[None][chore] Update flashinfer-python from 0.6.11.post1 to 0.6.12rc1

[yihwang-nv]

Summary

• Bump flashinfer-python from 0.6.11.post1 to 0.6.12rc1
• 0.6.12rc1 is not yet published to PyPI, so requirements.txt pins to the GitHub tag via git+https://github.com/flashinfer-ai/flashinfer.git@v0.6.12rc1
• Updated version pins in requirements.txt, security_scanning/pyproject.toml, and ATTRIBUTIONS-Python.md
• security_scanning/poetry.lock intentionally left untouched (RC has no PyPI hashes); maintainers regenerate it separately

Test plan

• pip install -r requirements.txt installs successfully (requires building flashinfer from source)
• pytest tests/unittest/_torch/flashinfer/ -v
• pytest tests/unittest/_torch/attention/test_flashinfer_attention.py -v
• CI pre-merge passes

Summary by CodeRabbit

• Chores
  • Updated flashinfer-python dependency to v0.6.12rc1.

[yihwang-nv]

/bot run --disable-fail-fast --add-multi-gpu-test

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the flashinfer-python dependency from version 0.6.11.post1 to 0.6.12rc1 across three files: production requirements switch to a git-sourced installation, the security scanning configuration updates the pinned version, and the attribution document reflects the new version.

Changes

Dependency Version Upgrade

Layer / File(s)	Summary
Dependency version update requirements.txt, security_scanning/pyproject.toml, ATTRIBUTIONS-Python.md	flashinfer-python is upgraded to 0.6.12rc1 in production requirements (switching from PyPI-pinned to git-sourced at tag v0.6.12rc1), security scanning configuration (exact version pin), and attribution documentation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• NVIDIA/TensorRT-LLM#14076: Same dependency update pattern upgrading flashinfer-python across the same three files.
• NVIDIA/TensorRT-LLM#13992: Related version bump of flashinfer-python (0.6.10 → 0.6.11) across requirements, pyproject.toml, and attribution files.
• NVIDIA/TensorRT-LLM#13064: Coordinated flashinfer-python version pin update across the same set of configuration and documentation files.

Suggested reviewers

• wenmingw
• cascade812
• juney-nvidia

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating flashinfer-python from 0.6.11.post1 to 0.6.12rc1, with proper format including ticket reference and type label.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is comprehensive and addresses the template requirements effectively despite not using the exact template structure.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@requirements.txt`:
- Line 57: Replace the mutable tag in the requirements entry for
flashinfer-python with the full commit SHA to ensure reproducible installs:
locate the line containing "flashinfer-python @
git+https://github.com/flashinfer-ai/flashinfer.git@v0.6.12rc1#egg=flashinfer-python"
and change the ref after the @ to the immutable commit
"529e592e9d8c5677b25c3cb38358bbd4def6c6dd" so it reads the same URL but with
"`@529e592e9d8c5677b25c3cb38358bbd4def6c6dd`" instead of "`@v0.6.12rc1`".

In `@security_scanning/pyproject.toml`:
- Line 57: The pyproject pin for the dependency "flashinfer-python
(==0.6.12rc1)" is out of sync with the lockfile which still records
0.6.11.post1; regenerate or update the lockfile so both declare the same
version: either change the pyproject constraint to match the lockfile or run the
dependency manager's lock/update command to produce a poetry.lock that contains
flashinfer-python==0.6.12rc1, then commit the updated lockfile to ensure
scanners read consistent metadata.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fb28b5ac-7611-4a92-b5d3-88c272aa7e47

📥 Commits

Reviewing files that changed from the base of the PR and between 90694fe and b248761.

📒 Files selected for processing (3)

• ATTRIBUTIONS-Python.md
• requirements.txt
• security_scanning/pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current tag target and whether requirements.txt uses an immutable SHA.
set -euo pipefail

echo "Resolving flashinfer tag:"
git ls-remote https://github.com/flashinfer-ai/flashinfer.git refs/tags/v0.6.12rc1

echo
echo "Current flashinfer requirement line:"
rg -n '^flashinfer-python\s+@\s+git\+https://github.com/flashinfer-ai/flashinfer.git@' requirements.txt

Repository: NVIDIA/TensorRT-LLM

Length of output: 297

---

Pin flashinfer-python to an immutable commit SHA

requirements.txt currently pins flashinfer-python to the mutable tag @v0.6.12rc1 (tag currently points to 529e592e9d8c5677b25c3cb38358bbd4def6c6dd). Pin the full commit SHA for reproducibility and supply-chain integrity.

Suggested update

-flashinfer-python @ git+https://github.com/flashinfer-ai/flashinfer.git@v0.6.12rc1#egg=flashinfer-python
+flashinfer-python @ git+https://github.com/flashinfer-ai/flashinfer.git@529e592e9d8c5677b25c3cb38358bbd4def6c6dd#egg=flashinfer-python

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	flashinfer-python @ git+https://github.com/flashinfer-ai/flashinfer.git@v0.6.12rc1#egg=flashinfer-python
	flashinfer-python @ git+https://github.com/flashinfer-ai/flashinfer.git@529e592e9d8c5677b25c3cb38358bbd4def6c6dd#egg=flashinfer-python

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@requirements.txt` at line 57, Replace the mutable tag in the requirements
entry for flashinfer-python with the full commit SHA to ensure reproducible
installs: locate the line containing "flashinfer-python @
git+https://github.com/flashinfer-ai/flashinfer.git@v0.6.12rc1#egg=flashinfer-python"
and change the ref after the @ to the immutable commit
"529e592e9d8c5677b25c3cb38358bbd4def6c6dd" so it reads the same URL but with
"`@529e592e9d8c5677b25c3cb38358bbd4def6c6dd`" instead of "`@v0.6.12rc1`".

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify pyproject/lock mismatch for flashinfer-python in security_scanning inputs.
set -euo pipefail

echo "pyproject dependency:"
rg -n 'flashinfer-python' security_scanning/pyproject.toml

echo
echo "poetry.lock package stanza:"
rg -n -A6 -B2 'name = "flashinfer-python"' security_scanning/poetry.lock

Repository: NVIDIA/TensorRT-LLM

Length of output: 402

---

Align flashinfer-python version between security_scanning/pyproject.toml and security_scanning/poetry.lock

security_scanning/pyproject.toml pins "flashinfer-python (==0.6.12rc1)", while security_scanning/poetry.lock still lists flashinfer-python as 0.6.11.post1. Update/regenerate security_scanning/poetry.lock (or ensure the security scanner uses the same dependency source) to prevent stale version metadata during scans.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@security_scanning/pyproject.toml` at line 57, The pyproject pin for the
dependency "flashinfer-python (==0.6.12rc1)" is out of sync with the lockfile
which still records 0.6.11.post1; regenerate or update the lockfile so both
declare the same version: either change the pyproject constraint to match the
lockfile or run the dependency manager's lock/update command to produce a
poetry.lock that contains flashinfer-python==0.6.12rc1, then commit the updated
lockfile to ensure scanners read consistent metadata.

[tensorrt-cicd]

PR_Github #50142 [ run ] triggered by Bot. Commit: b248761 Link to invocation

[tensorrt-cicd]

PR_Github #50142 [ run ] completed with state SUCCESS. Commit: b248761
/LLM/main/L0_MergeRequest_PR pipeline #39692 completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

CI Agent Failure Analysis

Link to invocation

[yihwang-nv]

/bot run --disable-fail-fast --add-multi-gpu-test

[tensorrt-cicd]

PR_Github #50226 [ run ] triggered by Bot. Commit: b248761 Link to invocation