framework tailored for CPU (x86, ARM), certain GPUs (OpenCL capable, integrated and discrete) and certain AI accelerators (Intel NPU).

Because OpenVINO does not support gradients, you cannot use it for training (e.g. model.fit()) -- only inference. You can train your models with the JAX/TensorFlow/PyTorch backends, and when trained, reload them with the OpenVINO backend for inference on a target device supported by OpenVINO.

New: ONNX model export

You can now export your Keras models to the ONNX format from the JAX, TensorFlow, and PyTorch backends.

Just pass format="onnx" in your model.export() call:

### Export the model as a ONNX artifact
model.export("path/to/location", format="onnx")

### Load the artifact in a different process/environment
ort_session = onnxruntime.InferenceSession("path/to/location")

### Run inference
ort_inputs = {
    k.name: v for k, v in zip(ort_session.get_inputs(), input_data)
}
predictions = ort_session.run(None, ort_inputs)

New: Scikit-Learn API compatibility interface

It's now possible to easily integrate Keras models into Sciki-Learn pipelines! The following wrapper classes are available:

  • keras.wrappers.SKLearnClassifier: implements the sklearn Classifier API
  • keras.wrappers.SKLearnRegressor: implements the sklearn Regressor API
  • keras.wrappers.SKLearnTransformer: implements the sklearn Transformer API

Other feature additions

  • Add new ops:
    • Add keras.ops.diagflat
    • Add keras.ops.unravel_index
  • Add new activations:
    • Add sparse_plus activation
    • Add sparsemax activation
  • Add new image augmentation and preprocessing layers:
    • Add keras.layers.RandAugment
    • Add keras.layers.Equalization
    • Add keras.layers.MixUp
    • Add keras.layers.RandomHue
    • Add keras.layers.RandomGrayscale
    • Add keras.layers.RandomSaturation
    • Add keras.layers.RandomColorJitter
    • Add keras.layers.RandomColorDegeneration
    • Add keras.layers.RandomSharpness
    • Add keras.layers.RandomShear
  • Add argument axis to tversky loss

JAX specific changes

  • Add support for JAX named scope

TensorFlow specific changes

  • Make keras.random.shuffle XLA compilable

PyTorch specific changes

  • Add support for model.export() and keras.export.ExportArchive with the PyTorch backend, supporting both the TF SavedModel format and the ONNX format.

New Contributors

Full Changelog: keras-team/keras@v3.7.0...v3.8.0

v3.7.0: Keras 3.7.0

Compare Source

API changes

  • Add flash_attention argument to keras.ops.dot_product_attention and to keras.layers.MultiHeadAttention.
  • Add keras.layers.STFTSpectrogram layer (to extract STFT spectrograms from inputs as a preprocessing step) as well as its initializer keras.initializers.STFTInitializer.
  • Add celu, glu, log_sigmoid, hard_tanh, hard_shrink, squareplus activations.
  • Add keras.losses.Circle loss.
  • Add image visualization utilities keras.visualization.draw_bounding_boxes, keras.visualization.draw_segmentation_masks, keras.visualization.plot_image_gallery, keras.visualization.plot_segmentation_mask_gallery.
  • Add double_checkpoint argument to BackupAndRestore to save a fallback checkpoint in case the first checkpoint gets corrupted.
  • Add bounding box preprocessing support to image augmentation layers CenterCrop, RandomFlip, RandomZoom, RandomTranslation, RandomCrop.
  • Add keras.ops.exp2, keras.ops.inner operations.

Performance improvements

  • JAX backend: add native Flash Attention support for GPU (via cuDNN) and TPU (via a Pallas kernel). Flash Attention is now used automatically when the hardware supports it.
  • PyTorch backend: add native Flash Attention support for GPU (via cuDNN). It is currently opt-in.
  • TensorFlow backend: enable more kernel fusion via bias_add.
  • PyTorch backend: add support for Intel XPU devices.

New Contributors

Full Changelog: keras-team/keras@v3.6.0...v3.7.0

v3.6.0: Keras 3.6.0

Compare Source

Highlights

  • New file editor utility: keras.saving.KerasFileEditor. Use it to inspect, diff, modify and resave Keras weights files. See basic workflow here.
  • New keras.utils.Config class for managing experiment config parameters.

BREAKING changes

  • When using keras.utils.get_file, with extract=True or untar=True, the return value will be the path of the extracted directory, rather than the path of the archive.

Other changes and additions

  • Logging is now asynchronous in fit(), evaluate(), predict(). This enables 100% compact stacking of train_step calls on accelerators (e.g. when running small models on TPU).
    • If you are using custom callbacks that rely on on_batch_end, this will disable async logging. You can force it back by adding self.async_safe = True to your callbacks. Note that the TensorBoard callback isn't considered async safe by default. Default callbacks like the progress bar are async safe.
  • Added keras.saving.KerasFileEditor utility to inspect, diff, modify and resave Keras weights file.
  • Added keras.utils.Config class. It behaves like a dictionary, with a few nice features:
    • All entries are accessible and settable as attributes, in addition to dict-style (e.g. config.foo = 2 or config["foo"] are both valid)
    • You can easily serialize it to JSON via config.to_json().
    • You can easily freeze it, preventing future changes, via config.freeze().
  • Added bitwise numpy ops:
    • bitwise_and
    • bitwise_invert
    • bitwise_left_shift
    • bitwise_not
    • bitwise_or
    • bitwise_right_shift
    • bitwise_xor
  • Added math op keras.ops.logdet.
  • Added numpy op keras.ops.trunc.
  • Added keras.ops.dot_product_attention.
  • Added keras.ops.histogram.
  • Allow infinite PyDataset instances to use multithreading.
  • Added argument verbose in keras.saving.ExportArchive.write_out() method for exporting TF SavedModel.
  • Added epsilon argument in keras.ops.normalize.
  • Added Model.get_state_tree() method for retrieving a nested dict mapping variable paths to variable values (either as numpy arrays or backend tensors (default)). This is useful for rolling out custom JAX training loops.
  • Added image augmentation/preprocessing layers keras.layers.AutoContrast, keras.layers.Solarization.
  • Added keras.layers.Pipeline class, to apply a sequence of layers to an input. This class is useful to build a preprocessing pipeline. Compared to a Sequential model, Pipeline features a few important differences:
    • It's not a Model, just a plain layer.
    • When the layers in the pipeline are compatible with tf.data, the pipeline will also remain tf.data compatible, independently of the backend you use.

New Contributors

Full Changelog: keras-team/keras@v3.5.0...v3.6.0

v3.5.0: Keras 3.5.0

Compare Source

What's Changed

  • Add integration with the Hugging Face Hub. You can now save models to Hugging Face Hub directly from keras.Model.save() and load .keras models directly from Hugging Face Hub with keras.saving.load_model().
  • Ensure compatibility with NumPy 2.0.
  • Add keras.optimizers.Lamb optimizer.
  • Improve keras.distribution API support for very large models.
  • Add keras.ops.associative_scan op.
  • Add keras.ops.searchsorted op.
  • Add keras.utils.PyDataset.on_epoch_begin() method.
  • Add data_format argument to keras.layers.ZeroPadding1D layer.
  • Bug fixes and performance improvements.

Full Changelog: keras-team/keras@v3.4.1...v3.5.0

v3.4.1: Keras 3.4.1

Compare Source

This is a minor bugfix release.

v3.4.0: Keras 3.4.0

Compare Source

Highlights

  • Add support for arbitrary, deeply nested input/output structures in Functional models (e.g. dicts of dicts of lists of inputs or outputs...)
  • Add support for optional Functional inputs.
  • Introduce keras.dtype_policies.DTypePolicyMap for easy configuration of dtype policies of nested sublayers of a subclassed layer/model.
  • New ops:
    • keras.ops.argpartition
    • keras.ops.scan
    • keras.ops.lstsq
    • keras.ops.switch
    • keras.ops.dtype
    • keras.ops.map
    • keras.ops.image.rgb_to_hsv
    • keras.ops.image.hsv_to_rgb

What's changed

  • Add support for float8 inference for Dense and EinsumDense layers.
  • Add custom name argument in all Keras Applications models.
  • Add axis argument in keras.losses.Dice.
  • Enable keras.utils.FeatureSpace to be used in a tf.data pipeline even when the backend isn't TensorFlow.
  • StringLookup layer can now take tf.SparseTensor as input.
  • Metric.variables is now recursive.
  • Add training argument to Model.compute_loss().
  • Add dtype argument to all losses.
  • keras.utils.split_dataset now supports nested structures in dataset.
  • Bugs fixes and performance improvements.

Full Changelog: keras-team/keras@v3.3.3...v3.4.0

v3.3.3: Keras 3.3.3

Compare Source

This is a minor bugfix release.

v3.3.2: Keras 3.3.2

Compare Source

This is a simple fix release that re-surfaces legacy Keras 2 APIs that aren't part of Keras package proper, but that are still featured in tf.keras. No other content has changed.

v3.3.1: Keras 3.3.1

Compare Source

This is a simple fix release that moves the legacy _tf_keras API directory to the root of the Keras pip package. This is done in order to preserve import paths like from tensorflow.keras import layers without making any changes to the TensorFlow API files.

No other content has changed.

v3.3.0: Keras 3.3.0

Compare Source

What's Changed

  • Introduce float8 training.
  • Add LoRA to ConvND layers.
  • Add keras.ops.ctc_decode for JAX and TensorFlow.
  • Add keras.ops.vectorize, keras.ops.select.
  • Add keras.ops.image.rgb_to_grayscale.
  • Add keras.losses.Tversky loss.
  • Add full bincount and digitize sparse support.
  • Models and layers now return owned metrics recursively.
  • Add pickling support for Keras models. Note that pickling is not recommended, prefer using Keras saving APIs.
  • Bug fixes and performance improvements.

In addition, the codebase structure has evolved:

  • All source files are now in keras/src/.
  • All API files are now in keras/api/.
  • The codebase structure stays unchanged when building the Keras pip package. This means you can pip install Keras directly from the GitHub sources.

New Contributors

Full Changelog: keras-team/keras@v3.2.1...v3.3.0

v3.2.1: Keras 3.2.1

Compare Source

What's Changed

This is a minor bugfix release.

Full Changelog: keras-team/keras@v3.2.0...v3.2.1

v3.2.0: Keras 3.2.0

Compare Source

What changed

  • Introduce QLoRA-like technique for LoRA fine-tuning of Dense and EinsumDense layers (thereby any LLM) in int8 precision.
  • Extend keras.ops.custom_gradient support to PyTorch.
  • Add keras.layers.JaxLayer and keras.layers.FlaxLayer to wrap JAX/Flax modules as Keras layers.
  • Allow save_model & load_model to accept a file-like object.
  • Add quantization support to the Embedding layer.
  • Make it possible to update metrics inside a custom compute_loss method with all backends.
  • Make it possible to access self.losses inside a custom compute_loss method with the JAX backend.
  • Add keras.losses.Dice loss.
  • Add keras.ops.correlate.
  • Make it possible to use cuDNN LSTM & GRU with a mask with the TensorFlow backend.
  • Better JAX support in model.export(): add support for aliases, finer control over jax2tf options, and dynamic batch shapes.
  • Bug fixes and performance improvements.

New Contributors

Full Changelog: keras-team/keras@v3.1.1...v3.2.0

v3.1.1: Keras 3.1.1

Compare Source

This is a minor bugfix release over 3.1.0.

What's Changed

New Contributors

Full Changelog: keras-team/keras@v3.1.0...v3.1.1

v3.1.0: Keras 3.1.0

Compare Source

New features

  • Add support for int8 inference. Just call model.quantize("int8") to do an in-place conversion of a bfloat16 or float32 model to an int8 model. Note that only Dense and EinsumDense layers will be converted (this covers LLMs and all Transformers in general). We may add more supported layers over time.
  • Add keras.config.set_backend(backend) utility to reload a different backend.
  • Add keras.layers.MelSpectrogram layer for turning raw audio data into Mel spectrogram representation.
  • Add keras.ops.custom_gradient decorator (only for JAX and TensorFlow).
  • Add keras.ops.image.crop_images.
  • Add pad_to_aspect_ratio argument to image_dataset_from_directory.
  • Add keras.random.binomial and keras.random.beta functions.
  • Enable keras.ops.einsum to run with int8 x int8 inputs and int32 output.
  • Add verbose argument in all dataset-creation utilities.

Notable fixes

  • Fix Functional model slicing
  • Fix for TF XLA compilation error for SpectralNormalization
  • Refactor axis logic across all backends and add support for multiple axes in expand_dims and squeeze

New Contributors

Full Changelog: keras-team/keras@v3.0.5...v3.1.0

v3.0.5: Keras 3.0.5

Compare Source

This release brings many bug fixes and performance improvements, new linear algebra ops, and sparse tensor support for the JAX backend.

Highlights

  • Add support for sparse tensors with the JAX backend.
  • Add support for saving/loading in bfloat16.
  • Add linear algebra ops in keras.ops.linalg.
  • Support nested structures in while_loop op.
  • Add erfinv op.
  • Add normalize op.
  • Add support for IterableDataset to TorchDataLoaderAdapter.

New Contributors

Full Changelog: keras-team/keras@v3.0.4...v3.0.5

v3.0.4: Keras 3.0.4

Compare Source

This is a minor release with improvements to the LoRA API required by the next release of KerasNLP.

Full Changelog: keras-team/keras@v3.0.3...v3.0.4

v3.0.3: Keras 3.0.3 release

Compare Source

This is a minor Keras release.

What's Changed

  • Add built-in LoRA (low-rank adaptation) API to all relevant layers (Dense, EinsumDense, Embedding).
  • Add SwapEMAWeights callback to make it easier to evaluate model metrics using EMA weights during training.
  • All DataAdapters now create a native iterator for each backend, improving performance.
  • Add built-in prefetching for JAX, improving performance.
  • The bfloat16 dtype is now allowed in the global set_dtype configuration utility.
  • Bug fixes and performance improvements.

New Contributors

Full Changelog: keras-team/keras@v3.0.2...v3.0.3

v3.0.2: Keras 3.0.2

Compare Source

Breaking changes

There are no known breaking changes in this release compared to 3.0.1.

API changes

  • Add keras.random.binomial and keras.random.beta RNG functions.
  • Add masking support to BatchNormalization.
  • Add keras.losses.CTC (loss function for sequence-to-sequence tasks) as well as the lower-level operation keras.ops.ctc_loss.
  • Add ops.random.alpha_dropout and layers.AlphaDropout.
  • Add gradient accumulation support for all backends, and enable optimizer EMA for JAX and torch

Full Changelog: keras-team/keras@v3.0.1...v3.0.2

v3.0.1: Keras 3.0.1

Compare Source

This is a minor release focused on bug fixes and performance improvements.

What's Changed

  • Bug fixes and performance improvements.
  • Add stop_evaluating and stop_predicting model attributes for callbacks, similar to stop_training.
  • Add keras.device() scope for managing device placement in a multi-backend way.
  • Support dict items in PyDataset.
  • Add hard_swish activation and op.
  • Fix cuDNN LSTM performance on TensorFlow backend.
  • Add a force_download arg to get_file to force cache invalidation.

Full Changelog: keras-team/keras@v3.0.0...v3.0.1

v3.0.0: Keras 3.0.0

Compare Source

Major updates

See the release announcement for a detailed list of major changes. Main highlights compared to Keras 2 are:

  • Keras can now be run on top of JAX, PyTorch, TensorFlow, and even NumPy (note that the NumPy backend is inference-only).
  • New low-level keras.ops API for building cross-framework components.
  • New large-scale model distribution keras.distribution based on JAX.
  • New stateless API for layers, models, optimizers, and metrics.

Breaking changes

See this thread for a complete list of breaking changes, as well as the Keras 3 migration guide.

v2.15.0: Keras Release 2.15.0

Compare Source

What's Changed

  • Typofixes for StringLookup documentation by @​cw118 in #​18333
  • Fix ModelCheckpoint trained-on batch counting when using steps_per_execution>1 by @​jasnyj in #​17632
  • Fix legacy optimizer handling in compile_from_config(). by @​nkovela1 in #​18492
  • Remove options arg from ModelCheckpoint callback for Keras V3 saving, streamline ModelCheckpoint saving flow. Parameterize associated tests. by @​nkovela1 in #​18545
  • Use TENSORFLOW_VERSION when available during pip_build script by @​sampathweb in #​18739

New Contributors

Full Changelog: keras-team/keras@v2.14.0...v2.15.0

v2.14.0: Keras Release 2.14.0

Compare Source

What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-keras-vulnerability branch from a9fc985 to 0a25245 Compare September 19, 2025 21:14
@renovate renovate bot changed the title Update dependency keras to v2.13.1 [SECURITY] Update dependency keras to v3 [SECURITY] Sep 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant