[3PRe] [Thorough review needed] Fix vulnerability- pypi/upgrade transformers reference from 3.4.0-transitional (vuln) to 4.41.2 (less vuln)

Catherine Balajadia · facebook-github-bot · commit 53ced6432886 · 2025-03-18T12:31:01.000-07:00
Summary: The 3P Library Vulnerability Remediation Team is dedicated to remediating high-risk external libraries at Meta using both manual and automated processes. Older versions of this library have been identified as risky, and this diff stack is intended to upgrade the library to a recommended version. ----------- We kindly request your help with the diff review. Please commandeer this diff stack if specific merges need to be added or if there are any build or dependency failures. ----------- General change: 1. Update library reference to old library to newer version in bzl 2. Update import reference to old library to the newer version in actual codes ________________ TPMS: https://fburl.com/third_party_metadata/e12wxl9w Vulnerability Information: CVE-2023-2800 ( cvss3=4.7 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2023-2800 CVE-2023-6730 ( cvss3=8.8 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2023-6730 CVE-2023-7018 ( cvss3=7.8 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2023-7018 CVE-2024-11392 ( cvss3=8.8 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2024-11392 CVE-2024-11393 ( cvss3=8.8 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2024-11393 CVE-2024-11394 ( cvss3=8.8 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2024-11394 CVE-2024-3568 ( cvss3=3.4 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/CVE-2024-3568 SNYK-PYTHON-TRANSFORMERS-3092483 ( cvss3=5.4 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/SNYK-PYTHON-TRANSFORMERS-3092483 SNYK-PYTHON-TRANSFORMERS-6220003 ( cvss3=6.5 ) https://www.internalfb.com/intern/vulnerability_management/vulnerabilities/SNYK-PYTHON-TRANSFORMERS-6220003 Reviewed By: ebsmothers Differential Revision: D71058400 fbshipit-source-id: 77a291aea93f46340ce2dc1e4b8e8845c377f3f5
diff --git a/mmf/modules/hf_layers.py b/mmf/modules/hf_layers.py
@@ -8,7 +8,8 @@
 from torch import nn, Tensor
 
 try:
-    from transformers3.modeling_bert import (
+    from transformers.modeling_utils import PreTrainedModel
+    from transformers.models.bert.modeling_bert import (
         BertAttention,
         BertEmbeddings,
         BertEncoder,
@@ -18,17 +19,17 @@
         BertSelfAttention,
         BertSelfOutput,
     )
-    from transformers3.modeling_roberta import (
+    from transformers.models.roberta.modeling_roberta import (
         RobertaAttention,
         RobertaEmbeddings,
         RobertaEncoder,
         RobertaLayer,
         RobertaModel,
         RobertaSelfAttention,
     )
-    from transformers3.modeling_utils import PreTrainedModel
 except ImportError:
-    from transformers.modeling_bert import (
+    from transformers.modeling_utils import PreTrainedModel
+    from transformers.models.bert.modeling_bert import (
         BertAttention,
         BertEmbeddings,
         BertEncoder,
@@ -38,15 +39,14 @@
         BertSelfAttention,
         BertSelfOutput,
     )
-    from transformers.modeling_roberta import (
+    from transformers.models.roberta.modeling_roberta import (
         RobertaAttention,
         RobertaEmbeddings,
         RobertaEncoder,
         RobertaLayer,
         RobertaModel,
         RobertaSelfAttention,
     )
-    from transformers.modeling_utils import PreTrainedModel
 
 
 patch_functions = [
