Bump Microsoft.ML.OnnxRuntime from 1.26.0 to 1.27.0 #803

Merged: shanselman merged 1 commit into main from dependabot/nuget/src/OpenClaw.Shared/Microsoft.ML.OnnxRuntime-1.27.0 on Jun 22, 2026

dependabot Bot commented on behalf of github on Jun 22, 2026

Updated Microsoft.ML.OnnxRuntime from 1.26.0 to 1.27.0.

Release notes

Sourced from Microsoft.ML.OnnxRuntime's releases.

1.27.0

n.b. This release is targeting ONNX 1.21. ONNX 1.22 will be supported in ORT 1.28.
n.b. This changelog was generated via LLM. Only the contributor list has been verified. As always, only trust the commit history.

Announcements & Breaking Changes

  • CUDA 12 package files are now explicitly named as such.
  • CUDA 12 packages are deprecated, please move to CUDA 13 ASAP.

Security Fixes

  • Fixed out-of-bounds read in SoftmaxCrossEntropyLoss via label bounds validation (#28004)
  • Hardened OneHot input validation and output-size computation (#28014)
  • Added SafeInt overflow protection in Expand and capped constant-folding output sizes (#28055)
  • Bounded total output allocation size in Tile kernel (#28070)
  • Added mask/input shape consistency checks in MaxpoolWithMask::Compute (#28223)
  • Fixed BitShift UB for shift amounts greater than or equal to bit width (#28272)
  • Validated sequence bounds in GQA (seqlens_k vs cos_cache) (#28277)
  • Validated conv bias shape in WordConvEmbedding to prevent OOB reads (#28279)
  • Fixed int32 overflow in CUDA Cast and UnaryElementWise kernels for very large tensors (#28386)
  • Fixed out-of-bounds read in CropBase scale handling (#28399)
  • Fixed rank-underflow bug in Inverse kernel trailing-dimension indexing (#28400)
  • Added sparse tensor external file path validation and additional external-path hardening (#28408, #28709, #28725)
  • Switched remaining torch.load() calls to weights_only=True (#28421)
  • Added CPU cache-indirection beam-index validation (#28486)
  • Added additional overflow/bounds checks and test coverage in runtime buffers (#28713, #28747)

New Features

Execution Provider Plugin API

  • Added zero-copy I/O for plugin EPs with HOST_ACCESSIBLE memory (#28037)
  • Added OrtEp::OnSessionInitializationEnd() callback (#28319)
  • Added plugin EP session-options getters (#28377)
  • Added CUDA Plugin EP provider options for streams and external allocators (#28603)

Core APIs & Runtime

  • Added support for ONNX overloaded functions (IR v10+) (#28275)
  • Added FLOAT8E8M0 datatype support in ONNX Runtime (#28381)
  • Added CPU Cast support for FLOAT8E8M0 (#28435)
  • Added kOrtEpDevice_EpMetadataKey_OSDriverVersion example and docs (#28282)

Quantization & Training Tooling

  • Added calibration cache support to quantize_static (#28221)
  • Added ActivationRestrictedAsymmetric quantization option (#28237)
    ... (truncated)

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---
updated-dependencies:
- dependency-name: Microsoft.ML.OnnxRuntime
  dependency-version: 1.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the labels .NET (Pull requests that update .NET code) and dependencies (Pull requests that update a dependency file) on Jun 22, 2026

clawsweeper Bot commented on Jun 22, 2026

Codex review: needs maintainer review before merge. Reviewed June 22, 2026, 3:33 AM ET / 07:33 UTC.

Summary
This PR updates the direct Microsoft.ML.OnnxRuntime PackageReference in src/OpenClaw.Shared/OpenClaw.Shared.csproj from 1.26.0 to 1.27.0.

Reproducibility: not applicable; this is a dependency maintenance PR rather than a bug report. Source inspection and the PR diff give a high-confidence version-delta check.

Review metrics: 2 noteworthy metrics.

  • Diff size: 1 file changed, +1/-1. The branch is tightly scoped to one direct NuGet package version change.
  • Build and Test workflow: 7 succeeded, 2 skipped. The repo-required CI surface reported success for tests and Windows builds, with release-only jobs skipped.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • For extra runtime confidence before release, run a Windows VAD/native-load smoke if maintainers require proof beyond CI.

Risk before merge

  • [P1] This updates a direct production native runtime used by VAD; CI passed, but this review did not run a local Windows VAD/native-load smoke.

Maintainer options:

  1. Merge On Green Dependency Validation (recommended)
    Accept the native runtime bump once the existing Build and Test checks remain green and maintainers are comfortable with CI as the validation signal.
  2. Request A Runtime Smoke
    If maintainers want stronger proof, run a Windows VAD model-load or speech pipeline smoke before merging the package update.

Next step before merge

  • No ClawSweeper repair is needed; the remaining action is maintainer dependency-review judgment on whether CI is enough for this native runtime bump.

Security
Cleared: The diff only bumps an existing direct NuGet dependency to an upstream stable release and does not change package sources, scripts, workflows, lockfiles, permissions, or secrets handling.

Review details

Best possible solution:

Land the dependency bump after the required Build and Test checks remain green, with an optional Windows VAD native-load smoke if maintainers want runtime confidence beyond CI.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR rather than a bug report. Source inspection and the PR diff give a high-confidence version-delta check.

Is this the best way to solve the issue?

Yes; the narrow package reference bump is the maintainable surface for this dependency update. The remaining question is validation depth for a native runtime dependency, not code structure.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 6283fb174ead.

Label changes

Label changes:

  • add P2: This is a normal-priority production dependency update with upstream security fixes and limited code diff blast radius.
  • add merge-risk: 🚨 availability: Microsoft.ML.OnnxRuntime supplies native runtime behavior for VAD, so a bad package/native-load regression could affect voice availability even when the diff is small.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior proof gate does not apply; CI/build evidence is the relevant signal.

Label justifications:

  • P2: This is a normal-priority production dependency update with upstream security fixes and limited code diff blast radius.
  • merge-risk: 🚨 availability: Microsoft.ML.OnnxRuntime supplies native runtime behavior for VAD, so a bad package/native-load regression could affect voice availability even when the diff is small.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior proof gate does not apply; CI/build evidence is the relevant signal.

Evidence reviewed

What I checked:

  • Current main still uses 1.26.0: At current main SHA 6283fb1, OpenClaw.Shared.csproj still references Microsoft.ML.OnnxRuntime version 1.26.0, so the requested bump is not implemented on main. (src/OpenClaw.Shared/OpenClaw.Shared.csproj:23, 6283fb174ead)
  • PR diff is a one-line package bump: The PR patch changes only the Microsoft.ML.OnnxRuntime PackageReference from 1.26.0 to 1.27.0 in one project file. (src/OpenClaw.Shared/OpenClaw.Shared.csproj:23, 3f199f62ee0d)
  • Runtime dependency is actively used: VoiceActivityDetector imports Microsoft.ML.OnnxRuntime and constructs an InferenceSession, so this is a production runtime dependency rather than an unused package. (src/OpenClaw.Shared/Audio/VoiceActivityDetector.cs:2, 6283fb174ead)
  • GitHub status checks are green: GitHub reports the PR as mergeable, with Build and Test jobs including repo-hygiene, tests, e2e tests, and win-x64/win-arm64 builds completed successfully. (3f199f62ee0d)
  • Upstream release exists: The upstream microsoft/onnxruntime v1.27.0 release is published, non-draft, and non-prerelease as of 2026-06-19T21:11:07Z.
  • Feature history points to the audio/STT work: git log -S'Microsoft.ML.OnnxRuntime' shows the OnnxRuntime reference came from the audio/STT feature history and was later bumped by a prior Dependabot PR. (src/OpenClaw.Shared/OpenClaw.Shared.csproj:23, b0ba9affa25d)

Likely related people:

  • RBrid: Authored the merged audio/STT feature PR that added VoiceActivityDetector and the initial OnnxRuntime dependency in OpenClaw.Shared. (role: feature owner; confidence: high; commits: b0ba9affa25d; files: src/OpenClaw.Shared/Audio/VoiceActivityDetector.cs, src/OpenClaw.Shared/OpenClaw.Shared.csproj)
  • shanselman: Merged the audio/STT feature work and appears in recent blame/history around the shared project dependency block. (role: recent area contributor and merger; confidence: medium; commits: b637369fbc56; files: src/OpenClaw.Shared/OpenClaw.Shared.csproj, src/OpenClaw.Shared/Audio/VoiceActivityDetector.cs)
  • steipete: Merged the previous Dependabot bump of Microsoft.ML.OnnxRuntime from 1.25.1 to 1.26.0, which is directly adjacent dependency-maintenance history. (role: prior dependency bump merger; confidence: medium; commits: 3034ed21f2b2; files: src/OpenClaw.Shared/OpenClaw.Shared.csproj)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper Bot added labels on Jun 22, 2026:

  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
  • P2 (Normal priority bug or improvement with limited blast radius.)
  • merge-risk: 🚨 availability (🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages.)

shanselman merged commit a346b94 into main on Jun 22, 2026. 16 checks passed.

shanselman deleted the dependabot/nuget/src/OpenClaw.Shared/Microsoft.ML.OnnxRuntime-1.27.0 branch on June 22, 2026 20:35.