Bump the pytorch group across 1 directory with 11 updates

[dependabot]

Bumps the pytorch group with 11 updates in the /pytorch directory:

Package	From	To
accelerate	0.32.1	0.33.0
peft	0.11.1	0.12.0
protobuf	5.27.2	5.27.3
transformers	4.42.4	4.43.4
jupyterhub	5.0.0	5.1.0
torch	2.1.0.post2+cxx11.abi	2.4.0
torchvision	0.16.0.post2+cxx11.abi	0.19.0
torchaudio	2.1.0.post2+cxx11.abi	2.4.0
intel-extension-for-pytorch	2.1.30+xpu	2.3.100+cpu
oneccl-bind-pt	2.1.300+xpu	2.3.0+cpu
setuptools	71.1.0	72.1.0

Updates accelerate from 0.32.1 to 0.33.0

Release notes

Sourced from accelerate's releases.

v0.27.0: PyTorch 2.2.0 Support, PyTorch-Native Pipeline Parallism, DeepSpeed XPU support, and Bug Fixes

PyTorch 2.2.0 Support

With the latest release of PyTorch 2.2.0, we've guaranteed that there are no breaking changes regarding it

PyTorch-Native Pipeline Parallel Inference

With this release we are excited to announce support for pipeline-parallel inference by integrating PyTorch's PiPPy framework (so no need to use Megatron or DeepSpeed)! This supports automatic model-weight splitting to each device using a similar API to device_map="auto". This is still under heavy development, however the inference side is stable enough that we are ready for a release. Read more about it in our docs and check out the example zoo.

Requires pippy of version 0.2.0 or later (pip install torchpippy -U)

Example usage (combined with accelerate launch or torchrun):

from accelerate import PartialState, prepare_pippy
model = AutoModelForSequenceClassification.from_pretrained("gpt2")
model = prepare_pippy(model, split_points="auto", example_args=(input,))
input = input.to("cuda:0")
with torch.no_grad():
    output = model(input)
# The outputs are only on the final process by default
# You can pass in `gather_outputs=True` to prepare_pippy to
# make them available on all processes
if PartialState().is_last_process:
    output = torch.stack(tuple(output[0]))
    print(output.shape)

DeepSpeed

This release provides support for utilizing DeepSpeed on XPU devices thanks to @​faaany

What's Changed

• Convert model.hf_device_map back to Dict by @​SunMarc in huggingface/accelerate#2326
• Fix model memory issue by @​muellerzr in huggingface/accelerate#2327
• Fixed typos in readme files of docs folder. by @​rishit5 in huggingface/accelerate#2329
• Disable P2P in just the 4000 series by @​muellerzr in huggingface/accelerate#2332
• Avoid duplicating memory for tied weights in dispatch_model, and in forward with offloading by @​fxmarty in huggingface/accelerate#2330
• Show DeepSpeed option when multi-XPU is selected in accelerate config by @​faaany in huggingface/accelerate#2346
• FIX: add oneCCL environment variable for non-MPI launcher (accelerate launch) by @​faaany in huggingface/accelerate#2339
• device agnostic test_accelerator/test_multigpu by @​wangshuai09 in huggingface/accelerate#2343
• Fix mpi4py/failing deepspeed test issues by @​muellerzr in huggingface/accelerate#2353
• Fix block_size picking in megatron_lm_gpt_pretraining example. by @​nilq in huggingface/accelerate#2342
• Fix dispatch_model with tied weights test on T4 by @​fxmarty in huggingface/accelerate#2354
• bugfix to allow usage of TE or MSAMP in FP8RecipeKwargs by @​sudhakarsingh27 in huggingface/accelerate#2355
• Pin DeepSpeed until patch by @​muellerzr in huggingface/accelerate#2366
• Remove init_hook_kwargs by @​fxmarty in huggingface/accelerate#2365
• device agnostic optimizer testing by @​statelesshz in huggingface/accelerate#2363
• add_hook_to_module and remove_hook_from_module compatibility with fx.GraphModule by @​fxmarty in huggingface/accelerate#2369
• Adding requires_grad to kwargs when registering empty parameters. by @​BlackSamorez in huggingface/accelerate#2376

... (truncated)

Commits

• 28a3b98 Release: v0.33.0
• 415eddf feat(ci): add pip caching in CI (#2952)
• 2308576 Properly handle Params4bit in set_module_tensor_to_device (#2934)
• a5a3e57 Add torch.float8_e4m3fn format dtype_byte_size (#2945)
• 0af1d8b delete CCL env var setting (#2927)
• d16d737 Improve test reliability for Accelerator.free_memory() (#2935)
• 7a5c231 Consider pynvml available when installed through the nvidia-ml-py distributio...
• 4f02bb7 Fix import test (#2931)
• 709fd1e Hotfix PyTorch Version Installation in CI Workflow for Minimum Version Matrix...
• f4f1260 Correct loading of models with shared tensors when using accelerator.load_sta...
• Additional commits viewable in compare view

Updates peft from 0.11.1 to 0.12.0

Release notes

Sourced from peft's releases.

v0.12.0: New methods OLoRA, X-LoRA, FourierFT, HRA, and much more

Highlights

New methods

OLoRA

@​tokenizer-decode added support for a new LoRA initialization strategy called OLoRA (#1828). With this initialization option, the LoRA weights are initialized to be orthonormal, which promises to improve training convergence. Similar to PiSSA, this can also be applied to models quantized with bitsandbytes. Check out the accompanying OLoRA examples.

X-LoRA

@​EricLBuehler added the X-LoRA method to PEFT (#1491). This is a mixture of experts approach that combines the strength of multiple pre-trained LoRA adapters. Documentation has yet to be added but check out the X-LoRA tests for how to use it.

FourierFT

@​Phoveran, @​zqgao22, @​Chaos96, and @​DSAILatHKUST added discrete Fourier transform fine-tuning to PEFT (#1838). This method promises to match LoRA in terms of performance while reducing the number of parameters even further. Check out the included FourierFT notebook.

HRA

@​DaShenZi721 added support for Householder Reflection Adaptation (#1864). This method bridges the gap between low rank adapters like LoRA on the one hand and orthogonal fine-tuning techniques such as OFT and BOFT on the other. As such, it is interesting for both LLMs and image generation models. Check out the HRA example on how to perform DreamBooth fine-tuning.

Enhancements

• IA³ now supports merging of multiple adapters via the add_weighted_adapter method thanks to @​alexrs (#1701).
• Call peft_model.get_layer_status() and peft_model.get_model_status() to get an overview of the layer/model status of the PEFT model. This can be especially helpful when dealing with multiple adapters or for debugging purposes. More information can be found in the docs (#1743).
• DoRA now supports FSDP training, including with bitsandbytes quantization, aka QDoRA ()#1806).
• VeRA has been extended by @​dkopi to support targeting layers with different weight shapes (#1817).
• @​kallewoof added the possibility for ephemeral GPU offloading. For now, this is only implemented for loading DoRA models, which can be sped up considerably for big models at the cost of a bit of extra VRAM (#1857).
• Experimental: It is now possible to tell PEFT to use your custom LoRA layers through dynamic dispatching. Use this, for instance, to add LoRA layers for thus far unsupported layer types without the need to first create a PR on PEFT (but contributions are still welcome!) (#1875).

Examples

• @​shirinyamani added a script and a notebook to demonstrate DoRA fine-tuning.
• @​rahulbshrestha contributed a notebook that shows how to fine-tune a DNA language model with LoRA.

Changes

Casting of the adapter dtype

Important: If the base model is loaded in float16 (fp16) or bfloat16 (bf16), PEFT now autocasts adapter weights to float32 (fp32) instead of using the dtype of the base model (#1706). This requires more memory than previously but stabilizes training, so it's the more sensible default. To prevent this, pass autocast_adapter_dtype=False when calling get_peft_model, PeftModel.from_pretrained, or PeftModel.load_adapter.

Adapter device placement

The logic of device placement when loading multiple adapters on the same model has been changed (#1742). Previously, PEFT would move all adapters to the device of the base model. Now, only the newly loaded/created adapter is moved to the base model's device. This allows users to have more fine-grained control over the adapter devices, e.g. allowing them to offload unused adapters to CPU more easily.

PiSSA

... (truncated)

Commits

• e6cd24c Release v0.12.0 (#1946)
• 05f57e9 PiSSA, OLoRA: Delete initial adapter after conversion instead of the active a...
• 2ce83e0 FIX Decrease memory overhead of merging (#1944)
• ebcd079 [WIP] ENH Add support for Qwen2 (#1906)
• ba75bb1 FIX: More VeRA tests, fix tests, more checks (#1900)
• 6472061 FIX Prefix tuning Grouped-Query Attention (#1901)
• e02b938 FIX PiSSA & OLoRA with rank/alpha pattern, rslora (#1930)
• 5268495 FEAT Add HRA: Householder Reflection Adaptation (#1864)
• 2aaf9ce ENH Sync LoRA tp_layer methods with vanilla LoRA (#1919)
• a019f86 FIX sft script print_trainable_parameters attr lookup (#1928)
• Additional commits viewable in compare view

Updates protobuf from 5.27.2 to 5.27.3

Commits

• 7cc670c Updating version.json and repo version numbers to: 27.3
• 67d7298 Merge pull request #17617 from protocolbuffers/cp-utf8-ascii
• e20cb7a Remove /utf-8 flag added in #14197
• c9839cb Merge pull request #17473 from protocolbuffers/cp-revert-hack
• 8a579c1 Downgrade CMake to 3.29 to workaround Abseil issue.
• ba3e7d7 Revert workaround for std::mutex issues on github windows runners.
• 861be78 Merge pull request #17331 from protocolbuffers/cp-cp
• c1ec82f Merge pull request #17232 from simonberger/bugfix/php-ext-persistent-global-c...
• aec8a76 Upgrade macos-11 tests to macos-12
• 4e3b4f0 Use explicit names of our large runners
• Additional commits viewable in compare view

Updates transformers from 4.42.4 to 4.43.4

Release notes

Sourced from transformers's releases.

v4.43.4 Patch Release

Patch Release v4.43.4

There was a mick mack, now deepseep issues are properly pushed with:

• Resize embeds with DeepSpeed huggingface/transformers#32214

🤗 Enjoy holidays

v4.43.3 Patch deepspeed

Patch release v4.43.3: We still saw some bugs so @​zucchini-nlp added: - Resize embeds with DeepSpeed #32214

• don't log base model architecture in wandb if log model is false #32143

Other fixes:

• [whisper] fix short-form output type #32178, by @​sanchit-gandhi which fixes the short audio temperature fallback!
• [BigBird Pegasus] set _supports_param_buffer_assignment to False #32222 by @​kashif, mostly related to the new super fast init, some models have to get this set to False. If you see a weird behavior look for that 😉

v4.43.2: Patch release

• Fix float8_e4m3fn in modeling_utils (#32193)
• Fix resize embedding with Deepspeed (#32192)
• let's not warn when someone is running a forward (#32176)
• RoPE: relaxed rope validation (#32182)

v4.43.1: Patch release

• fix (#32162)

Commits

• 868d36d Patch release v4.43.4
• 5cea2e7 Resize embeds with DeepSpeed (#32214)
• 47c29cc Patch release v4.43.3
• 54bc29c don't log base model architecture in wandb if log model is false (#32143)
• cc75146 [BigBird Pegasus] set _supports_param_buffer_assignment to False (#32222)
• cd06184 [whisper] fix short-form output type (#32178)
• 38d94bf Patch release
• b4a0442 Fix float8_e4m3fn in modeling_utils (#32193)
• 4672b4d Fix resize embedding with Deepspeed (#32192)
• a2b6a00 let's not warn when someone is running a forward (#32176)
• Additional commits viewable in compare view

Updates jupyterhub from 5.0.0 to 5.1.0

Commits

• cdc2151 Bump to 5.1.0
• b4a06ea add 4.1.6 changelog
• 5fcaaac Merge pull request #4848 from minrk/prep-510
• 4ea8fcb regen rest-api
• ca7df63 Merge commit from fork
• 759a4f0 update 5.1 changelog
• 2a89495 Merge pull request #4856 from jfrost-mo/secure_context_for_login
• 671c8ab Merge pull request #4860 from krassowski/pass-kwargs-to-server-initialize
• 49aaf50 Pass kwargs down to initialize() call of the server
• 0c20f3e Show insecure login warning when not in a secure context
• Additional commits viewable in compare view

Updates torch from 2.1.0.post2+cxx11.abi to 2.4.0

Release notes

Sourced from torch's releases.

PyTorch 2.4: Python 3.12, AOTInductor freezing, libuv backend for TCPStore

PyTorch 2.4 Release Notes

• Highlights
• Tracked Regressions
• Backward incompatible changes
• Deprecations
• New features
• Improvements
• Bug Fixes
• Performance
• Documentation
• Developers
• Security

Highlights

We are excited to announce the release of PyTorch® 2.4! PyTorch 2.4 adds support for the latest version of Python (3.12) for torch.compile. AOTInductor freezing gives developers running AOTInductor more performance based optimizations by allowing the serialization of MKLDNN weights. As well, a new default TCPStore server backend utilizing libuv has been introduced which should significantly reduce initialization times for users running large-scale jobs. Finally, a new Python Custom Operator API makes it easier than before to integrate custom kernels into PyTorch, especially for torch.compile.

This release is composed of 3661 commits and 475 contributors since PyTorch 2.3. We want to sincerely thank our dedicated community for your contributions. As always, we encourage you to try these out and report any issues as we improve 2.4. More information about how to get started with the PyTorch 2-series can be found at our Getting Started page.

... (truncated)

Commits

• See full diff in compare view

Updates torchvision from 0.16.0.post2+cxx11.abi to 0.19.0

Release notes

Sourced from torchvision's releases.

Torchvision 0.19 release

Highlights

Encoding / Decoding images

Torchvision is extending its encoding/decoding capabilities. For this version, we added a GIF decoder which is available as torchvision.io.decode_gif(raw_tensor), torchvision.io.decode_image(raw_tensor), and torchvision.io.read_image(path_to_image).

We also added support for jpeg GPU encoding in torchvision.io.encode_jpeg(). This is 10X faster than the existing CPU jpeg encoder.

Read more on the docs!

Stay tuned for more improvements coming in the next versions. We plan to improve jpeg GPU decoding, and add more image decoders (webp in particular).

Resizing according to the longest edge of an image

It is now possible to resize images by setting torchvision.transforms.v2.Resize(max_size=N): this will resize the longest edge of the image exactly to max_size, making sure the image dimension don't exceed this value. Read more on the docs!

Detailed changes

Bug Fixes

[datasets] SBDataset: Only download noval file when image_set='train_noval' (#8475) [datasets] Update the download url in class EMNIST (#8350) [io] Fix compilation error when there is no libjpeg (#8342) [reference scripts] Fix use of cutmix_alpha in classification training references (#8448) [utils] Allow K=1 in draw_keypoints (#8439)

New Features

[io] Add decoder for GIF images (decode_gif(), decode_image(),read_image()) (#8406, #8419) [transforms] Add GaussianNoise transform (#8381)

Improvements

[transforms] Allow v2 Resize to resize longer edge exactly to max_size (#8459) [transforms] Add min_area parameter to SanitizeBoundingBox (#7735) [transforms] Make adjust_hue() work with numpy 2.0 (#8463) [transforms] Enable one-hot-encoded labels in MixUp and CutMix (#8427) [transforms] Create kernel on-device for transforms.functional.gaussian_blur (#8426) [io] Adding GPU acceleration to encode_jpeg (10X faster than CPU encoder) (#8391) [io] read_video: accept BytesIO objects on pyav backend (#8442) [io] Add compatibility with FFMPEG 7.0 (#8408) [datasets] Add extra to install gdown (#8430) [datasets] Support encoded RLE format in for COCO segmentations (#8387) [datasets] Added binary cat vs dog classification target type to Oxford pet dataset (#8388) [datasets] Return labels for FER2013 if possible (#8452) [ops] Force use of torch.compile on deterministic roi_align implementation (#8436) [utils] add float support to utils.draw_bounding_boxes() (#8328)

... (truncated)

Commits

• See full diff in compare view

Updates torchaudio from 2.1.0.post2+cxx11.abi to 2.4.0

Release notes

Sourced from torchaudio's releases.

TorchAudio 2.4.0 Release

This release is compatible with PyTorch 2.4. There are no new features added.

This release contains 2 fixes:

• Fix view size error when backpropagating through lfilter pytorch/audio#3794
• [BC-Breaking] Fix model downloading in bento pytorch/audio#3803

TorchAudio 2.3.1 Release

This release is compatible with PyTorch 2.3.1 patch release. There are no new features added.

TorchAudio 2.3.0 Release

This release is compatible with PyTorch 2.3.0 patch release. There are no new features added.

This release contains minor documentation and code quality improvements (#3734, #3748, #3757, #3759)

TorchAudio 2.2.2 Release

This release is compatible with PyTorch 2.2.2 patch release. There are no new features added.

TorchAudio 2.2.1 Release

This release is compatible with PyTorch 2.2.1 patch release. There are no new features added.

TorchAudio 2.2.0 Release

New Features

• Add path-like object support to StreamReader/Writer pytorch/audio#3608
• Introduce trio top-level module, dedicated for core I/O operations (pytorch/audio#3676, pytorch/audio#3680, pytorch/audio#3681, pytorch/audio#3682) Please refer to https://pytorch.org/audio/2.2.0/torio.html for the details.

Bug Fixes

• pytorch/audio#3685 Make F.vad return empty tensor for zero valued tensor input

Recipe Updates

• pytorch/audio#3631 Fix inconsistent naming

TorchAudio 2.1.2 Release

This is a patch release, which is compatible with PyTorch 2.1.2. There are no new features added.

v2.1.1

This is a minor release, which is compatible with PyTorch 2.1.1 and includes bug fixes, improvements and documentation updates.

Bug Fixes

• Cherry-pick 2.1.1: Fix WavLM bundles (#3665)
• Cherry-pick 2.1.1: Add back compression level in i/o dispatcher backend by (#3666)

Commits

• See full diff in compare view

Updates intel-extension-for-pytorch from 2.1.30+xpu to 2.3.100+cpu

Updates oneccl-bind-pt from 2.1.300+xpu to 2.3.0+cpu

Updates setuptools from 71.1.0 to 72.1.0

Changelog

Sourced from setuptools's changelog.

v72.1.0

Features

• Restore the tests command and deprecate access to the module. (#4519) (#4520)

v72.0.0

Deprecations and Removals

• The test command has been removed. Users relying on 'setup.py test' will need to migrate to another test runner or pin setuptools before this version. (#931)

Commits

• 441799f Bump version: 72.0.0 → 72.1.0
• 59aff44 Merge pull request #4522 from pypa/feature/graceful-drop-tests
• c437aaa Restore the tests command and deprecate access to the module.
• a6726b9 Add celery and requests to the packages that test integration. Ref #4520
• 5e1b3c4 Bump version: 71.1.0 → 72.0.0
• 4c0b9f3 Merge pull request #4458 from pypa/debt/remove-test-command
• be8e3a0 Merge pull request #4507 from pypa/docs/4483-install-core-extra
• 99d2c72 Add documentation clarifying how to reliably install setuptools with its depe...
• 63c89f9 👹 Feed the hobgoblins (delint).
• c405ac1 Merge branch 'main' into debt/remove-test-command
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

License Issues

pytorch/xpu-requirements.txt

Package	Version	License	Issue Type
intel_extension_for_pytorch	2.3.100+cpu	Null	Unknown License
oneccl_bind_pt	2.3.0+cpu	Null	Unknown License
torch	2.4.0	Null	Unknown License

pytorch/requirements.txt

Package	Version	License	Issue Type
torch	2.4.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/accelerate	0.33.0	🟢 6.2	Details Check Score Reason Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
pip/peft	0.12.0	Unknown	Unknown
pip/protobuf	5.27.3	🟢 7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 21 out of 21 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 2 found 23 unreviewed changesets out of 30 -- score normalized to 2 Contributors 🟢 10 13 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 5 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed or have provenance Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 7 3 existing vulnerabilities detected
pip/transformers	4.43.4	🟢 4.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 467 existing vulnerabilities detected
pip/jupyterhub	5.1.0	🟢 5.4	Details Check Score Reason Code-Review 🟢 4 Found 6/15 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
pip/torch	2.4.0	🟢 6.4	Details Check Score Reason Binary-Artifacts 🟢 9 binaries present in source code Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests ⚠️ -1 no pull request found CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 10 all last 30 commits are reviewed through Prow Contributors 🟢 10 35 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 15 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 no SAST tool detected Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed -- score normalized to 0 Token-Permissions ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 no vulnerabilities detected Webhooks ⚠️ -1 check is not supported for this request: SCORECARD_V6 is not set, not running the Webhook check
pip/torchaudio	2.4.0	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 7 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchvision	0.19.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 9 binaries present in source code Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchvision	0.19.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 9 binaries present in source code Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/intel_extension_for_pytorch	2.3.100+cpu	Unknown	Unknown
pip/oneccl_bind_pt	2.3.0+cpu	Unknown	Unknown
pip/setuptools	72.1.0	🟢 5.8	Details Check Score Reason Code-Review ⚠️ 2 Found 5/20 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torch	2.4.0	🟢 6.4	Details Check Score Reason Binary-Artifacts 🟢 9 binaries present in source code Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests ⚠️ -1 no pull request found CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 10 all last 30 commits are reviewed through Prow Contributors 🟢 10 35 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 15 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 no SAST tool detected Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ 0 0 out of 5 artifacts are signed -- score normalized to 0 Token-Permissions ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 no vulnerabilities detected Webhooks ⚠️ -1 check is not supported for this request: SCORECARD_V6 is not set, not running the Webhook check
pip/torchaudio	2.4.0	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 7 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/torchvision	0.19.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 9 binaries present in source code Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

pytorch/hf-genai-requirements.txt

• accelerate@0.33.0
• peft@0.12.0
• protobuf@5.27.3
• transformers@4.43.4
• accelerate@0.32.1
• peft@0.11.1
• protobuf@5.27.2
• transformers@4.42.4

pytorch/jupyter-requirements.txt

• jupyterhub@5.1.0
• jupyterhub@5.0.0

pytorch/requirements.txt

• torch@2.4.0
• torchaudio@2.4.0
• torchvision@0.19.0
• torch@2.3.1
• torchaudio@2.3.1
• torchvision@0.18.1

pytorch/torchserve-requirements.txt

• torchvision@0.19.0
• torchvision@0.18.1

pytorch/xpu-requirements.txt

• torch@2.1.0.post2+cxx11.abi
• intel_extension_for_pytorch@2.3.100+cpu
• oneccl_bind_pt@2.3.0+cpu
• setuptools@72.1.0
• torch@2.4.0
• torchaudio@2.4.0
• torchvision@0.19.0
• intel_extension_for_pytorch@2.1.30+xpu
• oneccl_bind_pt@2.1.300+xpu
• setuptools@71.1.0
• torchaudio@2.1.0.post2+cxx11.abi
• torchvision@0.16.0.post2+cxx11.abi

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.