[Snyk] Security upgrade torch from 1.13.1 to 2.2.0

[glenn-jocher]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Read

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

Bumps the minimum PyTorch dependency to torch>=2.2.0 to address a Snyk-reported security upgrade 🔒⚙️

📊 Key Changes

• Updated requirements.txt to raise the minimum supported Torch version from >=1.8.0 to >=2.2.0.

🎯 Purpose & Impact

• Improves security posture by moving off older Torch versions flagged by dependency scanning 🛡️
• May require users/environments pinned to older PyTorch (or older CUDA wheels) to update their stack; could surface compatibility issues on legacy systems 🧩

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting a ultralytics/yolov3 🚀 PR! To ensure a seamless integration of your work, please review the following checklist:

• ✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
• ✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov3 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
• ✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
• ✅ Update Documentation: Update the relevant documentation for any new or modified features.
• ✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
• ✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
• ✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. This is an automated message 🤖—an engineer will assist shortly. Don’t hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

[UltralyticsAssistant]

🔍 PR Review

_{Made with ❤️ by Ultralytics Actions}

Clean, minimal change, but the new torch>=2.2.0 constraint introduces a high-likelihood compatibility issue with the existing torchvision>=0.9.0 requirement. Update torchvision (or pin compatible pairs) to avoid broken installs/resolution failures.

💬 Posted 1 inline comment

[UltralyticsAssistant]

⚠️ HIGH: Raising torch to >=2.2.0 likely breaks dependency compatibility because torchvision>=0.9.0 (still in this file) is not compatible with Torch 2.2.x. This can lead to resolver conflicts or runtime import errors (ABI/ops mismatch). Please bump torchvision to a version compatible with Torch 2.2 (or pin the Torch+Torchvision pair) to keep installs reproducible.