[pre-commit.ci] pre-commit autoupdate #180

Merged: amrit110 merged 3 commits into main from pre-commit-ci-update-config on Jun 18, 2026
@pre-commit-ci (bot, Contributor) commented Jun 15, 2026

updates:
- [github.com/astral-sh/ruff-pre-commit: v0.15.16 → v0.15.17](astral-sh/ruff-pre-commit@v0.15.16...v0.15.17)

@amrit110 (Member)

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---|---|---|---|
| torch | 2.12.0 | CVE-2025-3000 | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability (CVE-2025-3000) exists in torch itself. A fix requires the upstream maintainers (PyTorch) to release a new version. The current latest PyTorch version on PyPI is 2.12.0, which is already the installed version and still listed as vulnerable. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

What was fixed automatically

Recommended next steps

  1. Monitor the CVE-2025-3000 advisory for a PyTorch patch release
  2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.
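
An added example (not aieng-bot's or this repository's code) of the triage the comment above describes: findings with a newer fixed release are upgradeable, the rest are blocked on upstream and pass only with a reviewed, justified exception. It assumes the `dependencies[].vulns[].fix_versions` layout of `pip-audit --format json`; the sample report, `examplepkg`, `EXAMPLE-0001` and the `accepted` allow-list format are constructed for illustration.

```python
import json

# Constructed sample report (assumed layout of `pip-audit --format json`:
# dependencies[] -> name, version, vulns[] -> id, fix_versions[]).
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "torch", "version": "2.12.0",
     "vulns": [{"id": "CVE-2025-3000", "fix_versions": []}]},
    {"name": "tornado", "version": "6.5.5",
     "vulns": [{"id": "CVE-2026-49854", "fix_versions": ["6.5.7"]}]},
    {"name": "examplepkg", "version": "2.0.0",  # hypothetical package and id
     "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.9.9"]}]},
]})

def version_key(v):
    """Numeric sort key for plain dotted versions such as '6.5.7' (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))

def triage(report_json):
    """Split findings into upgradeable ones and ones blocked on an upstream release."""
    fixable, blocked = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        installed = dep.get("version")
        if installed is None:  # entries without a version cannot be compared
            continue
        for vuln in dep.get("vulns", []):
            # A fix only helps if it is newer than what is already installed.
            newer = sorted(
                (f for f in vuln.get("fix_versions", [])
                 if version_key(f) > version_key(installed)),
                key=version_key)
            entry = {"package": dep["name"], "installed": installed, "id": vuln["id"]}
            if newer:
                fixable.append({**entry, "upgrade_to": newer[0]})
            else:
                blocked.append(entry)
    return fixable, blocked

def gate(report_json, accepted):
    """Return blocked findings that have no reviewed exception.

    `accepted` maps vulnerability id -> written justification (hypothetical
    allow-list format); an empty justification does not count.
    """
    _, blocked = triage(report_json)
    return [b for b in blocked if not accepted.get(b["id"], "").strip()]
```

A non-empty result from `gate` is what should keep a dependency PR from being merged automatically.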

aieng-bot[bot] added 2 commits June 16, 2026 01:20
- tornado 6.5.5 -> 6.5.7: fix CVE-2026-49854 (websocket mask buffer overread)
- aiohttp 3.14.0 -> 3.14.1: fix CVE-2026-54273 through CVE-2026-54280

Note: torch 2.12.0 CVE-2025-3000 remains unfixable (no patched version on PyPI)

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>

Bumps torch from 2.12.0 to 2.12.1 to resolve CVE-2025-3000 (memory
corruption vulnerability in torch.jit.script). Also updates triton
from 3.7.0 to 3.7.1 as a transitive dependency.

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>

@amrit110 merged commit 0bbb39d into main on Jun 18, 2026
7 checks passed
@amrit110 deleted the pre-commit-ci-update-config branch on June 18, 2026 11:44