ci: Address cve and update packages (#1066)

thomasdhc · web-flow · commit 0bdf38cacee8 · 2025-09-18T10:38:29.000-04:00
* Address cve and update packages

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Attempt transformers pin to 4.55

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Move security dep to appropriate group

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Update vllm and transformers

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Downgrade transformers

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Break up CPU testing into multiple tests based on folder

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Fix typo

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Update pytest folder path

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

* Move security vuln to constraints

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;

---------

Signed-off-by: Dong Hyuk Chang &lt;donghyukc@nvidia.com&gt;
diff --git a/.github/workflows/cicd-main.yml b/.github/workflows/cicd-main.yml
@@ -124,9 +124,10 @@ jobs:
       matrix:
         os: [ubuntu-latest]
         python-version: ["3.10", "3.12"]
+        folder: ["backends", "core", "models", "pipelines", "stages", "tasks", "utils"]
     needs: [pre-flight, cicd-wait-in-queue]
     runs-on: ${{ matrix.os }}
-    name: L0_Unit_Test_CPU_python-${{ matrix.python-version }}
+    name: Unit_Test_${{ matrix.folder}}_CPU_python-${{ matrix.python-version }}
     environment: nemo-ci
     if: |
       (
@@ -149,18 +150,18 @@ jobs:
         uses: astral-sh/setup-uv@v6
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Run tests (CPU)
+      - name: Run tests ${{ matrix.folder }} (CPU)
         run: |
           uv sync --link-mode copy --locked --extra audio_cpu --extra text_cpu --extra video_cpu --group test
-          uv run coverage run --branch --source=nemo_curator -m pytest -v tests -m "not gpu"
+          uv run coverage run --branch --source=nemo_curator -m pytest -v tests/${{ matrix.folder }} -m "not gpu"
 
       - name: Generate report
         id: check
         shell: bash
         run: |
           uv run coverage xml
           uv run coverage report
-          coverage_report=coverage-unit-test-${{ github.run_id }}-$(uuidgen)
+          coverage_report=coverage-unit-test-${{ matrix.folder }}-${{ github.run_id }}-$(uuidgen)
           echo "$coverage_report"
           echo "coverage_report=$coverage_report" >> "$GITHUB_OUTPUT"
       - name: Upload artifacts
diff --git a/pyproject.toml b/pyproject.toml
@@ -52,7 +52,7 @@ dependencies = [
     "pyarrow",
     "ray[default,data]>=2.49",
     "torch",
-    "transformers==4.53.1",
+    "transformers==4.55.2",
 ]
 
 [project.optional-dependencies]
@@ -136,7 +136,7 @@ internvideo2 = [
     "torchaudio>=2.4.1",
     "torchvision>=0.19.1",
     "tqdm>=4.66.5",
-    "transformers==4.53.1",
+    "transformers==4.55.2",
     "wandb>=0.18.3",
 ]
 
@@ -158,7 +158,7 @@ video_cuda12 = [
     "PyNvVideoCodec==2.0.2; (platform_machine == 'x86_64' and platform_system != 'Darwin')",
     "torch<=2.8.0",
     "torchaudio",
-    "vllm==0.9.2; (platform_machine == 'x86_64' and platform_system != 'Darwin')",
+    "vllm==0.10.2; (platform_machine == 'x86_64' and platform_system != 'Darwin')",
 ]
 
 # All dependencies
@@ -181,12 +181,16 @@ test = [
     "pytest-loguru",
     "scikit-learn",
 ]
-dev = ["internvideo2-multi-modality; (platform_machine == 'x86_64' and sys_platform != 'darwin')"]
 
 [tool.uv]
 package = true
 default-groups = ["test"]
+index-strategy = "unsafe-best-match"
 no-build-isolation-package = ["flash-attn"]
+constraint-dependencies = [
+    "protobuf>=4.25.8", # Address CVE GHSA-8qvm-5x2c-j2w7
+    "xgrammar>=0.1.21", # Address CVE GHSA-5cmr-4px5-23pc
+]
 override-dependencies = [
     "apex; sys_platform == 'never'"
 ]
@@ -207,7 +211,6 @@ url = "https://download.pytorch.org/whl/cu128"
 explicit = true
 
 [tool.uv.sources]
-internvideo2-multi-modality = { git = "git+https://github.com/suiyoubi/InternVideo.git", subdirectory="InternVideo2/multi_modality", rev = "curator" }
 torch = [
     { index = "pytorch", marker = "platform_machine == 'x86_64' and sys_platform != 'darwin'" },
     { index = "pypi", marker = "platform_machine != 'x86_64' or sys_platform == 'darwin'" },
diff --git a/uv.lock b/uv.lock
