
Bump keras from 2.0.8 to 3.13.2 #7

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/pip/keras-3.13.2

Conversation

dependabot[bot] commented on behalf of github on Mar 22, 2026

Bumps keras from 2.0.8 to 3.13.2.

Release notes

Sourced from keras's releases.

v3.13.2

Security Fixes & Hardening

This release introduces critical security hardening for model loading and saving, alongside improvements to the JAX backend metadata handling.

  • Disallow TFSMLayer deserialization in safe_mode (#22035)

    • Previously, TFSMLayer could load external TensorFlow SavedModels during deserialization without respecting Keras safe_mode. This could allow the execution of attacker-controlled graphs during model invocation.
    • TFSMLayer now enforces safe_mode by default. Deserialization via from_config() will raise a ValueError unless safe_mode=False is explicitly passed or keras.config.enable_unsafe_deserialization() is called.
  • Fix Denial of Service (DoS) in KerasFileEditor (#21880)

    • Introduces validation for HDF5 dataset metadata to prevent "shape bomb" attacks.
    • Hardens the .keras file editor against malicious metadata that could cause dimension overflows or unbounded memory allocation (unbounded numpy allocation of multi-gigabyte tensors).
  • Block External Links in HDF5 files (#22057)

    • Keras now explicitly disallows external links within HDF5 files during loading. This prevents potential security risks where a weight file could point to external system datasets.
    • Includes improved verification for H5 Groups and Datasets to ensure they are local and valid.

Backend-specific Improvements (JAX)

  • Set mutable=True by default in nnx_metadata (#22074)
    • Updated the JAX backend logic to ensure that variables are treated as mutable by default in nnx_metadata.
    • This makes Keras 3.13.2 compatible with Flax 0.12.3 when the Keras NNX integration is enabled.

Saving & Serialization

  • Improved H5IOStore Integrity (#22057)
    • Refactored H5IOStore and ShardedH5IOStore to remove unused, unverified methods.
    • Fixed key-ordering logic in sharded HDF5 stores to ensure consistent state loading across different environments.

Contributors

We would like to thank the following contributors for their security reports and code improvements: @0xManan, @HyperPS, @hertschuh, and @divyashreepathihalli.

Full Changelog: keras-team/keras@v3.13.1...v3.13.2

v3.13.1

Bug Fixes & Improvements

  • General
    • Removed a persistent warning triggered during import keras when using NumPy 2.0 or higher. (#21949)
  • Backends
    • JAX: Fixed an issue where CUDNN flash attention was broken when using JAX versions greater than 0.6.2. (#21970)
  • Export & Serialization
    • Resolved a regression in the export pipeline that incorrectly forced batch sizes to be dynamic. The export process now correctly respects static batch sizes when defined. (#21944)

Full Changelog: keras-team/keras@v3.13.0...v3.13.1

... (truncated)

Commits
  • e29d0ef Version bump and cherry picks for 3.13.2 (#22080)
  • 8914427 Patch release commits for 3.13.1 (#22005)
  • 986ff97 Update release version and comment orbax checkpoint (#21934)
  • ca23fce Refactors AbsMaxQuantizer to accept axis in call (#21931)
  • 1a9893f Adds Serialization Support for QuantizationConfig based quantized models (#21...
  • 86bfab4 More OpenVINO Numpy Operations (#21925)
  • f48f480 Add adaptive pooling (1D, 2D, 3D) support across JAX, NumPy, TensorFlow, and ...
  • 0771c80 Fix ops.tile shape inference issue on TensorFlow backend (#21860)
  • 024c96d Extended fix OOM Issue #21634 on Keras side (#21755)
  • 71f4997 Introduces QuantizationConfig for fine-grained quantization control (#21896)
  • Additional commits viewable in compare view
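
As an added illustration of the "shape bomb" hardening the v3.13.2 notes describe (validating HDF5 dataset metadata before any allocation), here is a stand-alone Python check. It is not Keras's own code; the element and byte budgets, the function names and the sample metadata are all assumed values constructed for the example.

```python
# Added illustration (not Keras's own code): validate HDF5-style dataset
# metadata before allocating, so hostile shapes never reach numpy.

from typing import Dict, List, Sequence, Tuple

# Assumed budgets for the illustration; a real loader would pick its own.
MAX_ELEMENTS = 2**31 - 1       # per-tensor element cap (also bounds 32-bit index math)
MAX_BYTES = 4 * 1024**3        # per-tensor allocation cap, 4 GiB


class UnsafeShapeError(ValueError):
    """Raised when declared metadata would lead to an unsafe allocation."""


def validate_shape(shape: Sequence[int], itemsize: int,
                   max_elements: int = MAX_ELEMENTS,
                   max_bytes: int = MAX_BYTES) -> int:
    """Return the byte size a dataset with this metadata would occupy.

    Every check runs on the *declared* numbers only, before any buffer is
    created, so attacker-controlled metadata cannot trigger the allocation
    it describes. Raises UnsafeShapeError on anything that fails.
    """
    if not isinstance(shape, (tuple, list)):
        raise UnsafeShapeError(f"shape must be a sequence, got {type(shape).__name__}")
    if isinstance(itemsize, bool) or not isinstance(itemsize, int) or itemsize <= 0:
        raise UnsafeShapeError(f"invalid itemsize {itemsize!r}")
    count = 1
    for dim in shape:
        # bool is a subclass of int; reject it along with floats, strings, None
        if isinstance(dim, bool) or not isinstance(dim, int):
            raise UnsafeShapeError(f"non-integer dimension {dim!r}")
        if dim < 0:
            raise UnsafeShapeError(f"negative dimension {dim}")
        count *= dim
        # Check after every multiplication: a product such as 2**32 * 2**32 wraps
        # to 0 in 64-bit C arithmetic and would look "free" if only the final
        # total were inspected. Python ints do not wrap, but failing early keeps
        # the same bound if the check is ported to a language whose ints do.
        if count > max_elements:
            raise UnsafeShapeError(f"element count exceeds {max_elements}")
    total = count * itemsize
    if total > max_bytes:
        raise UnsafeShapeError(f"{total} bytes exceeds budget of {max_bytes}")
    return total


def is_safe(shape: Sequence[int], itemsize: int) -> bool:
    """Boolean convenience wrapper around validate_shape."""
    try:
        validate_shape(shape, itemsize)
        return True
    except UnsafeShapeError:
        return False


def audit_datasets(metadata: Dict[str, Tuple[Sequence[int], int]]
                   ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Partition declared datasets into those safe to allocate and those to refuse.

    metadata maps dataset name -> (declared shape, dtype itemsize in bytes),
    the two values a loader reads from the file header before touching data.
    """
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name, (shape, itemsize) in metadata.items():
        try:
            validate_shape(shape, itemsize)
            accepted.append(name)
        except UnsafeShapeError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample metadata, as a loader would read it from the file header
# before allocating anything: two ordinary layers plus three hostile entries.
SAMPLE_METADATA = {
    "dense/kernel": ((784, 128), 4),          # float32 weight matrix
    "dense/bias": ((128,), 4),
    "evil/bomb": ((2**40, 2**40), 4),         # would request ~2^82 elements
    "evil/wraparound": ((2**32, 2**32), 1),   # product wraps to 0 in 64-bit C
    "evil/negative": ((-1, 10), 4),           # negative dim, invalid as a size
}

if __name__ == "__main__":
    ok, bad = audit_datasets(SAMPLE_METADATA)
    print("accepted:", ok)
    for name, reason in bad:
        print(f"rejected {name}: {reason}")
```

The point of the per-dimension check is that the decision is made on the header values alone: nothing in the file is read or allocated until the declared size has been bounded, which is what removes the denial-of-service vector the release notes describe.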

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on Mar 22, 2026

Bumps [keras](https://github.com/keras-team/keras) from 2.0.8 to 3.13.2.
- [Release notes](https://github.com/keras-team/keras/releases)
- [Commits](keras-team/keras@2.0.8...v3.13.2)

---
updated-dependencies:
- dependency-name: keras
  dependency-version: 3.13.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/pip/keras-3.13.2 branch from 6d40ca5 to abfd212 on April 16, 2026 20:15