Skip to content

Commit d9506f7

Browse files
kajalj22claude
andauthored
fix(security): bump mlflow and urllib3 for CVE remediation (#2560)
Signed-off-by: Kajal Jain <kajalj@nvidia.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 166ca33 commit d9506f7

2 files changed

Lines changed: 6 additions & 6 deletions

File tree

pyproject.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ dependencies = [
5151
"torchvision==0.26.0",
5252
"transformers==5.3.0",
5353
"num2words>=0.5.14", # for SmolVLM
54-
"mlflow>=3.11.1",
54+
"mlflow>=3.12.0",
5555
"nvidia-nvshmem-cu13; sys_platform == 'linux' and (platform_machine == 'x86_64' or platform_machine == 'aarch64')", # for deep_ep build
5656
"swanlab",
5757
"pyzmq",
@@ -327,7 +327,7 @@ override-dependencies = [
327327
# Override sglang's xgrammar==0.1.32 to address CVE GHSA-7rgv-gqhr-fxg3
328328
"xgrammar==0.1.33",
329329
# Override dependencies to address CVEs
330-
"mlflow>=3.11.1",
330+
"mlflow>=3.12.0",
331331
# Override outlines for Python 3.13 support
332332
"outlines>=0.2.0",
333333
# Upgrade pytest to 9.0.3
@@ -343,7 +343,7 @@ override-dependencies = [
343343
constraint-dependencies = [
344344
"brotli>=1.2.0", # Address CVE GHSA-2qfp-q593-8484
345345
"starlette>=0.49.1", # Address CVE GHSA-7f5h-v6xp-fcq8
346-
"urllib3>=2.6.3", # Address CVE GHSA-38jv-5279-wg99
346+
"urllib3>=2.7.0", # Address CVE GHSA-38jv-5279-wg99
347347
"aiohttp>=3.13.3", # Address CVE GHSA-mqqc-3gqh-h2x8
348348
"pyasn1>=0.6.3", # Address CVE GHSA-jr27-m4p2-rc6r
349349
"wheel>=0.46.2", # Address CVE GHSA-8rrh-rw8j-w5fx

uv.lock

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)