From 847f7e1c1413a0e0f9d5061d02891766b78dba02 Mon Sep 17 00:00:00 2001 From: Charlie Truong Date: Fri, 26 Jun 2026 16:04:19 -0500 Subject: [PATCH] Bump dependencies for CVE (#15832) Signed-off-by: Charlie Truong Signed-off-by: NeMo Bot --- pyproject.toml | 4 +++- uv.lock | 31 +++++++++++++++++++------------ 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index ad7711a3d582..a53bd1c71e52 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -445,7 +445,8 @@ override-dependencies = [ "urllib3>=2.6.0", "opencv-python-headless; sys_platform == 'never'", "lxml>=6.1.0", - "gitpython>=3.1.50" + "gitpython>=3.1.50", + "mako>=1.3.12" ] no-binary-package = [ "causal-conv1d", @@ -476,6 +477,7 @@ torch = [ { index = "pypi", marker = "sys_platform == 'darwin'" }, ] transformer-engine = { git = "https://github.com/NVIDIA/TransformerEngine.git", tag = "v2.15" } +nltk = { git = "https://github.com/nltk/nltk.git", tag = "v3.10.0-rc1" } [[tool.uv.index]] name = "pypi" diff --git a/uv.lock b/uv.lock index a6be21cea190..866116dbeed6 100644 --- a/uv.lock +++ b/uv.lock @@ -46,6 +46,7 @@ overrides = [ { name = "cryptography", specifier = ">=46.0.5" }, { name = "gitpython", specifier = ">=3.1.50" }, { name = "lxml", specifier = ">=6.1.0" }, + { name = "mako", specifier = ">=1.3.12" }, { name = "mlflow", specifier = ">=3.9.0rc0" }, { name = "opencv-python-headless", marker = "sys_platform == 'never'" }, { name = "urllib3", specifier = ">=2.6.0" }, @@ -1898,6 +1899,15 @@ name = "deep-ep" version = "1.2.1+9af0e0d" source = { git = "https://github.com/deepseek-ai/DeepEP.git?tag=v1.2.1#9af0e0d0e74f3577af1979c9b9e1ac2cad0104ee" } +[[package]] +name = "defusedxml" +version = "0.7.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/0f/d5/c66da9b79e5bdb124974bfe172b4daf3c984ebd9c2a06e2b8a4dc7331c72/defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69", size = 75520, upload-time = "2021-03-08T10:59:26.269Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4/defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61", size = 25604, upload-time = "2021-03-08T10:59:24.45Z" }, +] + [[package]] name = "dill" version = "0.4.1" @@ -3243,14 +3253,14 @@ wheels = [ [[package]] name = "mako" -version = "1.3.11" +version = "1.3.12" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "markupsafe" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/59/8a/805404d0c0b9f3d7a326475ca008db57aea9c5c9f2e1e39ed0faa335571c/mako-1.3.11.tar.gz", hash = "sha256:071eb4ab4c5010443152255d77db7faa6ce5916f35226eb02dc34479b6858069", size = 399811, upload-time = "2026-04-14T20:19:51.493Z" } +sdist = { url = "https://files.pythonhosted.org/packages/00/62/791b31e69ae182791ec67f04850f2f062716bbd205483d63a215f3e062d3/mako-1.3.12.tar.gz", hash = "sha256:9f778e93289bd410bb35daadeb4fc66d95a746f0b75777b942088b7fd7af550a", size = 400219, upload-time = "2026-04-28T19:01:08.512Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/68/a5/19d7aaa7e433713ffe881df33705925a196afb9532efc8475d26593921a6/mako-1.3.11-py3-none-any.whl", hash = "sha256:e372c6e333cf004aa736a15f425087ec977e1fcbd2966aae7f17c8dc1da27a77", size = 78503, upload-time = "2026-04-14T20:19:53.233Z" }, + { url = "https://files.pythonhosted.org/packages/bc/b1/a0ec7a5a9db730a08daef1fdfb8090435b82465abbf758a596f0ea88727e/mako-1.3.12-py3-none-any.whl", hash = "sha256:8f61569480282dbf557145ce441e4ba888be453c30989f879f0d652e39f53ea9", size = 78521, upload-time = "2026-04-28T19:01:10.393Z" }, ] [[package]] @@ -4615,9 +4625,9 @@ requires-dist = [ { name = "nemo-text-processing", marker = "'aarch' not in platform_machine and 'arm' not in platform_machine and sys_platform != 'darwin' and extra == 'all'" }, { name = "nemo-text-processing", marker = "'aarch' not in platform_machine and 'arm' not in platform_machine and sys_platform != 'darwin' and extra == 'speechlm2'" }, { name = "nemo-text-processing", marker = "'aarch' not in platform_machine and 'arm' not in platform_machine and sys_platform != 'darwin' and extra == 'tts'" }, - { name = "nltk", marker = "extra == 'all'" }, - { name = "nltk", marker = "extra == 'speechlm2'" }, - { name = "nltk", marker = "extra == 'tts'" }, + { name = "nltk", marker = "extra == 'all'", git = "https://github.com/nltk/nltk.git?tag=v3.10.0-rc1" }, + { name = "nltk", marker = "extra == 'speechlm2'", git = "https://github.com/nltk/nltk.git?tag=v3.10.0-rc1" }, + { name = "nltk", marker = "extra == 'tts'", git = "https://github.com/nltk/nltk.git?tag=v3.10.0-rc1" }, { name = "numba", marker = "sys_platform == 'darwin'" }, { name = "numba-cuda", extras = ["cu12"], marker = "sys_platform != 'darwin' and extra == 'cu12'" }, { name = "numba-cuda", extras = ["cu13"], marker = "sys_platform != 'darwin' and extra == 'cu13'" }, @@ -4884,18 +4894,15 @@ wheels = [ [[package]] name = "nltk" -version = "3.9.4" -source = { registry = "https://pypi.org/simple" } +version = "3.10.0" +source = { git = "https://github.com/nltk/nltk.git?tag=v3.10.0-rc1#16a32d680d070254d5744e33fa83f9c0056d5a1f" } dependencies = [ { name = "click" }, + { name = "defusedxml" }, { name = "joblib" }, { name = "regex" }, { name = "tqdm" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/74/a1/b3b4adf15585a5bc4c357adde150c01ebeeb642173ded4d871e89468767c/nltk-3.9.4.tar.gz", hash = "sha256:ed03bc098a40481310320808b2db712d95d13ca65b27372f8a403949c8b523d0", size = 2946864, upload-time = "2026-03-24T06:13:40.641Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/9d/91/04e965f8e717ba0ab4bdca5c112deeab11c9e750d94c4d4602f050295d39/nltk-3.9.4-py3-none-any.whl", hash = "sha256:f2fa301c3a12718ce4a0e9305c5675299da5ad9e26068218b69d692fda84828f", size = 1552087, upload-time = "2026-03-24T06:13:38.47Z" }, -] [[package]] name = "numba"