[None][feat] Upgrade xgrammar and lock pillow

[yuanjingx87]

Signed-off-by: qgai

Summary by CodeRabbit

• Chores
  • Upgraded xgrammar dependency to version 0.1.32
  • Enhanced build system to support dependency patches

Description

Test Coverage

PR Checklist

Please review the following before submitting your PR:

• PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.

• PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.

• Test cases are provided for new code paths (see test instructions)

• Any new dependencies have been scanned for license and vulnerabilities

• CODEOWNERS updated if ownership changes

• Documentation updated as needed

• Update tava architecture diagram if there is a significant design change in PR.

• The reviewers assigned automatically/manually are appropriate for the PR.

• Please check this after reviewing the above items as appropriate for this PR.

GitHub Bot Help

To see a list of available CI bot commands, please comment /bot help.

[yuanjingx87]

/bot run

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR upgrades the xgrammar dependency from v0.1.25 to v0.1.32, adds support for applying patch files during CMake dependency fetching, introduces a patch that converts internal flag declarations to constexpr, and updates version references across build configuration, dependency metadata, and documentation files.

Changes

Cohort / File(s)	Summary
CMake Build System 3rdparty/CMakeLists.txt	Added parsing of optional patch_file field from fetch_content.json and conditional PATCH_COMMAND generation in FetchContent_Declare() calls, enabling patch application during dependency fetching.
xgrammar Dependency Configuration 3rdparty/fetch_content.json, 3rdparty/patches/xgrammar_constexpr.patch	Upgraded xgrammar from v0.1.25 to v0.1.32 and introduced patch file that converts static const flag declarations to static constexpr in cpp/grammar_functor.cc.
Python Dependency Pins requirements.txt, security_scanning/pyproject.toml	Updated xgrammar version constraint from 0.1.25 to 0.1.32 across Python dependency specifications.
Documentation & Metadata ATTRIBUTIONS-Python.md, scripts/attribution/data/dependency_metadata.yml, scripts/attribution/data/files_to_dependency.yml	Synchronized xgrammar version references from 0.1.25 to 0.1.32 across attribution documentation and version metadata mappings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions upgrading xgrammar and locking pillow, but the changeset only shows xgrammar upgrades; pillow changes are not visible in the diff.	Verify if pillow locking changes exist in the PR. If not present, revise title to '[None][feat] Upgrade xgrammar to 0.1.32' to accurately reflect the actual changes.
Description check	⚠️ Warning	The PR description is empty except for a template with unchecked sections and a sign-off line; no actual description, rationale, or test coverage information is provided.	Fill in the Description section explaining why xgrammar was upgraded and what the patch_file change accomplishes, and detail any relevant test coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ATTRIBUTIONS-Python.md`:
- Line 63474: Update the release notes sentence that currently reads "The
dependent xgrammar version is updated to 0.1.25" to reference xgrammar version
0.1.32 instead; locate the string in docs/source/release-notes.md (the line
containing that exact sentence) and change the version number to 0.1.32 so it
matches ATTRIBUTIONS-Python.md and other project references.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 003b5d71-d64e-43ba-8a25-9f99f4397c86

📥 Commits

Reviewing files that changed from the base of the PR and between 3fd5faf and 4f7a192.

⛔ Files ignored due to path filters (1)

• security_scanning/poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

• 3rdparty/CMakeLists.txt
• 3rdparty/fetch_content.json
• 3rdparty/patches/xgrammar_constexpr.patch
• ATTRIBUTIONS-Python.md
• requirements.txt
• scripts/attribution/data/dependency_metadata.yml
• scripts/attribution/data/files_to_dependency.yml
• security_scanning/pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the latest version of xgrammar on PyPI and what are the changes between version 0.1.25 and 0.1.32?

💡 Result:

Latest version of xgrammar on PyPI

As of Mar 27, 2026, the latest PyPI release is xgrammar 0.1.33. (pypi.org)

Changes from 0.1.25 → 0.1.32 (release-by-release)

v0.1.26

• Added batched methods for token-mask generation (batched fill-next-token mask; batched accept string/token)
• Refactors and fixes (pipeline refactor, repetition refactor, AddRule / URIToRule fixes), plus tokenizer support for openGPT-x (github.com)

v0.1.27

• Fixed JsonSchemaConverter handling for numbers like -0...
• Added/adjusted web build tests (github.com)

v0.1.28

• Fixed web emscripten bindings; several build/CI tweaks (e.g., riscv64 LTO disable, remove ninja dependency)
• Efficiency fixes (repetition structure), added BF16/FP16 CPU bitmask support, TagDispatch/SubGrammarAdder optimization fixes, docs/site improvements (github.com)

v0.1.29

• Added TraverseDraftTree for speculative-decoding bitmask generation
• AMD GPU triton kernel fix; tokenizer detection fix for Kimi-K2-Instruct; web package update for structural tag support (github.com)

v0.1.30

• Structural-tag/tag features (e.g., allow empty separator for tags_with_separator, multiple end tokens)
• any_text / TagDispatch: excluded strings support and termination behavior when excludes are specified
• Added crossing-grammar cache (first introduction here)
• Build/CI expansions (more wheels via cibuildwheel; Python 3.14/3.14t; nanobind free-threading opt-in); various bugfixes (UTF-8 char classes, DynamicBitset UB, etc.) (github.com)

v0.1.31

• Fixed apply_token_bitmask “auto”
• Reverted the earlier crossing-grammar cache change from v0.1.30 (github.com)

v0.1.32

• Added third-party Rust support integration
• Re-introduced/added crossing-grammar cache support (new implementation)
• Refactors for extensibility (structural_tag and json_schema_converter)
• Structural-tag/XML-related additions and fixes (MinimaxXmlFormat, DeepSeekXmlFormat, builtin structural tag formats for several models, quote-stripping behavior, empty-string support, deepseek_xml fixes)
• Parser/FSM refactors (kRepeat handling moved to FSM via kRepeatRef edges; removed AST fallback paths from Earley parser)
• Added optional timeout for _traverse_draft_tree (github.com)

Citations:

• 1: https://pypi.org/project/xgrammar/
• 2: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.26
• 3: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.27
• 4: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.28
• 5: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.29
• 6: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.30
• 7: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.31
• 8: https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32

---

🏁 Script executed:

#!/bin/bash
# Description: Verify all xgrammar version references are consistently updated to 0.1.32

echo "=== Searching for xgrammar version references ==="
rg -n "xgrammar.*0\.1\.(25|32)" --type-add 'config:*.{json,toml,txt,yml,yaml,md}' --type config

echo -e "\n=== Checking requirements files ==="
fd -e txt -e toml --exec rg -n "xgrammar" {}

echo -e "\n=== Checking for any remaining 0.1.25 references ==="
rg -n "0\.1\.25"

Repository: NVIDIA/TensorRT-LLM

Length of output: 6160

---

Update docs/source/release-notes.md line 86 to reflect xgrammar version 0.1.32.

The version reference in the release notes still mentions 0.1.25 ("The dependent xgrammar version is updated to 0.1.25") while all other references in the codebase have been correctly updated to 0.1.32.

All other xgrammar version references across the codebase (requirements.txt, pyproject.toml, dependency metadata, attribution files, and ATTRIBUTIONS-Python.md) are consistently updated to 0.1.32. The changelog for 0.1.32 includes significant feature additions (Rust support integration, structural-tag/XML enhancements, FSM refactors) and does not report breaking changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ATTRIBUTIONS-Python.md` at line 63474, Update the release notes sentence that
currently reads "The dependent xgrammar version is updated to 0.1.25" to
reference xgrammar version 0.1.32 instead; locate the string in
docs/source/release-notes.md (the line containing that exact sentence) and
change the version number to 0.1.32 so it matches ATTRIBUTIONS-Python.md and
other project references.

[tensorrt-cicd]

PR_Github #42180 [ run ] triggered by Bot. Commit: 4f7a192 Link to invocation

[yuanjingx87]

/bot run --disable-fail-fast

[tensorrt-cicd]

PR_Github #42192 [ run ] triggered by Bot. Commit: 7d64ffb Link to invocation

[tensorrt-cicd]

PR_Github #42192 [ run ] completed with state FAILURE. Commit: 7d64ffb
/LLM/release-1.3.0rc5.post2/L0_MergeRequest_PR pipeline #5 completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

Link to invocation

[yuanjingx87]

/bot run --disable-fail-fast

[tensorrt-cicd]

PR_Github #42194 [ run ] triggered by Bot. Commit: 89a6154 Link to invocation

[schetlur-nv]

@thorjohnsen I thought we wanted to pin this to 0.6.4 because of some additional issues?

[yuanjingx87]

security_scanning is auto-generated and be cherry-picked, it is only for nspect scanning, this should not affect trtllm itself

[yuanjingx87]

The actual version to be locked is defined here https://github.com/yuanjingx87/TensorRT-LLM/blob/89a6154838305eee8a074761d5341b10208511df/requirements.txt#L57

[yuanjingx87]

/bot run --disable-fail-fast

[tensorrt-cicd]

PR_Github #42255 [ run ] triggered by Bot. Commit: c15eac0 Link to invocation

[tensorrt-cicd]

PR_Github #42194 [ run ] completed with state ABORTED. Commit: 89a6154
LLM/release-1.3.0rc5.post2/L0_MergeRequest_PR #6 (Blue Ocean) completed with status: ABORTED

Link to invocation

[yuanjingx87]

/bot run --disable-fail-fast

[tensorrt-cicd]

PR_Github #42262 [ run ] triggered by Bot. Commit: b465baa Link to invocation

[tensorrt-cicd]

PR_Github #42262 [ run ] completed with state SUCCESS. Commit: b465baa
/LLM/release-1.3.0rc5.post2/L0_MergeRequest_PR pipeline #9 completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

Link to invocation