

@pakerimus pakerimus commented Nov 21, 2025

Change Description

This PR upgrades the vulnerable package transformers to 4.53.0.
According to uv-secure:

┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ Package         ┃ Version       ┃ Vulnerability ID          ┃ Fix Versions   ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ transformers    │ 4.51.3        │ GHSA-phhr-52qp-3mj4       │ 4.52.1         │
│ transformers    │ 4.51.3        │ GHSA-37mw-44qp-f5jm       │ 4.52.1         │
│ transformers    │ 4.51.3        │ GHSA-9356-575x-2w9m       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-59p9-h35m-wg4g       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-rcv9-qm8p-9p6j       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-4w7r-h757-3r74       │ 4.53.0         │
└─────────────────┴───────────────┴───────────────────────────┴────────────────┘ 

This required bumping the version of optimum and optimum[onnxruntime] to 1.27.0.

After pre-commit check failures, Claude fixed it for me:

  Fixed Type Errors

  1. transformers_recognizer.py (lines 142-143)

  - Issue: Type mismatch between "ner" task and the expected "zero-shot-object-detection" literal type
  - Fix: Added # type: ignore[arg-type] comments to suppress the type checker error since this is a valid use case with dynamic string types from the transformers library

  2. relevance.py (line 99)

  - Issue: model.onnx_revision is str | None but from_pretrained() expects str
  - Fix: Build the kwargs dictionary conditionally, only adding the revision parameter when it's not None

  3. util.py (line 228)

  - Issue: Invalid escape sequence \* in non-raw string literal
  - Fix: Changed "([^\*]+)" to r"([^\*]+)" to use a raw string

Issue reference

No issue was detected with this

Checklist

  • I have reviewed the contribution guidelines
  • My code includes unit tests
  • All unit tests and lint checks pass locally
  • My PR contains documentation updates / additions if required
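The table above is what drives the choice of 4.53.0 rather than the 4.52.1 that two of the advisories would already accept. The following is an added example, not code from this PR, from the project, or from uv-secure: it parses a uv-secure table like the one in the description, reports the lowest version that clears every listed advisory, and shows which advisory IDs a partial bump would leave open. It assumes the box-drawing layout shown above (data rows start with a light vertical bar), that a cell listing several fix versions is comma-separated, and that versions are plain dotted numbers; the table is embedded inline as constructed sample input.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample input: the uv-secure table reproduced from the PR description.
UV_SECURE_OUTPUT = """\
┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ Package         ┃ Version       ┃ Vulnerability ID          ┃ Fix Versions   ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ transformers    │ 4.51.3        │ GHSA-phhr-52qp-3mj4       │ 4.52.1         │
│ transformers    │ 4.51.3        │ GHSA-37mw-44qp-f5jm       │ 4.52.1         │
│ transformers    │ 4.51.3        │ GHSA-9356-575x-2w9m       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-59p9-h35m-wg4g       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-rcv9-qm8p-9p6j       │ 4.53.0         │
│ transformers    │ 4.51.3        │ GHSA-4w7r-h757-3r74       │ 4.53.0         │
└─────────────────┴───────────────┴───────────────────────────┴────────────────┘
"""

# Assumption: only plain dotted release numbers appear; pre-release tags are rejected.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.53.0' into (4, 53, 0) so versions compare numerically, not as strings."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_uv_secure_table(output: str) -> List[Dict[str, Any]]:
    """Extract data rows from a uv-secure table (layout assumed as in the sample above).

    Data rows start with the light vertical bar; the heavy-bar header and the
    borders are skipped. A fix-versions cell naming several versions is assumed
    to be comma-separated.
    """
    rows: List[Dict[str, Any]] = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue
        cells = [cell.strip() for cell in line.strip("│").split("│")]
        if len(cells) != 4:
            continue
        package, installed, advisory, fixes = cells
        rows.append({
            "package": package,
            "installed": installed,
            "advisory": advisory,
            "fix_versions": [f.strip() for f in fixes.split(",") if f.strip()],
        })
    return rows


def unresolved_advisories(rows: List[Dict[str, Any]], package: str, candidate: str) -> List[str]:
    """Advisory IDs for `package` that pinning to `candidate` would still leave open.

    Simplification: the table carries no affected-version ranges, so an advisory
    is treated as cleared once the candidate is at or above any of its fix versions.
    """
    cand = parse_version(candidate)
    still_open: List[str] = []
    for row in rows:
        if row["package"] != package:
            continue
        if not any(cand >= parse_version(v) for v in row["fix_versions"]):
            still_open.append(row["advisory"])
    return still_open


def minimum_fixed_version(rows: List[Dict[str, Any]], package: str) -> str:
    """Lowest version clearing every listed advisory for `package`.

    Take the lowest fix version of each advisory, then the highest of those
    across advisories: every advisory must be satisfied at once.
    """
    per_advisory = [
        min(row["fix_versions"], key=parse_version)
        for row in rows
        if row["package"] == package and row["fix_versions"]
    ]
    if not per_advisory:
        raise ValueError(f"no advisories listed for {package}")
    return max(per_advisory, key=parse_version)


if __name__ == "__main__":
    rows = parse_uv_secure_table(UV_SECURE_OUTPUT)
    target = minimum_fixed_version(rows, "transformers")
    print(f"pin transformers>={target}")
    for candidate in ("4.52.1", target):
        print(candidate, "leaves open:", unresolved_advisories(rows, "transformers", candidate))
```

Running it prints the 4.53.0 pin and shows that stopping at 4.52.1 would close only the first two advisories while leaving the other four open, which is the check worth repeating whenever a scanner lists several advisories with different fix versions for one package.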

@pakerimus pakerimus requested a review from asofter as a code owner November 21, 2025 05:06
@pakerimus pakerimus marked this pull request as draft November 21, 2025 05:12
@pakerimus pakerimus changed the title upgraded vulnerable transformers package Upgrade package transformers due to vulnerability Nov 22, 2025
@pakerimus pakerimus marked this pull request as ready for review November 24, 2025 23:06

Riddhikshah21 commented Jan 5, 2026

@pakerimus any updates on when this ticket will be resolved? Thank you!

@pakerimus
Author

@Riddhikshah21 it doesn't depend on me, we need @asofter to review and merge
