
(diskcache) dependency related Vulnerability scan issue CVE-2025-69872 #2101

@jacobcui

Description


Can we remove dependency of diskcache from pyproject.toml

We’re big fans of instructor and would love to adopt it widely across our projects.
Unfortunately, we’ve run into a small but critical blocker: our security scans flag the library because of its dependency on diskcache, which our security policy does not allow.

We don’t actually need or use diskcache as a cache backend—this is purely a dependency‑related security issue.

pyproject.toml lists diskcache as a dependency; however, it should only be needed when using diskcache as the cache backend. (Actually, _import_diskcache() only imports diskcache when requested, so diskcache is an optional package, not a default dependency of instructor.)

Background on the diskcache vulnerability (thanks to @benglewis, who reported the issue for diskcache: grantjenks/python-diskcache#357):

GHSA-w8v5-vhqr-4h9v
https://nvd.nist.gov/vuln/detail/CVE-2025-69872
https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69872-DiskCache-Pickle-Deserialization.md

It would be incredibly helpful if this dependency could be made optional and removed from pyproject.toml, so teams like ours can safely use instructor without security conflicts. (Make instructor independent of diskcache when running pip install instructor.)

Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file)