Overview

• Repair Link

build(deps): Upgrade torch to 2.8.0 and starlette to 0.47.2

Upgrade

This pull request upgrades the transitive dependencies torch to version 2.8.0 and starlette to 0.47.2. These upgrades are necessary to address the security vulnerabilities detailed below.

Changes

• Upgraded torch to 2.8.0:
  • The PyTorch source configuration in pyproject.toml has been modified. The pytorch-cuda-128 index was removed as it does not host torch==2.8.0, and the configuration for Linux now defaults to the standard PyPI index, which provides torch with CUDA support.
  • A new index for pytorch-cuda-121 has been added for CUDA 12.1 environments.
• Upgraded starlette to 0.47.2:
  • To force the upgrade of the transitive dependency starlette, explicit version constraints have been added for fastapi>=0.120.0 and gradio>=5.49.1 in pyproject.toml.
• Updated uv.lock:
  • The lockfile has been regenerated to reflect the new dependency tree and versions.

Warnings

• PyTorch 2.8: This is a minor version upgrade. While no test failures were encountered, PyTorch 2.8 introduces new features, performance improvements, and some deprecations. Reviewers should be aware of the changes, which are detailed in the official PyTorch 2.8 release notes.

Vulnerabilities Fixed

• GHSA-2c2j-9gv5-cj73 / CVE-2025-54121: Starlette has possible denial-of-service vector when parsing large files in multipart forms

  • Details: When parsing a multi-part form with large files, starlette can block the main thread while the file is being written to disk. This behavior can be exploited to cause a denial of service.
  • References:
    • GHSA-2c2j-9gv5-cj73
    • Kludex/starlette@9f7ec2e

• GHSA-3749-ghw9-m3mg / CVE-2025-2953: PyTorch susceptible to local Denial of Service

  • Details: A vulnerability in the torch.mkldnn_max_pool2d function in PyTorch can be manipulated to cause a denial of service. An attack must be initiated locally.
  • References:
    • Floating point exception in torch.mkldnn_max_pool2d pytorch/pytorch#149274
    • https://nvd.nist.gov/vuln/detail/CVE-2025-2953

• GHSA-887c-mr87-cxwp / CVE-2025-3730: PyTorch Improper Resource Shutdown or Release vulnerability

  • Details: An improper resource shutdown vulnerability in the torch.nn.functional.ctc_loss function in PyTorch can lead to a denial of service. An attack must be initiated locally.
  • References:
    • Floating point exception in torch.nn.functional.ctc_loss pytorch/pytorch#150835
    • Add check for ctc_loss targets param pytorch/pytorch#150981
    • https://nvd.nist.gov/vuln/detail/CVE-2025-3730