Skip to content

Commit 5085f14

Browse files
authored
chore: update versions to address CVEs (#2201)
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
1 parent 293bcf7 commit 5085f14

2 files changed

Lines changed: 904 additions & 551 deletions

File tree

pyproject.toml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ dependencies = [
4141
"matplotlib",
4242
"plotly",
4343
"sympy>=1.14.0",
44-
"pillow>=11.3.0",
44+
"pillow>=12.1.1",
4545
"torchvision==0.25.0",
4646
"transformers==5.3.0",
4747
"num2words>=0.5.14", # for SmolVLM
@@ -148,7 +148,7 @@ dev = [
148148
"pyrefly==0.24.2",
149149
]
150150
test = [
151-
"pytest>=7.0.0",
151+
"pytest>=8.4.2",
152152
"pytest-timeout",
153153
"pytest-cov",
154154
"pytest-asyncio",
@@ -263,6 +263,8 @@ override-dependencies = [
263263
# vLLM 0.17.0 code is compatible with transformers v5 but the PyPI metadata still declares <5.
264264
# Override until vllm officially relaxes the constraint (https://github.com/vllm-project/vllm/issues/30466).
265265
"transformers==5.3.0",
266+
#Override till we can upgrade sglang version to address CVE GHSA-7rgv-gqhr-fxg3
267+
"xgrammar==0.1.33",
266268
]
267269
# CVE fixes
268270
constraint-dependencies = [
@@ -274,6 +276,10 @@ constraint-dependencies = [
274276
"wheel>=0.46.2", # Address CVE GHSA-8rrh-rw8j-w5fx
275277
"protobuf>=6.33.5", # Address CVE GHSA-7gcm-g887-7qv7
276278
"python-multipart>=0.0.22", # Address CVE GHSA-wp53-j4wj-2cfg
279+
"pygments>=2.20.0", # Address CVE GHSA-5239-wwwm-4pmq
280+
"cbor2>=5.9.0", # Address CVE GHSA-3c37-wwvx-h642
281+
"onnx>=1.21.0rc4", # Address CVE GHSA-hqmj-h5c6-369m
282+
"cryptography>=46.0.6", # Address CVE GHSA-6w46-j5rx-g56g
277283
]
278284

279285
conflicts = [

0 commit comments

Comments
 (0)