LCORE-2012: Bump-up Torch to 2.10.0 #1982
Walkthrough
This change updates the pinned
Changes
Development dependency update
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 1
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: b10dcb3a-740f-4269-91c9-d3ea2f44f37e
⛔ Files ignored due to path filters (1)
uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
pyproject.toml
📜 Review details
⏰ Context from checks skipped due to timeout. (19)
- GitHub Check: radon
- GitHub Check: integration_tests (3.12)
- GitHub Check: build-pr
- GitHub Check: integration_tests (3.13)
- GitHub Check: Pylinter
- GitHub Check: spectral
- GitHub Check: Pyright
- GitHub Check: mypy
- GitHub Check: unit_tests (3.13)
- GitHub Check: unit_tests (3.12)
- GitHub Check: E2E: library mode / ci / group 2
- GitHub Check: E2E: server mode / ci / group 3
- GitHub Check: E2E: library mode / ci / group 1
- GitHub Check: E2E: server mode / ci / group 2
- GitHub Check: E2E: server mode / ci / group 1
- GitHub Check: E2E: library mode / ci / group 3
- GitHub Check: E2E Tests for Lightspeed Evaluation job
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
| "mcp>=1.23.0", | ||
| # API post_training: inline::huggingface | ||
| "torch==2.9.1", | ||
| "torch==2.10.0", |
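Review bot: The `"torch==2.10.0",` line changes an exact `==` pin with only `# API post_training: inline::huggingface` above it, so nothing in the file records why this version is required or that older versions must not come back. Add a one-line comment next to the pin stating the reason for the bump, and check in the same PR that every other file pinning torch for this build moves to 2.10.0 as well, since an exact pin here does not bind a resolver that is given its own override.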
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== torch pins =="
rg -n --no-heading 'torch==[0-9]+\.[0-9]+\.[0-9]+' pyproject.toml .konflux/requirements.overrides.txt
echo
echo "== konflux compile command (should show override file usage) =="
sed -n '23,35p' scripts/konflux_requirements.sh
echo
echo "== downstream consumer using llslibdev =="
sed -n '21,27p' deploy/llama-stack/test.containerfile
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 1168
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Search for lockfiles (uv.lock, requirements.lock, etc.) =="
fd -t f '\.lock$|uv\.lock|requirements\.lock' .
echo
echo "== Check if uv.lock exists and contains torch pins =="
if [ -f "uv.lock" ]; then
  rg -A 2 'name = "torch"' uv.lock | head -20
fi
echo
echo "== Search for all torch references in the repo =="
rg -n 'torch==' --type toml --type txt --type py --type sh | grep -v node_modules | head -20
echo
echo "== Verify override file content around torch pin =="
if [ -f ".konflux/requirements.overrides.txt" ]; then
  cat -n .konflux/requirements.overrides.txt | grep -A 2 -B 2 'torch'
fi
echo
echo "== Check if there are other requirement files that might affect this =="
fd -t f 'requirements.*\.txt|pyproject\.toml|setup\.py' . | head -20
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 2066
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Full content of .konflux/requirements.overrides.txt =="
cat -n .konflux/requirements.overrides.txt
echo
echo "== Grep torch pins specifically in the repo files =="
rg 'torch' pyproject.toml .konflux/requirements.overrides.txt uv.lock 2>/dev/null | head -30
echo
echo "== Check if uv.lock was recently generated (check git status) =="
git log --oneline -n 5 -- uv.lock 2>/dev/null || echo "Cannot access git history"
echo
echo "== Check for any requirements files in deploy/llama-stack =="
find deploy/llama-stack -type f -name '*.txt' -o -name '*.lock' -o -name 'pyproject.toml' | xargs ls -la 2>/dev/null
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 8807
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Check how RAW_REQ_FILE from konflux_requirements.sh is used =="
rg -n 'RAW_REQ_FILE' scripts/konflux_requirements.sh
echo
echo "== Search for references to konflux_requirements.sh in the pipeline =="
find .tekton .konflux -type f -name '*.yaml' -o -name '*.yml' 2>/dev/null | xargs grep -l 'konflux_requirements.sh' 2>/dev/null || echo "No references found"
echo
echo "== Check if there are multiple lock files or if uv.lock is the single source =="
find . -name '*lock*' -o -name '*requirements*.txt' | grep -v '.git' | head -20
echo
echo "== Verify when uv.lock was last modified =="
git log --oneline -n 10 -- uv.lock 2>/dev/null || echo "Cannot access git log"
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 959
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Check Konflux-specific requirement files for torch pins =="
rg 'torch' .konflux/ || echo "No torch references in .konflux artifacts"
echo
echo "== Read the Konflux requirements files to understand the build flow =="
for file in .konflux/requirements-build.txt .konflux/requirements.hermetic.txt .konflux/requirements.hashes.wheel.txt; do
  if [ -f "$file" ]; then
    echo "=== $file ==="
    head -20 "$file"
  fi
done
echo
echo "== Check if Tekton/Konflux tasks reference torch or requirements compilation =="
find .tekton .konflux -type f \( -name '*.yaml' -o -name '*.yml' \) 2>/dev/null | xargs grep -i 'torch\|konflux_requirements\|uv pip compile' 2>/dev/null | head -20
echo
echo "== Check git status of torch in this PR (show full context) =="
git diff HEAD~1 HEAD -- pyproject.toml .konflux/requirements.overrides.txt 2>/dev/null | head -50
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 6405
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Check when .konflux/requirements.hashes.wheel.txt was last updated =="
git log --oneline -n 5 -- .konflux/requirements.hashes.wheel.txt 2>/dev/null || echo "No git history"
echo
echo "== Show the torch entry in .konflux/requirements.hashes.wheel.txt with context =="
grep -A 1 '^torch==' .konflux/requirements.hashes.wheel.txt
echo
echo "== Verify what test.containerfile actually does with the lockfile =="
cat -n deploy/llama-stack/test.containerfile
echo
echo "== Check if there are any instructions in the repo about syncing Konflux artifacts =="
grep -r 'requirements.hashes\|konflux.*requirements\|override.*torch' . --include='*.md' --include='*.sh' --include='Makefile' 2>/dev/null | head -10
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 3407
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefkail
echo "== Get the full git log for this PR commit =="
git log -1 --stat e6081255 2>/dev/null | head -30
echo
echo "== Check if .konflux/ files were modified in this commit =="
git diff e6081255~1 e6081255 -- .konflux/ 2>/dev/null | head -100
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 220
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Get the full git log for this PR commit =="
git log -1 --stat e6081255 2>/dev/null | head -30
echo
echo "== Check if .konflux/ files were modified in this commit =="
git diff e6081255~1 e6081255 -- .konflux/ 2>/dev/null | head -100
echo
echo "== Check if pyproject.toml was the ONLY file changed =="
git show e6081255 --name-only 2>/dev/null
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 1871
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== List all files changed in commit e6081255 =="
git show --name-only --pretty=format: e6081255 2>/dev/null | grep -E '(pyproject|konflux|uv\.lock)' | sort
echo
echo "== Count total files changed =="
git show --name-only --pretty=format: e6081255 2>/dev/null | grep -v '^$' | wc -l
echo
echo "== Check if the conflict entry in uv.lock references this =="
rg -B 5 'conflict.*llslibdev' uv.lock
```
Repository: lightspeed-core/lightspeed-stack
Length of output: 1236
Update .konflux/requirements.overrides.txt to torch==2.10.0 to match the pyproject.toml bump.
The pyproject.toml now pins torch==2.10.0, but .konflux/requirements.overrides.txt still pins torch==2.9.1. During Konflux builds, scripts/konflux_requirements.sh applies --override .konflux/requirements.overrides.txt, which will resolve torch 2.9.1 instead of 2.10.0 for the llslibdev group. This leaves the CVE fix unapplied in the Konflux build path while local builds (via uv.lock with torch 2.10.0) receive it.
Regenerate the Konflux artifacts (.konflux/requirements.hashes.*.txt) by running make konflux-requirements to sync the override file.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@pyproject.toml` at line 189, The Konflux build path is still overriding torch
to the older 2.9.1 pin, so update the torch entry in
.konflux/requirements.overrides.txt to 2.10.0 to match the pyproject.toml bump.
Then regenerate the Konflux lock artifacts by running make konflux-requirements
so the .konflux/requirements.hashes.*.txt files stay in sync with the override
used by scripts/konflux_requirements.sh.
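A pin-drift check for the mismatch this review comment reports, as an added example (not code from the PR, the repository or CodeRabbit): it compares exact `==` pins across dependency files so that a bump in `pyproject.toml` which leaves an override file behind is caught before the build. The file contents are constructed samples, and the override file is assumed to hold requirements-style `name==version` lines; the function names are hypothetical.

```python
import re
import sys

# Optional quote, package name, optional extras, then an exact `==` pin.
_PIN = re.compile(
    r"""^["']?(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<ver>[^\s"',;#\\]+)"""
)

def normalize(name):
    """PEP 503 name normalisation, so Torch and torch compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def exact_pins(text):
    """Map normalised package name -> set of versions pinned with `==`."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no pins
        m = _PIN.match(line)
        if m:
            pins.setdefault(normalize(m["name"]), set()).add(m["ver"])
    return pins

def pin_drift(sources):
    """sources maps a label to file text; return packages whose pins disagree."""
    per_source = {label: exact_pins(text) for label, text in sources.items()}
    drift = {}
    for name in sorted(set().union(*per_source.values())):
        seen = {lbl: p[name] for lbl, p in per_source.items() if name in p}
        if len(seen) > 1 and len(set().union(*seen.values())) > 1:
            drift[name] = {lbl: sorted(v) for lbl, v in seen.items()}
    return drift

# Constructed sample contents: the pyproject lines mirror the diff on this page,
# the override line mirrors the stale pin the review comment reports.
PYPROJECT = '''
    "mcp>=1.23.0",
    # API post_training: inline::huggingface
    "torch==2.10.0",
'''
OVERRIDES = "# constructed override file\ntorch==2.9.1\n"

if __name__ == "__main__":
    found = pin_drift({"pyproject.toml": PYPROJECT,
                       ".konflux/requirements.overrides.txt": OVERRIDES})
    for pkg, where in found.items():
        print(f"pin drift for {pkg}: {where}")
    sys.exit(1 if found else 0)
```

Packages pinned in only one file are not reported; the check flags only disagreeing exact pins, which is the case where an override silently wins over the declared version.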
Description
LCORE-2012: Bump-up Torch to 2.10.0
Type of change
Tools used to create PR
Related Tickets & Documents
Summary by CodeRabbit
2.10.0 in the development dependency set.