From 5698ac08fa00e93bb551164c30e50b638c3e1e1c Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Sun, 23 Nov 2025 21:56:45 +0200
Subject: [PATCH 1/4] Fix vulnerability in `cryptography`

Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 34e636b7..053c1eb6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,7 +27,7 @@ dependencies = [
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",
- "cryptography < 43.0.0",
+ "cryptography >= 44.0.1",
 "networkx >= 3.3",
 "omegaconf>=2.3.0",
 "leptonai>=0.25.0",

From 655cf309fec0eb7bf6a2fe8533a4aea2f2576590 Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Mon, 8 Dec 2025 00:03:23 +0200
Subject: [PATCH 2/4] Drop version restriction

This way users of the package can choose their own `cryptography` version. This should be safe since users that aren't installing `skypilot` can just install more recent versions and users of `skypilot` can add their own restriction to `cryptography`, but AFAIK, the built-in restriction to `pyopenssl` on `skypilot` should prevent any issues (I actually believe that that restriction itself is no longer relevant, [see here](https://github.com/skypilot-org/skypilot/pull/8070) )

Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 053c1eb6..058b4fe4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,7 +27,7 @@ dependencies = [
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",
- "cryptography >= 44.0.1",
+ "cryptography",
 "networkx >= 3.3",
 "omegaconf>=2.3.0",
 "leptonai>=0.25.0",

From 6f414aec1f40d7e0e337ae4dc8f7680344c92d57 Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Mon, 8 Dec 2025 13:07:46 +0200
Subject: [PATCH 3/4] Switch to `torchx` from GitHub (i.e. `main` branch) directly

This is necessary to use `urllib >= 2.6.0` to avoid vulnerabilities: CVE-2025-66471 and CVE-2025-66418
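Review bot: Dropping the constraint entirely in patch 2 (`+ "cryptography",`) also discards the `>= 44.0.1` floor that patch 1 introduced, so a resolver satisfying some other package's upper bound can again select exactly the releases patch 1 set out to exclude. A lower bound does not stop users from choosing newer releases, only older ones, so `"cryptography>=44.0.1",` achieves the stated goal without reopening the issue. Patch 1's subject says "Fix vulnerability" but neither its message nor the dependency line records which advisory motivated the floor; a trailing comment such as `"cryptography>=44.0.1",  # <advisory-id placeholder>: fixed in 44.0.1` keeps that reason next to the constraint for the next person tempted to loosen it. The `dependencies` array continues outside the hunk.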
Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index db4786c1..690acbf8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,7 +23,7 @@ dependencies = [
 "catalogue>=2.0.10",
 "fabric>=3.2.2",
 "fiddle>=0.3.0",
- "torchx>=0.7.0",
+ "torchx @ https://github.com/meta-pytorch/torchx",
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",

From e10b5150dfea7666a8504a151cbeaf34e53855b8 Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Mon, 8 Dec 2025 14:07:33 +0200
Subject: [PATCH 4/4] Fix missing `git+` prefix for `torchx` install

Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 690acbf8..38e131e6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,7 +23,7 @@ dependencies = [
 "catalogue>=2.0.10",
 "fabric>=3.2.2",
 "fiddle>=0.3.0",
- "torchx @ https://github.com/meta-pytorch/torchx",
+ "torchx @ git+https://github.com/meta-pytorch/torchx",
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",
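Review bot: The direct reference `torchx @ https://github.com/meta-pytorch/torchx` names no tag or commit, so every install resolves whatever the default branch holds at that moment: builds are not reproducible and the project has no say over which code it pulls in, and the corrected `git+` form in patch 4 has the same gap. Pin the reference to the commit that carries the needed change, `"torchx @ git+https://github.com/meta-pytorch/torchx@<commit-sha placeholder>",`, and switch back to a versioned requirement once a release contains it. PyPI rejects distributions whose `dependencies` include direct URL references, so if this package is published there the pin would have to live in an extra, a constraints file or a lock file rather than in this array. The description's `urllib >= 2.6.0` presumably means `urllib3`; nothing in the hunk constrains that package directly, so the fixed version is only reached transitively through whatever `torchx` happens to require. The `dependencies` array continues outside the hunk.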