Skip to content

fix(security): upgrade transformers 4.x → 5.8.1 (CVE remediation)#1372

Merged
kajalj22 merged 4 commits into
mainfrom
kajalj/transformers-5x
May 20, 2026
Merged

fix(security): upgrade transformers 4.x → 5.8.1 (CVE remediation)#1372
kajalj22 merged 4 commits into
mainfrom
kajalj/transformers-5x

Conversation

@kajalj22
Copy link
Copy Markdown
Contributor

@kajalj22 kajalj22 commented May 19, 2026
edited
Loading

Summary

  • transformers >=4.57.6 → >=5.8.1 (stirrup_agent/requirements.txt)
  • torch ==2.5.1 → ==2.12.0, torchvision ==0.20.1 → ==0.27.0 (wmt_translation/requirements.txt)
  • Migrate TRANSFORMERS_CACHEHF_HOME in nemo_gym/__init__.py (removed in transformers 5.0)
  • Remove setuptools<81 upper bound (was torch 2.5.1-specific)

Note: torch 2.12+ defaults to CUDA 13.0 wheels on PyPI.

🤖 Generated with Claude Code

@kajalj22 @claude
fix(security): upgrade transformers 4.x → 5.8.1 for CVE remediation
4d4f38c 
- Bump transformers>=5.8.1 in stirrup_agent/requirements.txt
- Migrate TRANSFORMERS_CACHE → HF_HOME in nemo_gym/__init__.py
  (TRANSFORMERS_CACHE was removed in transformers 5.0)

The transformers API surface used in this repo (AutoTokenizer,
apply_chat_template, encode) is stable across this major version
boundary. The stirrup_agent tokenizer loading already has try/except
fallbacks for version-specific kwargs like fix_mistral_regex.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: Kajal Jain <[email protected]>
@kajalj22 kajalj22 marked this pull request as draft May 19, 2026 22:52
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 19, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

kajalj22 and others added 2 commits May 19, 2026 17:58
@kajalj22 @claude
fix(security): upgrade torch 2.5.1 → 2.12.0 in wmt_translation (CVE)
eea73d0 
- torch==2.12.0, torchvision==0.27.0
- Remove setuptools <81 upper bound (was torch 2.5.1-specific)
- Note: torch 2.12+ defaults to CUDA 13.0 wheels; CUDA 12.x
  environments need a cu12-specific wheel index

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: Kajal Jain <[email protected]>
@kajalj22
Merge remote-tracking branch 'origin/main' into kajalj/transformers-5x
ef2e6d8
@kajalj22 kajalj22 marked this pull request as ready for review May 19, 2026 23:25
@kajalj22 kajalj22 requested review from ananthsub and bxyu-nvidia May 19, 2026 23:27
@kajalj22 kajalj22 enabled auto-merge (squash) May 20, 2026 20:36
@kajalj22 kajalj22 merged commit 97af59a into main May 20, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kh4L Kh4L Kh4L approved these changes

@thomasdhc thomasdhc thomasdhc approved these changes

@bxyu-nvidia bxyu-nvidia Awaiting requested review from bxyu-nvidia

@ananthsub ananthsub Awaiting requested review from ananthsub

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kajalj22 @Kh4L @thomasdhc