
Conversation


@tisnik tisnik commented Jan 27, 2026

Description

LCORE-1240: Konflux requirements

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1240

Summary by CodeRabbit

  • Chores
    • Updated llama-stack to version 0.4.3
    • Updated llama-stack-client to version 0.4.3
    • Updated sentence-transformers to version 5.2.2



coderabbitai bot commented Jan 27, 2026

Walkthrough

Updates three package versions in a requirements hash file: llama-stack and llama-stack-client from 0.4.2 to 0.4.3, and sentence-transformers from 5.2.1 to 5.2.2, with corresponding SHA256 hash updates.

Changes

Cohort / File(s): Dependency version and hash updates (requirements.hashes.source.txt)
Summary: Bumped llama-stack and llama-stack-client to 0.4.3 with updated hashes; bumped sentence-transformers to 5.2.2 with updated hashes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Title check (⚠️ Warning)
    Explanation: The title references a Jira ticket (LCORE-1240) and mentions 'Konflux requirements', but the actual changes are version bumps for three packages (llama-stack, llama-stack-client, sentence-transformers) with hash updates.
    Resolution: Revise the title to accurately describe the package version bumps, such as 'Bump llama-stack, llama-stack-client, and sentence-transformers versions' or ensure the Konflux requirements changes are reflected in the actual file modifications.

✅ Passed checks (2 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.





@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@requirements.hashes.source.txt`:
- Around line 705-707: The pinned dependency sentence-transformers==5.2.2 is
invalid (not on PyPI); change the requirement line that currently reads
"sentence-transformers==5.2.2 \ --hash=sha256:..." to a valid published release
(e.g., "sentence-transformers==5.2.0") and update or remove the associated
--hash entries to match the chosen version, or remove the entire pinned entry
until 5.2.2 is published; if you switch to 5.2.0, ensure any CI or lockfile
hashes are regenerated to reflect the new version and note that when/if moving
to 5.2.2 you may need to add httpx as an explicit dependency because of the
library's internal HTTP client change.
- Around line 199-201: The requirements file pins a non-existent release
"llama-stack==0.4.3" which will fail installs; verify whether you intended
"llama-stack==0.4.2" (latest on PyPI) or a different package (e.g.,
"llama-stack-client==0.4.3"), then update the version pin in
requirements.hashes.source.txt to the correct package/version and regenerate the
corresponding --hash entries for that exact wheel/sdist (remove the invalid
0.4.3 entry if not intended). Ensure the unique token "llama-stack==0.4.3" in
the diff is replaced with the verified version and matching hashes so installers
can succeed.

Comment on lines +199 to +201
llama-stack==0.4.3 \
--hash=sha256:423207eae2b640894992a9075ff9dd6300ff904ab06a49fe38cfe0bb809d4669 \
--hash=sha256:70d379ae9dbb5b1d0693f14054d9817aba183ffcd805133f0a4442baee132c6d
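Review bot: the pin `llama-stack==0.4.3` carries two `--hash=sha256:` values, but nothing in the hunk or the PR description ties either hash to a specific release file (wheel or sdist), so a reviewer cannot check them against the index from the diff alone; regenerate the entry from the published 0.4.3 files (for example with `pip hash` on the downloaded artifacts or `pip-compile --generate-hashes`) and note in the description which files the hashes cover. Under `--require-hashes`, a version that is absent from the index or a hash that matches no downloaded file aborts the whole install rather than falling back to another version, which is the failure mode the review comment below anticipates.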

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Read the requirements.hashes.source.txt file around the mentioned lines
head -210 requirements.hashes.source.txt | tail -25

Repository: lightspeed-core/lightspeed-stack

Length of output: 1678


🌐 Web query:

llama-stack 0.4.3 release notes changelog

💡 Result:

I couldn’t find any llama-stack 0.4.3 release notes/changelog—there doesn’t appear to be a 0.4.3 release published.

What I can confirm from official channels:

  • PyPI (llama-stack) latest published version is 0.4.2, uploaded Jan 16, 2026. [1]
  • The GitHub Releases page for meta-llama/llama-stack currently shows releases up through v0.3.4 (Dec 3, 2025), not 0.4.x. [2]

If you meant a different package/repo (e.g., llama-stack-client-*), tell me which one and I’ll pull the exact 0.4.3 notes (if it exists).

Sources: [1] [2]


🌐 Web query:

llama-stack-client 0.4.3 PyPI release notes

💡 Result:

llama-stack-client 0.4.3 was released on PyPI on Jan 26, 2026, but PyPI does not include any per-version release notes/changelog text for this release (it’s just the package description + files). [1]

On GitHub, the corresponding tag v0.4.3 exists and its tag message is simply “Release version 0.4.3”—no additional release notes are shown there either. [2]

Sources: [1] [2]


🌐 Web query:

llama-stack 0.4.3 security advisory vulnerability

💡 Result:

I couldn’t find any security advisory specifically for llama-stack version 0.4.3, and I also don’t see a published llama-stack 0.4.3 release/tag in the project’s GitHub releases (they show up to v0.3.4) or in third‑party package trackers that list newer 0.4.x versions (e.g., 0.4.1). [4], [3]

What is publicly documented for llama-stack are these advisories/vulnerabilities:

  • CVE-2025-55178 / GHSA-x75h-m6jj-6cj2 — “could potentially allow for remote code execution”; affected: < 0.2.20; patched: 0.2.20. [1]
  • CVE-2024-50050 (Snyk entry) — deserialization of untrusted data via pickle; upgrade to 0.0.41 or higher. [2]

If you meant a different package (for example llama-stack-client-*) or meant 0.4.0/0.4.1 instead of 0.4.3, tell me the exact artifact name (PyPI/npm/Maven) and I’ll narrow it down.

Sources: [1] [2] [3] [4]


Resolve version conflict: llama-stack==0.4.3 does not exist on PyPI.

llama-stack latest published version is 0.4.2 (Jan 16, 2026); 0.4.3 has not been released. GitHub releases only show v0.3.4 as the latest. This dependency specification will fail during installation. Verify the intended version and update accordingly.

llama-stack-client==0.4.3 exists (released Jan 26, 2026) but has no available release notes or changelog for impact assessment.


Comment on lines +705 to +707
sentence-transformers==5.2.2 \
--hash=sha256:280ac54bffb84c110726b4d8848ba7b7c60813b9034547f8aea6e9a345cd1c23 \
--hash=sha256:7033ee0a24bc04c664fd490abf2ef194d387b3a58a97adcc528783ff505159fa
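Review bot: beyond whether `sentence-transformers==5.2.2` resolves, the review below notes that 5.2.2 moves the library's internal HTTP client from requests to httpx and that httpx is optional; since this file is the hash-pinned source of truth for the image, confirm that `httpx` (and anything that previously relied on `requests` arriving transitively through sentence-transformers) is itself pinned here with `--hash` entries, otherwise the install succeeds but the library's download helpers fail at runtime.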

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

sentence-transformers 5.2.2 release notes breaking changes

💡 Result:

Sentence-Transformers v5.2.2 (Jan 27, 2026) — breaking-change relevant notes

  • Dependency change: internal HTTP usage was changed from requests → httpx, and httpx is optional (not automatically imported/installed). As a result, you can no longer rely on requests being present indirectly via sentence-transformers (or it being used by it). If you use the library’s internal download helper(s) (e.g., the legacy http_get utility), you may now need to add httpx explicitly in your environment. Also, importing sentence-transformers should no longer crash if requests isn’t installed. [1][2]

Sources: GitHub release notes [1] and the merged PR (#3618) details [2].


🌐 Web query:

sentence-transformers 5.2.2 security advisory vulnerability

💡 Result:

  • There is no sentence-transformers 5.2.2 release on PyPI (as of Jan 27, 2026). The PyPI release history shows 5.2.0 uploaded Dec 11, 2025. [1]
  • The known published security advisory affecting sentence-transformers is an arbitrary code execution / unsafe deserialization risk when loading PyTorch model files via torch.load() without weights_only=True. It affects versions < 3.1.0 and is fixed by upgrading to >= 3.1.0. [2][3]
  • Therefore, 5.2.0 is not in the affected range for that advisory (it’s well above 3.1.0). [1][2][3]

Sources: [1] PyPI release history, [2] Snyk advisory SNYK-PYTHON-SENTENCETRANSFORMERS-8161344, [3] Safety DB (PVE-2024-73169)


🏁 Script executed:

# Check context around the sentence-transformers line in the requirements file
rg -B5 -A5 'sentence-transformers==5.2.2' requirements.hashes.source.txt | head -30

Repository: lightspeed-core/lightspeed-stack

Length of output: 817


🏁 Script executed:

# Check if there are other versions of sentence-transformers in the file to understand the migration
rg 'sentence-transformers==' requirements.hashes.source.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 106


Remove or update sentence-transformers==5.2.2 — version does not exist on PyPI yet.

Version 5.2.2 has not been released to PyPI (as of Jan 27, 2026). The latest published version is 5.2.0 (Dec 11, 2025). This pin will fail during installation with "No matching distribution found." Either use the current 5.2.0 release or wait for 5.2.2 to be published. Note: 5.2.2 will introduce a breaking change—the internal HTTP client changes from requests to httpx (optional dependency), so existing code relying on the library's download helpers may need to explicitly install httpx.

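Added example, not part of this PR or the lightspeed-stack project: a small Python check for the backslash-continued, hash-pinned requirements layout the review is about, run against a constructed fragment and constructed artifact bytes (no real wheels, no network). It shows what `pip --require-hashes` rejects locally; whether a pinned version actually exists on PyPI still needs an index lookup.

```python
import hashlib
import re

# Constructed artifact bytes standing in for a downloaded wheel and sdist.
FAKE_WHEEL = b"constructed llama-stack-0.4.3 wheel contents"
FAKE_SDIST = b"constructed llama-stack-0.4.3 sdist contents"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed fragment in the layout of requirements.hashes.source.txt (not the
# project's real file). The llama-stack hashes derive from the fake artifacts so
# the check is self-consistent offline; the other two entries are deliberately
# defective (placeholder hash that matches no file, and no hash at all).
SAMPLE_REQUIREMENTS = f"""\
llama-stack==0.4.3 \\
    --hash=sha256:{sha256_hex(FAKE_WHEEL)} \\
    --hash=sha256:{sha256_hex(FAKE_SDIST)}
sentence-transformers==5.2.2 \\
    --hash=sha256:{'0' * 64}
example-lib==1.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})\b")

def parse_hashed_requirements(text: str) -> dict:
    """Join backslash-continued lines as pip does; return
    {name: {"version": ..., "hashes": {...}}} for every == pin."""
    entries, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation: keep accumulating
            logical += line[:-1] + " "
            continue
        logical += line
        m = PIN_RE.match(logical)
        if m:
            hashes = {h.lower() for h in HASH_RE.findall(logical)}
            entries[m.group(1).lower()] = {"version": m.group(2), "hashes": hashes}
        logical = ""
    return entries

def lint(entries: dict) -> list:
    """Pins that pip --require-hashes rejects before downloading anything."""
    return [f"{n}=={e['version']}: no --hash entry" for n, e in entries.items() if not e["hashes"]]

def verify_artifact(data: bytes, entry: dict) -> bool:
    """pip semantics: the file's sha256 must equal one of the listed hashes."""
    return sha256_hex(data) in entry["hashes"]
```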

@tisnik tisnik merged commit 8e37a9d into lightspeed-core:main Jan 27, 2026
21 of 22 checks passed
