[pre-commit.ci] pre-commit autoupdate#191

Open
pre-commit-ci[bot] wants to merge 1 commit into
mainfrom
pre-commit-ci-update-config

Conversation


@pre-commit-ci pre-commit-ci Bot commented Jun 15, 2026


@amrit110 (Member) commented:

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---|---|---|---|
| torch | 2.11.0 | CVE-2025-3000 / GHSA-rrmf-rvhw-rf47 | No fix available on PyPI |

Why this cannot be auto-fixed

CVE-2025-3000 is a critical memory corruption vulnerability in torch.jit.script. According to the OSV advisory, all versions up to and including the latest release (2.12.0) are still affected (last_affected: 2.12.0). A fix requires the upstream PyTorch maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the GHSA-rrmf-rvhw-rf47 advisory for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 (Member) commented:

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---|---|---|---|
| torch | 2.11.0 | CVE-2025-3000 | No fix version listed by pip-audit |

Why this cannot be auto-fixed

The vulnerability CVE-2025-3000 affects torch.jit.script and was found in PyTorch 2.6.0 (memory corruption). pip-audit reports this for torch 2.11.0 but lists no fix version in its output. The OSV advisory (CVE-2025-3000) uses a GIT commit range rather than a PyPI version range, which means there is no clearly identified patched PyPI release that resolves this vulnerability.

Recommended next steps

  1. Monitor the vulnerability advisory for a patch release on PyPI
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced or if the usage of torch.jit.script can be avoided

This PR will not be auto-merged until the vulnerability is resolved.
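The two comments above turn on one question: does the OSV advisory carry a PyPI version range with a `fixed` event, only a `last_affected` bound, or just a GIT commit range? The following is an added example (not aieng-bot's, pip-audit's or OSV's code) that applies that decision to advisories in OSV-schema shape. The three advisories embedded in it are constructed for illustration and are not the real GHSA-rrmf-rvhw-rf47 data; the field names (`affected`, `package.ecosystem`, `ranges[].type`, `events[].introduced/fixed/last_affected`) follow the public OSV schema.

```python
"""Decide from an OSV-shaped advisory whether a PyPI package has a patched release.

Added example; not code from aieng-bot, pip-audit or OSV. Advisory data below is
constructed in OSV-schema shape for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '2.12.0' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class FixStatus:
    # None when the advisory gives no PyPI version range to evaluate against
    affected: Optional[bool]
    fix_version: Optional[str]  # patched PyPI release, if the advisory names one
    reason: str


def classify(advisory: dict, package: str, installed: str) -> FixStatus:
    """Evaluate the installed version against the advisory's PyPI ranges.

    OSV semantics: a range is [introduced, fixed) when a 'fixed' event exists,
    or [introduced, last_affected] when only 'last_affected' is given. GIT ranges
    identify commits, not PyPI releases, so they cannot yield a fix version.
    """
    inst = parse_version(installed)
    saw_git_range = False
    saw_version_range = False
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or pkg.get("name") != package:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "GIT":
                saw_git_range = True
                continue
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue
            saw_version_range = True
            introduced = fixed = last_affected = None
            for event in rng.get("events", []):
                introduced = event.get("introduced", introduced)
                fixed = event.get("fixed", fixed)
                last_affected = event.get("last_affected", last_affected)
            if introduced is None:
                continue
            in_range = inst >= parse_version(introduced)
            if fixed is not None:
                in_range = in_range and inst < parse_version(fixed)
            if last_affected is not None:
                in_range = in_range and inst <= parse_version(last_affected)
            if in_range:
                if fixed is not None:
                    return FixStatus(True, fixed, "fix-version-listed")
                return FixStatus(True, None, "last-affected-only")
    if saw_version_range:
        return FixStatus(False, None, "not-affected")
    if saw_git_range:
        return FixStatus(None, None, "git-range-only")
    return FixStatus(False, None, "package-not-listed")


# Constructed advisories (placeholder ids and repo URL; not real advisory data).
ADVISORY_GIT_ONLY = {
    "id": "EXAMPLE-GIT-ONLY",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "torch"},
        "ranges": [{"type": "GIT", "repo": "https://example.invalid/placeholder",
                    "events": [{"introduced": "0" * 40}]}],
    }],
}
ADVISORY_LAST_AFFECTED = {
    "id": "EXAMPLE-LAST-AFFECTED",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "torch"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"last_affected": "2.12.0"}]}],
    }],
}
ADVISORY_FIXED = {
    "id": "EXAMPLE-FIXED",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "torch"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.13.0"}]}],
    }],
}

if __name__ == "__main__":
    for adv in (ADVISORY_GIT_ONLY, ADVISORY_LAST_AFFECTED, ADVISORY_FIXED):
        print(adv["id"], classify(adv, "torch", "2.11.0"))
```

Only the `fix-version-listed` outcome gives a bot a PyPI release it can pin to; `last-affected-only` and `git-range-only` are the two cases the comments above describe, where the package stays flagged until a new release appears in the advisory's ECOSYSTEM range.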

pre-commit-ci[bot] force-pushed the pre-commit-ci-update-config branch from f75bb73 to a24cd3a on June 22, 2026 19:51
updates:
- [github.com/astral-sh/ruff-pre-commit: v0.15.16 → v0.15.20](astral-sh/ruff-pre-commit@v0.15.16...v0.15.20)
pre-commit-ci[bot] force-pushed the pre-commit-ci-update-config branch from a24cd3a to bd8f0e9 on June 29, 2026 19:45