Closed
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -186,7 +186,7 @@ llslibdev = [
# API tool_runtime: remote::model-context-protocol
"mcp>=1.23.0",
# API post_training: inline::huggingface
"torch==2.9.1",
"torch==2.10.0",


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== torch pins =="
rg -n --no-heading 'torch==[0-9]+\.[0-9]+\.[0-9]+' pyproject.toml .konflux/requirements.overrides.txt

echo
echo "== konflux compile command (should show override file usage) =="
sed -n '23,35p' scripts/konflux_requirements.sh

echo
echo "== downstream consumer using llslibdev =="
sed -n '21,27p' deploy/llama-stack/test.containerfile

Repository: lightspeed-core/lightspeed-stack

Length of output: 1168


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for lockfiles (uv.lock, requirements.lock, etc.) =="
fd -t f '\.lock$|uv\.lock|requirements\.lock' .

echo
echo "== Check if uv.lock exists and contains torch pins =="
if [ -f "uv.lock" ]; then
  rg -A 2 'name = "torch"' uv.lock | head -20
fi

echo
echo "== Search for all torch references in the repo =="
rg -n 'torch==' --type toml --type txt --type py --type sh | grep -v node_modules | head -20

echo
echo "== Verify override file content around torch pin =="
if [ -f ".konflux/requirements.overrides.txt" ]; then
  cat -n .konflux/requirements.overrides.txt | grep -A 2 -B 2 'torch'
fi

echo
echo "== Check if there are other requirement files that might affect this =="
fd -t f 'requirements.*\.txt|pyproject\.toml|setup\.py' . | head -20

Repository: lightspeed-core/lightspeed-stack

Length of output: 2066


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Full content of .konflux/requirements.overrides.txt =="
cat -n .konflux/requirements.overrides.txt

echo
echo "== Grep torch pins specifically in the repo files =="
rg 'torch' pyproject.toml .konflux/requirements.overrides.txt uv.lock 2>/dev/null | head -30

echo
echo "== Check if uv.lock was recently generated (check git status) =="
git log --oneline -n 5 -- uv.lock 2>/dev/null || echo "Cannot access git history"

echo
echo "== Check for any requirements files in deploy/llama-stack =="
find deploy/llama-stack -type f -name '*.txt' -o -name '*.lock' -o -name 'pyproject.toml' | xargs ls -la 2>/dev/null

Repository: lightspeed-core/lightspeed-stack

Length of output: 8807


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check how RAW_REQ_FILE from konflux_requirements.sh is used =="
rg -n 'RAW_REQ_FILE' scripts/konflux_requirements.sh

echo
echo "== Search for references to konflux_requirements.sh in the pipeline =="
find .tekton .konflux -type f -name '*.yaml' -o -name '*.yml' 2>/dev/null | xargs grep -l 'konflux_requirements.sh' 2>/dev/null || echo "No references found"

echo
echo "== Check if there are multiple lock files or if uv.lock is the single source =="
find . -name '*lock*' -o -name '*requirements*.txt' | grep -v '.git' | head -20

echo
echo "== Verify when uv.lock was last modified =="
git log --oneline -n 10 -- uv.lock 2>/dev/null || echo "Cannot access git log"

Repository: lightspeed-core/lightspeed-stack

Length of output: 959


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check Konflux-specific requirement files for torch pins =="
rg 'torch' .konflux/ || echo "No torch references in .konflux artifacts"

echo
echo "== Read the Konflux requirements files to understand the build flow =="
for file in .konflux/requirements-build.txt .konflux/requirements.hermetic.txt .konflux/requirements.hashes.wheel.txt; do
  if [ -f "$file" ]; then
    echo "=== $file ==="
    head -20 "$file"
  fi
done

echo
echo "== Check if Tekton/Konflux tasks reference torch or requirements compilation =="
find .tekton .konflux -type f \( -name '*.yaml' -o -name '*.yml' \) 2>/dev/null | xargs grep -i 'torch\|konflux_requirements\|uv pip compile' 2>/dev/null | head -20

echo
echo "== Check git status of torch in this PR (show full context) =="
git diff HEAD~1 HEAD -- pyproject.toml .konflux/requirements.overrides.txt 2>/dev/null | head -50

Repository: lightspeed-core/lightspeed-stack

Length of output: 6405


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check when .konflux/requirements.hashes.wheel.txt was last updated =="
git log --oneline -n 5 -- .konflux/requirements.hashes.wheel.txt 2>/dev/null || echo "No git history"

echo
echo "== Show the torch entry in .konflux/requirements.hashes.wheel.txt with context =="
grep -A 1 '^torch==' .konflux/requirements.hashes.wheel.txt

echo
echo "== Verify what test.containerfile actually does with the lockfile =="
cat -n deploy/llama-stack/test.containerfile

echo
echo "== Check if there are any instructions in the repo about syncing Konflux artifacts =="
grep -r 'requirements.hashes\|konflux.*requirements\|override.*torch' . --include='*.md' --include='*.sh' --include='Makefile' 2>/dev/null | head -10

Repository: lightspeed-core/lightspeed-stack

Length of output: 3407


🏁 Script executed:

#!/bin/bash
set -euo pipefkail

echo "== Get the full git log for this PR commit =="
git log -1 --stat e6081255 2>/dev/null | head -30

echo
echo "== Check if .konflux/ files were modified in this commit =="
git diff e6081255~1 e6081255 -- .konflux/ 2>/dev/null | head -100

Repository: lightspeed-core/lightspeed-stack

Length of output: 220


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Get the full git log for this PR commit =="
git log -1 --stat e6081255 2>/dev/null | head -30

echo
echo "== Check if .konflux/ files were modified in this commit =="
git diff e6081255~1 e6081255 -- .konflux/ 2>/dev/null | head -100

echo
echo "== Check if pyproject.toml was the ONLY file changed =="
git show e6081255 --name-only 2>/dev/null

Repository: lightspeed-core/lightspeed-stack

Length of output: 1871


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== List all files changed in commit e6081255 =="
git show --name-only --pretty=format: e6081255 2>/dev/null | grep -E '(pyproject|konflux|uv\.lock)' | sort

echo
echo "== Count total files changed =="
git show --name-only --pretty=format: e6081255 2>/dev/null | grep -v '^$' | wc -l

echo
echo "== Check if the conflict entry in uv.lock references this =="
rg -B 5 'conflict.*llslibdev' uv.lock

Repository: lightspeed-core/lightspeed-stack

Length of output: 1236


Update .konflux/requirements.overrides.txt to torch==2.10.0 to match the pyproject.toml bump.

The pyproject.toml now pins torch==2.10.0, but .konflux/requirements.overrides.txt still pins torch==2.9.1. During Konflux builds, scripts/konflux_requirements.sh applies --override .konflux/requirements.overrides.txt, which will resolve torch 2.9.1 instead of 2.10.0 for the llslibdev group. This leaves the CVE fix unapplied in the Konflux build path while local builds (via uv.lock with torch 2.10.0) receive it.

Regenerate the Konflux artifacts (.konflux/requirements.hashes.*.txt) by running make konflux-requirements to sync the override file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyproject.toml` at line 189, the Konflux build path is still overriding torch
to the older 2.9.1 pin, so update the torch entry in
.konflux/requirements.overrides.txt to 2.10.0 to match the pyproject.toml bump.
Then regenerate the Konflux lock artifacts by running make konflux-requirements
so the .konflux/requirements.hashes.*.txt files stay in sync with the override
used by scripts/konflux_requirements.sh.
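
The mismatch described in the comment above (one exact pin in pyproject.toml, a different one in the override file the build applies) can be caught mechanically before a build. This is an added example, not code from the PR or the project: the function names `exact_pins` and `check_pin_drift` are hypothetical and the file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the PR. Sample file contents are constructed.

# exact_pins PKG FILE: print each distinct version pinned as PKG==VERSION.
# Comment lines are skipped; "pytorch==" and "torchvision==" do not match "torch".
# Assumes PKG contains no regex metacharacters.
exact_pins() {
  grep -v '^[[:space:]]*#' "$2" \
    | grep -Eo "(^|[^A-Za-z0-9_.-])$1==[0-9][0-9A-Za-z.+!]*" \
    | sed 's/.*==//' | sort -u
}

# check_pin_drift PKG FILE...: list every pin found, then return
# 0 if all pins agree, 1 if they differ, 2 if no file pins PKG exactly.
check_pin_drift() {
  pkg=$1; shift
  seen=""
  for f in "$@"; do
    for v in $(exact_pins "$pkg" "$f"); do
      echo "$f: $pkg==$v"
      seen="$seen $v"
    done
  done
  n=$(printf '%s\n' $seen | sort -u | grep -c . || true)
  if [ "$n" -eq 0 ]; then return 2; fi
  if [ "$n" -gt 1 ]; then return 1; fi
  return 0
}

# Constructed inputs mirroring the situation in the review comment.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/pyproject.toml" <<'EOF'
llslibdev = [
    # previous pin was torch==2.9.1
    "torch==2.10.0",
    "trl>=0.18.2",
]
EOF
cat > "$demo_dir/requirements.overrides.txt" <<'EOF'
torch==2.9.1
EOF

if check_pin_drift torch "$demo_dir/pyproject.toml" "$demo_dir/requirements.overrides.txt"; then
  echo "torch pins agree"
else
  echo "torch pins differ: align the override file before building"
fi
```

Run as a CI step against the real files, a return code of 1 blocks the build while the two pins disagree.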

"trl>=0.18.2",
"peft>=0.15.2",
# API inference: remote::vertexai
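
Review bot: The exact pin `"torch==2.10.0"` under `# API post_training: inline::huggingface` carries no comment saying why it moved, although the review thread ties the bump to a CVE fix. Add a short comment above the pin stating the reason and that 2.10.0 is a floor, and mention there that `.konflux/requirements.overrides.txt` holds a second `torch==` pin that has to change in the same commit, since the review reports it still at 2.9.1. The neighbouring `trl>=0.18.2` and `peft>=0.15.2` are lower bounds only, so confirm from the regenerated uv.lock that the versions resolved alongside torch 2.10.0 are the ones that were tested.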
60 changes: 35 additions & 25 deletions uv.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.