chore(deps): sweep visual-retrieval-colpali deps (fixes accelerate CVE-2025-14925)

[odosk]

⚠️ This PR was created by an AI assistant (Claude). Please review all changes carefully before merging.

Once approved, please merge it — this is an automated dependency-update PR and merging is the final step that closes out the linked Mend/Jira findings.

Replaces the closed #1909 (rebase-unmerged after 18 days; see R7a in the security-workflow skill). The branch was 76 commits behind master; this PR opens from a fresh main with the latest dep landscape.

Summary

Full flat-pin sweep on visual-retrieval-colpali/src/legacy-requirements.txt via bump_requirements.py (125 packages updated). The CVE-relevant bumps:

• accelerate: 0.34.2 → 1.13.0 — clears CVE-2025-14925 (HuggingFace Accelerate deserialization RCE).
• transformers: 5.0.0 → 5.9.0 — clears CVE-2025-14920 (firstPatched: 5.0.0rc3) and CVE-2026-4372 (no longer present at ≥5.0.0 per OSV.dev).
• torch: 2.11.0 → 2.12.0
• colpali-engine: 0.3.1 → 0.3.16 (no Mend CVE on this directly; bumped for resolver coherence)
• vidore-benchmark: 4.0.0 → 5.0.0

Changed Files

visual-retrieval-colpali/src/legacy-requirements.txt — 125 pin updates via the bump_requirements.py helper.

hypencoder/requirements.txt is intentionally untouched. Its dep set is expressed as range constraints, not exact pins, and is documented as needing a hard upstream cap (transformers<5) for Hypencoder checkpoint compat. See Cannot fix below.

CVEs Addressed

Verified against OSV.dev / NVD:

Package	CVE(s)	Severity	Fix version reached
accelerate (visual-retrieval-colpali)	CVE-2025-14925	HIGH	1.13.0
transformers (visual-retrieval-colpali)	CVE-2025-14920	HIGH	5.9.0 (≥5.0.0rc3)
transformers (visual-retrieval-colpali)	CVE-2026-4372	HIGH	5.9.0 (not present in OSV at ≥5.0.0)

⚠️ Cannot fix in this PR

Project	Package	CVE	Reason
hypencoder/	transformers @ 4.57.6 (constraint >=4.45,<5)	CVE-2025-14920	The Hypencoder checkpoints' saved config triggers a meta-device path in transformers ≥5 that .from_pretrained() rejects. Constraint documented inline in hypencoder/requirements.txt. Lifting it would require a checkpoint or upstream Hypencoder fix — out of scope.

⚠️ Likely false positives — please report to Mend

Mend's snapshot of visual-retrieval-colpali/src/legacy-requirements.txt is stale — it lists three pillow CVEs against pillow-10.4.0, but the file on current master pins pillow==12.2.0 (since prior sweeps), and 12.2.0 patches all three:

Mend artifact	Why this is incorrect (summary)
pillow-10.4.0 in visual-retrieval-colpali/src/legacy-requirements.txt (CVE-2026-40192, -42311, -25990)	Lockfile on master pins pillow==12.2.0; 12.2.0 patches all three CVEs per OSV. Mend's project snapshot is stale on this file.

h3. Likely false positive: CVE-2026-40192 / CVE-2026-42311 / CVE-2026-25990 in pillow

*TL;DR:* Mend's snapshot for vespa-engine/sample-apps is stale on
visual-retrieval-colpali/src/legacy-requirements.txt — `pillow==12.2.0`
pinned on master patches all three CVEs per OSV.

h4. Mend identifiers
- *Org:* Vespa.ai
- *Application:* GH_sample-apps
- *Project:* GH_sample-apps_master
- *Finding IDs:* (not exposed in the Jira table)

h4. CVE / library
- *CVE:* CVE-2026-40192, CVE-2026-42311, CVE-2026-25990
- *Library reported by Mend:* pillow-10.4.0
- *Mend's classification:* Transitive (via pdf2image / matplotlib / colpali_engine / sentence_transformers / vidore_benchmark)
- *Source file path Mend cites:* /tmp/mend-scm/sample-apps/visual-retrieval-colpali/src/legacy-requirements.txt

h4. Why this is incorrect
The legacy-requirements.txt on the latest master of vespa-engine/sample-apps pins `pillow==12.2.0`, not 10.4.0. CVE-2026-40192 and CVE-2026-42311 are fixed in pillow 12.2.0 (GHSA-whj4-6x5x-4v2j, GHSA-pwv6-vv43-88gr); CVE-2026-25990 is fixed in pillow 12.1.1 (GHSA-cfh3-3jmp-rvhc). The current pin therefore patches all three.

h4. Evidence
- legacy-requirements.txt on origin/master: `pillow==12.2.0`.
- OSV.dev confirmation for pillow 12.0.0:
  curl -s -X POST https://api.osv.dev/v1/query \
    -H "Content-Type: application/json" \
    -d '{"package":{"name":"pillow","ecosystem":"PyPI"},"version":"12.0.0"}'
  Returns CVE-2026-40192 (fix 12.2.0), CVE-2026-42311 (fix 12.2.0),
  CVE-2026-25990 (fix 12.1.1).

h4. Suggested improvement
Trigger a fresh scan of GH_sample-apps_master against the current head; the Mend "Modified" timestamps on these rows (2026-05-22) pre-date the prior pillow-bump sweep.

h4. Resolution path
- *Preferred:* File a Mend support ticket with this block — request a fresh scan of GH_sample-apps_master.
- *Fallback:* Suppress in Mend with reference VESPANG-3395.

*Last verified:* 2026-05-25 by Claude (security-workflow skill).

Implementation Notes

• The flat-pin file legacy-requirements.txt was bumped directly; this is how the repo treats it (it's installed via pip install -r legacy-requirements.txt, bypassing the pyproject resolver). The header comment # This file was autogenerated by uv via the following command is no longer accurate — the file diverges from what uv pip compile pyproject.toml would produce because the pyproject's hard pins (transformers==5.0.0, colpali-engine==0.3.1, uvicorn==0.38.0) are stale. This is pre-existing repo state, not introduced here.
• Pyproject left unchanged so this PR's scope stays narrow (a separate cleanup PR could realign pyproject ↔ legacy-requirements.txt; not in scope for a CVE-fix sweep).

Verification

• bump_requirements.py reports 125 bumped, 0 errors.
• OSV.dev confirms accelerate ≥1.13.0 has no known CVEs; transformers ≥5.0.0 patches CVE-2025-14920.
• grep '^accelerate==' visual-retrieval-colpali/src/legacy-requirements.txt → accelerate==1.13.0.
• Local test run skipped — visual-retrieval-colpali is a sample app needing GPU + Vespa Cloud token + pdf-rendering toolchain unavailable here. The legacy-requirements.txt is a flat pin file; install-validation would only verify pip's ability to fetch the pinned wheels.
• Linked Jira: VESPANG-3395.

🤖 Generated with Claude Code (security-workflow skill)

[odosk]

Rebased onto latest master and re-ran the flat-pin sweep — the prior head (6acd221) had drifted 4 days behind and conflicted on starlette (Renovate's CVE bump 0.49.1 → 1.0.1 landed on master after approval). Reset the branch and regenerated produces 126 bumps, no downgrades, no added/removed packages; CVE coverage on this file is unchanged. The new head still reads MERGEABLE + APPROVED, so it looks like branch protection kept the approval intact — should be good to merge once CI clears.

— posted by Claude (security-workflow skill, R22 carve-out for approved + conflicting PRs).