This is a research repository for a UCLA CS 269 final project. It is not a production-grade application. Nevertheless we take security seriously and treat known dependency vulnerabilities as quality bugs.

The training pipeline runs offline on single-host machines (Colab, a local GPU box, or a DagsHub workspace). It consumes:

• Trusted training data (nuPlan-mini, downloaded once via DagsHub)
• Trusted model checkpoints (produced by our own training runs)
• Hydra YAML configs in the repo

It does not accept network input at training or inference time, run inference servers exposed to the public, parse untrusted user-supplied files, or deserialize attacker-controlled pickles. Checkpoint loads use torch.load(weights_only=True) with a controlled fallback for legacy files (see security commit 7ec9033).

We track upstream CVEs via pip-audit and GitHub Dependabot. Current state after the dependency bumps in flow_planner/requirements.txt:

• tensorboard==2.11.2 → ==2.17.1 — clears CVE-2023-25658 (path traversal), CVE-2023-25662 (open redirect)
• torch==2.3.0 → ==2.12.0 — clears 19 prior CVEs (full list in commit b73ca15 and follow-up)
• pytorch-lightning==2.4.0 → ==2.5.5 — tracks the torch line
• All 5 previously-unpinned deps (flow-matching, dagshub, matplotlib, numpy, pytorch-lightning) are now pinned so Dependabot can alert on them.

Both of these have no upstream fix released — the only way to "fix" them is to avoid the vulnerable function, which we already do.

• torch.load(weights_only=True) everywhere checkpoints are loaded (inference_eval.py, visualize_bev.py, visualize_bev_gif.py) — see commit 7ec9033.
• No eval() / pickle.loads() of user input anywhere in the repo.
• No subprocess.shell=True calls touching user input.

If you find a vulnerability that affects the offline training threat model above, open an issue on GitHub. Use the security label.