[Snyk] Security upgrade transformers from 4.30.2 to 5.0.0rc1#176
[Snyk] Security upgrade transformers from 4.30.2 to 5.0.0rc1#176
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-TRANSFORMERS-14564337
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| langchain | ||
| sentence_transformers No newline at end of file | ||
| sentence_transformers | ||
| transformers>=5.0.0rc1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
If this repo is still installing a sentence-transformers release that caps transformers below 5.0 (e.g., 2.2.2 as noted in the Snyk warning), then adding transformers>=5.0.0rc1 makes pip’s resolver fail with an unsatisfiable constraint (or installs an incompatible version under legacy resolver). That breaks fresh installs for this app; consider upgrading sentence-transformers to a version that supports Transformers 5.x or loosening this to a compatible 4.x patch that fixes the vulnerability.
Useful? React with 👍 / 👎.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| langchain | ||
| sentence_transformers No newline at end of file | ||
| sentence_transformers | ||
| transformers>=5.0.0rc1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
Release candidate version pinned for production dependency
The transformers>=5.0.0rc1 pin uses a release candidate version rather than a stable release. According to PyPI, stable version 4.57.3 is available. Release candidates may contain bugs or breaking API changes before final release. Additionally, this is a major version jump (4.x to 5.x) which could cause compatibility issues with sentence-transformers 2.2.2 that the project depends on. The Snyk warnings in the PR description also indicate dependency resolution concerns. This could cause runtime failures when SentenceTransformer is initialized in utils.py.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
Langchain Chatbot/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Deserialization of Untrusted Data
Note
Addresses dependency security and completeness in
Langchain Chatbot/requirements.txt.transformers>=5.0.0rc1(Snyk-pinned to mitigate vulnerability)sentence_transformersis included alongside existing packagesWritten by Cursor Bugbot for commit 41a5aec. This will update automatically on new commits. Configure here.