[depthfirst-5911] Upgrade multiple packages in uv.lock #3
Overview
build(deps): Upgrade torch to 2.8.0 and starlette to 0.47.2
Upgrade
This pull request upgrades the transitive dependencies torch to version 2.8.0 and starlette to 0.47.2. These upgrades are necessary to address the security vulnerabilities detailed below.

Changes

- torch to 2.8.0: pyproject.toml has been modified. The pytorch-cuda-128 index was removed as it does not host torch==2.8.0, and the configuration for Linux now defaults to the standard PyPI index, which provides torch with CUDA support. pytorch-cuda-121 has been added for CUDA 12.1 environments.
- starlette to 0.47.2: explicit version constraints have been added for fastapi>=0.120.0 and gradio>=5.49.1 in pyproject.toml.
- uv.lock:

Warnings
Vulnerabilities Fixed

GHSA-2c2j-9gv5-cj73 / CVE-2025-54121: Starlette has possible denial-of-service vector when parsing large files in multipart forms
starlette can block the main thread while the file is being written to disk. This behavior can be exploited to cause a denial of service.

GHSA-3749-ghw9-m3mg / CVE-2025-2953: PyTorch susceptible to local Denial of Service
The torch.mkldnn_max_pool2d function in PyTorch can be manipulated to cause a denial of service. An attack must be initiated locally.
Related issue: Floating point exception in torch.mkldnn_max_pool2d (pytorch/pytorch#149274)

GHSA-887c-mr87-cxwp / CVE-2025-3730: PyTorch Improper Resource Shutdown or Release vulnerability
The torch.nn.functional.ctc_loss function in PyTorch can lead to a denial of service. An attack must be initiated locally.
Related issue: Floating point exception in torch.nn.functional.ctc_loss (pytorch/pytorch#150835)