Fixes: #366 Updated library dependency #369
Conversation
📝 WalkthroughWalkthroughThe pull request updates the PyTorch dependency in Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@requirements.txt`:
- Line 1: The requirements entry pins a vulnerable PyTorch version
"torch==2.6.0"; change this pin to a safe release by replacing "torch==2.6.0"
with "torch==2.5.1" for now (or with "torch==2.6.1" once the upstream
security/patch release is available), and ensure any CI or dependency-lock files
are updated to match the chosen pin to avoid deploying the insecure 2.6.0 build.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
requirements.txt
✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.
requirements.txt
Outdated
| @@ -1,4 +1,4 @@ | |||
| torch==2.5.1 | |||
| torch==2.6.0 | |||
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
PyTorch 2.6.0 release stable version March 2025
💡 Result:
PyTorch 2.6.0 stable was released on January 29–30, 2025 (official release blog: Jan 29, 2025; release listing shows Jan 30, 2025). [1][2]
Note: a critical vulnerability affecting PyTorch 2.6.0 (CVE-2025-2998) was published March 31, 2025. [3]
Sources:
- PyTorch 2.6 Release Blog (Jan 29, 2025). [1]
- PyTorch Versions wiki — 2.6.0 release date (Jan 30, 2025). [2]
- CVE-2025-2998 / vulnerability notice (Mar 31, 2025). [3]
🌐 Web query:
PyTorch 2.6.0 compatibility transformers 4.46.1
💡 Result:
Short answer: Yes — Transformers 4.46.1 is compatible with PyTorch 2.6.0.
Sources:
- transformers 4.46.1 package info (PyPI) — shows transformers is built to work with torch (and is a general-purpose release). [1]
- PyTorch 2.6 release announcement. [2]
- Hugging Face installation notes (transformers tested against PyTorch historically and supports recent 2.x runtimes). [3]
If you want to install:
- pip install "transformers[torch]" (use a Python version supported by the wheel, e.g. Python 3.8+). [1][3]
References:
[1] PyPI — transformers 4.46.1.
[2] PyTorch 2.6 release blog.
[3] Hugging Face Transformers installation docs.
🌐 Web query:
PyTorch 2.6.0 security vulnerabilities CVE
💡 Result:
Here are known CVEs that specifically reference PyTorch 2.6.0 (local memory-corruption / DoS issues reported in 2025). Summary — CVE ID, short description, affected function:
- CVE-2025-2998 — memory corruption in torch.nn.utils.rnn.pad_packed_sequence (local; disclosed). (ubuntu.com)
- CVE-2025-2999 — memory corruption (CWE-119) affecting PyTorch 2.6.0 (local; medium). (cve.armis.com)
- CVE-2025-3000 — memory corruption in torch.jit.script (PyTorch 2.6.0; PoC published). (securityvulnerability.io)
- CVE-2025-3001 — memory corruption in torch.lstm_cell (PyTorch 2.6.0; PoC published). (securityvulnerability.io)
- CVE-2025-3121 — memory corruption in torch.jit.jit_module_from_flatbuffer (PyTorch 2.6.0). (nvd.nist.gov)
- CVE-2025-3136 — memory corruption in torch.cuda.memory.caching_allocator_delete (c10/cuda/CUDACachingAllocator.cpp). (nvd.nist.gov)
- CVE-2025-2953 — reported denial-of-service via torch.mkldnn_max_pool2d (record marked “Disputed/Modified” by NVD). (nvd.nist.gov)
- CVE-2025-2149 — issue in quantized Sigmoid (nnq_Sigmoid) improper initialization (affects 2.6.0+cu124). (nvd.nist.gov)
Recommendation: avoid running untrusted code/models with PyTorch 2.6.0, restrict local access, and upgrade to a patched PyTorch release (check the official PyTorch security advisories and NVD/CVE entries for exact fixed versions and patches). For detailed vendor advisories and issue links, see the NVD/Ubuntu/CNA pages cited above. (nvd.nist.gov)
Citations:
- 1: https://ubuntu.com/security/CVE-2025-2998?utm_source=openai
- 2: https://cve.armis.com/cve-2025-2999?utm_source=openai
- 3: https://securityvulnerability.io/vulnerability/CVE-2025-3000?utm_source=openai
- 4: https://securityvulnerability.io/vulnerability/CVE-2025-3001?utm_source=openai
- 5: https://nvd.nist.gov/vuln/detail/CVE-2025-3121?utm_source=openai
- 6: https://nvd.nist.gov/vuln/detail/CVE-2025-3136?utm_source=openai
- 7: https://nvd.nist.gov/vuln/detail/CVE-2025-2953?utm_source=openai
- 8: https://nvd.nist.gov/vuln/detail/cve-2025-2149?utm_source=openai
- 9: https://nvd.nist.gov/vuln/detail/cve-2025-2149?utm_source=openai
🌐 Web query:
PyTorch 2.5.1 vs 2.6.0 stability issues
💡 Result:
Short answer: PyTorch 2.6.0 introduced several regressions, build/incompatibility problems, torch.compile/accuracy regressions and at least a few security/bug fixes tracked as CVEs; the PyTorch team scheduled a 2.6.1 patch to address critical items. If you need maximum stability today, either pin to a known-good 2.5.x release (2.5.1) for your workload or thoroughly test 2.6.0 in your exact environment (CUDA/toolchain/CPU/ARM) before upgrading. [1][2][3][4][5]
Key examples (select items reported publicly)
- Official 2.6 release notes and changes (new features plus ABI/build differences that affected some users). [1]
- PyTorch team planning thread for a 2.6.1 patch listing critical open regressions (e.g., CUDA init in subprocess, Raspberry Pi ONNX export crash). [2]
- GitHub issues reporting build/incompatibility problems with torchvision/extensions and ABI mismatches when building 2.6.0. [3]
- Published security/bug reports (several CVEs and memory/corruption issues reported against 2.6.0 builds). [4]
- Community reports of torch.compile inconsistencies and other runtime/regression behavior changes after 2.6.0. [5]
If you want, tell me:
- which OS, Python, and CUDA (or CPU/ARM/ROCm) you use and whether you rely on torch.compile or custom C++/torchvision extensions — I’ll check known issues that matter for your stack and recommend a concrete version or mitigation.
Do not upgrade to PyTorch 2.6.0 — multiple critical security vulnerabilities and stability regressions documented.
PyTorch 2.6.0 (released Jan 29-30, 2025) contains at least 8 publicly disclosed CVEs affecting memory corruption and denial-of-service vectors (CVE-2025-2998, CVE-2025-2999, CVE-2025-3000, CVE-2025-3001, CVE-2025-3121, CVE-2025-3136, CVE-2025-2953, CVE-2025-2149). Additionally, the official PyTorch team has documented regressions, build incompatibilities, and torch.compile issues with 2.6.0 and is planning a 2.6.1 patch to address critical items.
The PR's claim that 2.6.0 is "more stable" than 2.5.1 is inaccurate. For maximum stability, the official guidance recommends pinning to 2.5.1 or waiting for 2.6.1 with critical fixes applied.
Keep torch==2.5.1 or explicitly upgrade to 2.6.1 once released and security advisories are resolved.
🤖 Prompt for AI Agents
In `@requirements.txt` at line 1, The requirements entry pins a vulnerable PyTorch
version "torch==2.6.0"; change this pin to a safe release by replacing
"torch==2.6.0" with "torch==2.5.1" for now (or with "torch==2.6.1" once the
upstream security/patch release is available), and ensure any CI or
dependency-lock files are updated to match the chosen pin to avoid deploying the
insecure 2.6.0 build.
|
I wasn’t aware of the reported CVEs and stability regressions in PyTorch 2.6.0, I upgraded the torch version to 2.9.1. |
prashantverma9302
changed the title
1 participant
Updated the Torch version from 2.5.1 to 2.6.0 i.e. a more stable version.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.