aglinxinyuan opened a new pull request, #6265:
URL: https://github.com/apache/texera/pull/6265

   ### What changes were proposed in this PR?
   
   Backport of #6219 to `release/v1.2`.
   
   On `release/v1.2`, **both** torch pins in `amber/operator-requirements.txt` 
are at `2.12.0` — the top of the **CVE-2025-3000** / 
[GHSA-rrmf-rvhw-rf47](https://github.com/advisories/GHSA-rrmf-rvhw-rf47) 
affected range (`torch.jit.script` memory corruption; CVSS 5.3, `<= 2.12.0`, no 
upstream patched version). (On `main` only the non-Linux line was in range, 
since its Linux line had already moved to `2.12.1+cpu`.)
   
   | Line | Before | After |
   | --- | --- | --- |
   | Linux x86_64 (CPU wheel) | `2.12.0+cpu` | `2.12.1+cpu` |
   | macOS / Windows / other | `2.12.0` | `2.12.1` |
   | `amber/LICENSE-binary-python` | `torch==2.12.0` | `torch==2.12.1` |
   
   Because the advisory's upper bound is `2.12.0`, moving to `2.12.1` takes 
both platforms out of range and clears the Dependabot alert on the release line.
   
   Notes:
   - `2.12.1` ships the same cp312 wheel matrix as `2.12.0` (`win_amd64`, 
`macosx_*_arm64`, Linux CPU) — a patch-level move with no platform-coverage 
change.
   - `amber/LICENSE-binary-python` is bumped in lock-step so the binary-license 
check stays in sync (no drift).
   - `torch.jit.script` is never called in Texera; `torch` is only a transitive 
runtime dependency of `transformers` (the HuggingFace operators), so the 
vulnerable path is unreachable — this is dependency hygiene to clear the alert.
   
   ### Any related issues, documentation, discussions?
   
   Backport of #6219 (main). Original issue: #6218.
   
   Advisory: 
[GHSA-rrmf-rvhw-rf47](https://github.com/advisories/GHSA-rrmf-rvhw-rf47) / 
[CVE-2025-3000](https://nvd.nist.gov/vuln/detail/CVE-2025-3000).
   
   ### How was this PR tested?
   
   Dependency-only change; no code paths are altered. Verified:
   
   - `torch==2.12.1` / `2.12.1+cpu` cp312 wheels exist for `win_amd64`, 
`macosx_*_arm64`, and the PyTorch Linux CPU index (same matrix as `2.12.0`), so 
both pins stay installable on `release/v1.2`.
   - `2.12.1 > 2.12.0`, so both lines exit the CVE-2025-3000 `<= 2.12.0` 
affected range.
   - `amber/LICENSE-binary-python` bumped to `torch==2.12.1` in the same 
commit, keeping the `build / pyamber` binary-license check green.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Opus 4.8 [1M context])
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to