
Is it possible to release a new PyPI package with upgraded torch and numpy versions to fix a vulnerability? #17

Open
@shlin168

Description


Hi adobe team,

The latest version of stringlifier on PyPI is v0.1.1.4, which still uses torch==1.6.0 and numpy==1.19.2. The last commit unleashed the version of torch, but it has not been packaged to PyPI.

We have no problem using the library, but there is a vulnerability in torch==1.6.0 (CVE-2022-45907). To fix it, we need to upgrade torch to 1.13.1 with the corresponding numpy version.

I have tried cloning the repo, changing requirements.txt to torch==1.13.1 and numpy==1.22.0, and then building it ourselves to fix the vulnerability, but I would like to ask 2 questions:

  1. Is it possible to release a new version to PyPI with upgraded torch and numpy? Then we would not need to build it ourselves.
  2. Are there any issues with upgrading both libraries?

Thanks!

BR,
Shandi
