Bump minimum torch version from 2.3 to 2.8 to address GHSA-887c-mr87-cxwp#2252

Open

JacopoPan wants to merge 1 commit into DLR-RM:master from JacopoPan:fix/pip-torch-cve-2025-3730

Conversation

@JacopoPan
Contributor

@JacopoPan JacopoPan commented May 8, 2026

Description

Dependabot raised transitive dependency alerts in repos depending on SB3 because of GHSA-887c-mr87-cxwp.

Motivation and Context

Closes #2250

  • I have raised an issue to propose this change (required for new features and bug fixes)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation (update in the documentation)

Checklist

  • I've read the CONTRIBUTION guide (required)
  • I have updated the changelog accordingly (docs/misc/changelog.md) (required).
  • My change requires a change to the documentation.
  • I have updated the tests accordingly (required for a bug fix or a new feature).
  • I have updated the documentation accordingly.
  • I have opened an associated PR on the SB3-Contrib repository (if necessary)
  • I have opened an associated PR on the RL-Zoo3 repository (if necessary)
  • I have reformatted the code using make format (required)
  • I have checked the codestyle using make check-codestyle and make lint (required)
  • I have ensured make pytest and make type both pass. (required)
  • I have checked that the documentation builds using make doc (required)

@JacopoPan
Contributor Author

JacopoPan commented May 8, 2026

@araffin

As mentioned in #2250, I have simply bumped pytorch from 2.3 to 2.8 to address GHSA-887c-mr87-cxwp.

However, I noted that in

channels:
- pytorch
- conda-forge
dependencies:
- cpuonly=1.0=0
- pip=24.2
- python=3.11
- pytorch=2.5.0=py3.11_cpu_0

the pytorch channel is used (with its package-specific naming on line 9), but it only contains packages up to version 2.5.1, while newer versions are in the main and conda-forge channels.

I removed the pytorch channel to use version 2.9.1 from conda-forge, as in the CI:

uv pip install --system torch==2.9.1+cpu --index https://download.pytorch.org/whl/cpu

But I don't know whether you might want to handle it differently.
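The mismatch the comment describes, a raised minimum in the package metadata while a conda environment file and a CI install command still carry their own pins, is easy to miss by eye and easy to check mechanically. The script below is an added example, not code from this PR or from the Stable-Baselines3 project: the requirement list, environment file and CI command are constructed to mirror the comment, and the function names and the pip-to-conda name mapping are my own assumptions.

```python
import re

# Constructed sample inputs that mirror the PR comment; the project's real
# files, names and contents may differ.
SETUP_REQUIRES = ["numpy>=1.20", "torch>=2.8,<3.0", "gymnasium>=0.29"]

CONDA_ENV_YML = """\
channels:
- pytorch
- conda-forge
dependencies:
- cpuonly=1.0=0
- pip=24.2
- python=3.11
- pytorch=2.5.0=py3.11_cpu_0
"""

CI_INSTALL_CMD = (
    "uv pip install --system torch==2.9.1+cpu "
    "--index https://download.pytorch.org/whl/cpu"
)

# PyPI name -> conda package name (assumed mapping; only torch is needed here).
CONDA_NAMES = {"torch": "pytorch"}


def parse_version(text):
    """'2.9.1+cpu' -> (2, 9, 1); a '+cpu' local label is dropped before comparing."""
    public = text.split("+", 1)[0]
    return tuple(int(part) for part in public.split("."))


def minimum_from_requirements(requires, name):
    """Lower bound from the first '>=' clause of the requirement for `name`, or None."""
    for req in requires:
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
        if not m or m.group(1).lower() != name:
            continue
        for clause in m.group(2).split(","):
            clause = clause.strip()
            if clause.startswith(">="):
                return parse_version(clause[2:].strip())
    return None


def conda_pin(yml, conda_name):
    """Version from a 'name=version[=build]' line of a conda environment file."""
    for line in yml.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        parts = line[2:].split("=")
        # A bare '- pytorch' under 'channels:' has no '=' and is skipped.
        if parts[0] == conda_name and len(parts) >= 2:
            return parse_version(parts[1])
    return None


def pip_pin_from_command(cmd, name):
    """Version from a 'name==version' token in a pip/uv install command."""
    m = re.search(r"\b%s==([0-9][0-9A-Za-z.+]*)" % re.escape(name), cmd)
    return parse_version(m.group(1)) if m else None


def check_pins(requires, yml, ci_cmd, name="torch"):
    """Return (minimum, {source: (pinned_version, meets_minimum)})."""
    minimum = minimum_from_requirements(requires, name)
    pins = {
        "conda_env": conda_pin(yml, CONDA_NAMES.get(name, name)),
        "ci_install": pip_pin_from_command(ci_cmd, name),
    }
    findings = {}
    for source, pinned in pins.items():
        ok = pinned is not None and (minimum is None or pinned >= minimum)
        findings[source] = (pinned, ok)
    return minimum, findings


if __name__ == "__main__":
    minimum, findings = check_pins(SETUP_REQUIRES, CONDA_ENV_YML, CI_INSTALL_CMD)
    print("declared minimum:", minimum)
    for source, (pinned, ok) in findings.items():
        print("%-11s pinned %-10s %s" % (source, pinned, "ok" if ok else "BELOW MINIMUM"))
```

Run against the constructed inputs, the conda environment pin (2.5.0) is reported as below the declared minimum of 2.8 while the CI pin (2.9.1) passes; wiring a check like this into CI makes a stale pin fail the build instead of surfacing later as a dependency alert.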

@JacopoPan JacopoPan marked this pull request as ready for review May 8, 2026 17:54
@araffin araffin added the "Maintainers on vacation" label May 11, 2026

Development

Successfully merging this pull request may close these issues.

[Question] Update minimum Torch requirement to avoid "Improper Resource Shutdown" (CVE-2025-3730)
