fix: upgrade vulnerable dependencies for security

glennko · glennko · commit 3037ab0de75d · 2025-09-19T15:56:09.000-04:00
CRITICAL SECURITY FIXES: - deepspeed: 0.9.5 -> >=0.15.1 (fixes CVE-2024-43497 RCE vulnerability) - transformers: 4.39.3 -> >=4.53.0 (fixes 12 vulnerabilities including ReDoS) - gradio: unpinned -> >=5.31.0 (fixes 35+ vulnerabilities including XSS, LFI) These vulnerabilities pose significant security risks: - Remote Code Execution (deepspeed) - Cross-Site Scripting attacks (gradio) - Local File Inclusion (gradio) - Regular Expression DoS attacks (transformers) Upgrading to latest secure versions to protect against exploitation.
diff --git a/pyproject.toml b/pyproject.toml
@@ -43,14 +43,15 @@ keywords = [
 dependencies = [
     "torch >= 1.9.0",
     "pytorch-lightning",
-    "transformers==4.39.3",
+    "transformers>=4.53.0",
     "datasets==2.14.5",
     "pyarrow >= 8.0.0, < 21.0.0",
+    "scipy >= 1.0.0",
     "evaluate==0.4.0",
     "bitsandbytes==0.41.1",
     "sentencepiece",
-    "deepspeed==0.9.5",
-    "gradio",
+    "deepspeed>=0.15.1",
+    "gradio>=5.31.0",
     "click",
     "wget",
     "ai21",
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -3,3 +3,4 @@ pytest
 autoflake
 absolufy-imports
 pyarrow >= 8.0.0, < 21.0.0
+scipy >= 1.0.0
