@depthfirst-dev
Overview

Security Updates: PyTorch 2.8.0 and Starlette 0.47.2

Upgrade

This PR upgrades two critical dependencies to address security vulnerabilities:

  • PyTorch: Updated from multiple versions (2.6.0+cu124, 2.7.1) to 2.8.0 across all CUDA configurations
  • Starlette: Updated from 0.47.1 to 0.47.2

The upgrade involved modifying pyproject.toml to add a version constraint torch>=2.8.0 and standardizing all Linux CUDA builds to use the CUDA 12.8 index. The uv.lock file was regenerated to reflect these changes and update all transitive dependencies.

Changes

  • pyproject.toml: Added version constraint torch>=2.8.0 to ensure minimum version compliance for security fixes
  • CUDA configuration: Changed the cu124 extra marker from the pytorch-cuda-124 index to the pytorch-cuda-128 index to align with the new PyTorch 2.8.0 CUDA support strategy (CUDA 12.8 is now the default for Linux builds)
  • Dependency updates: The lock file shows upgrades to multiple transitive dependencies (e.g., accelerate, aiohttp, attrs) to maintain compatibility with PyTorch 2.8.0

Warnings

PyTorch 2.8.0 Breaking Changes

  • Stricter aliasing/mutation checks: Code using cond and other HigherOrderOperators may need to add .clone() to outputs to avoid errors
  • Symbolic shapes API changes: Functions definitely_true and definitely_false have been removed and replaced with guard_or_true and guard_or_false
  • CUDA compute capability support: PyTorch 2.8.0 drops support for older GPUs (Maxwell and most Pascal architectures older than sm_61). Only compute capabilities 6.1 to 9.0 are supported
  • Docker image changes: Official Docker images now use pip instead of conda, which may affect containerized deployments

CUDA Configuration Change

The cu124 extra now points to the CUDA 12.8 index instead of CUDA 12.4. This should not affect functionality, but reviewers should verify that environments expecting CUDA 12.4 specifically are compatible with CUDA 12.8 builds.

Vulnerabilities Fixed

CVE-2025-54121 - Starlette DoS via Large Multipart Forms

Summary: Starlette had a denial-of-service vulnerability when parsing multipart forms with large files (greater than the default max spool size). The library would block the main event thread when rolling files over to disk, preventing new connections from being accepted.

Details: The UploadFile.write() method did not properly check if writing additional bytes would cause a rollover from memory to disk. This caused synchronous I/O on the event loop thread during the rollover operation. While the impact is low on systems with modern HDDs/SSDs, it could affect high-concurrency applications processing large file uploads.

Fixed in: Starlette 0.47.2
References: GitHub Advisory | Fix PR #2962

CVE-2025-2953 - PyTorch Local Denial of Service

Summary: PyTorch 2.6.0+cu124 was vulnerable to a local denial of service attack through the torch.mkldnn_max_pool2d function.

Details: A problematic vulnerability was found in the torch.mkldnn_max_pool2d function that could be exploited locally to cause denial of service. The exploit has been publicly disclosed.

Fixed in: PyTorch 2.7.1-rc1 and later (resolved in 2.8.0)
References: GitHub Issue #149274

CVE-2025-3730 - PyTorch Improper Resource Shutdown

Summary: PyTorch 2.6.0 and 2.7.1 contained an improper resource shutdown vulnerability in the torch.nn.functional.ctc_loss function.

Details: The vulnerability was found in the function torch.nn.functional.ctc_loss in the file aten/src/ATen/native/LossCTC.cpp. The manipulation of this function leads to denial of service through improper resource release. The exploit has been publicly disclosed.

Fixed in: PyTorch 2.8.0
Patch commits: 01f226bf | 46fc5d8e
References: GitHub Issue #150835 | GitHub PR #150981
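
The rollover behaviour described under CVE-2025-54121 can be seen with Python's tempfile.SpooledTemporaryFile. The sketch below is an added example, not code from this PR or from Starlette: the class SpooledUpload, its will_hit_disk check and the sample sizes are hypothetical, and it shows one way to predict that a write will cross the spool limit and run that write on a worker thread instead of the event loop.

```python
import asyncio
import tempfile


class SpooledUpload:
    """Hypothetical upload buffer for illustration; not Starlette's UploadFile."""

    def __init__(self, max_size: int) -> None:
        self.max_size = max_size
        self.size = 0  # bytes written so far
        self.offloaded_writes = 0  # writes that ran on a worker thread
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)

    def will_hit_disk(self, incoming: int) -> bool:
        # SpooledTemporaryFile rolls over to a real file once its size exceeds
        # max_size; that write and every later one is disk I/O.
        return self.size + incoming > self.max_size

    async def write(self, data: bytes) -> None:
        if self.will_hit_disk(len(data)):
            # Rollover or post-rollover write: keep it off the event loop.
            await asyncio.to_thread(self.file.write, data)
            self.offloaded_writes += 1
        else:
            # Still within the in-memory spool: a direct call does no disk I/O.
            self.file.write(data)
        self.size += len(data)


async def demo() -> tuple:
    upload = SpooledUpload(max_size=1024)  # constructed sample limit
    for fill in (b"a", b"b", b"c", b"d"):  # four constructed 512-byte chunks
        await upload.write(fill * 512)
    upload.file.seek(0)
    stored = len(upload.file.read())
    upload.file.close()
    return upload.offloaded_writes, upload.size, stored


def run_demo() -> tuple:
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

The first two chunks fit in memory and are written inline; the third crosses the limit, so it and the fourth are offloaded.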
