[None][fix] Upgrade dependencies version to avoid security vulnerability by yibinl-nvidia · Pull Request #6506 · NVIDIA/TensorRT-LLM · GitHub

Conversation

@yibinl-nvidia
Collaborator

@yibinl-nvidia yibinl-nvidia commented Jul 31, 2025

Summary by CodeRabbit

  • Chores
    • Updated several package versions to improve compatibility and performance.
    • Added a new dependency to support enhanced functionality.

Description

Test Coverage

GitHub Bot Help

/bot [-h] ['run', 'kill', 'skip', 'reuse-pipeline'] ...

Provide a user friendly way for developers to interact with a Jenkins server.

Run /bot [-h|--help] to print this help message.

See details below for each supported subcommand.

run [--reuse-test (optional)pipeline-id --disable-fail-fast --skip-test --stage-list "A10-PyTorch-1, xxx" --gpu-type "A30, H100_PCIe" --test-backend "pytorch, cpp" --add-multi-gpu-test --only-multi-gpu-test --disable-multi-gpu-test --post-merge --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" --detailed-log --debug(experimental)]

Launch build/test pipelines. All previously running jobs will be killed.

--reuse-test (optional)pipeline-id (OPTIONAL) : Allow the new pipeline to reuse build artifacts and skip successful test stages from a specified pipeline or the last pipeline if no pipeline-id is indicated. If the Git commit ID has changed, this option will be always ignored. The DEFAULT behavior of the bot is to reuse build artifacts and successful test results from the last pipeline.

--disable-reuse-test (OPTIONAL) : Explicitly prevent the pipeline from reusing build artifacts and skipping successful test stages from a previous pipeline. Ensure that all builds and tests are run regardless of previous successes.

--disable-fail-fast (OPTIONAL) : Disable fail fast on build/tests/infra failures.

--skip-test (OPTIONAL) : Skip all test stages, but still run build stages, package stages and sanity check stages. Note: Does NOT update GitHub check status.

--stage-list "A10-PyTorch-1, xxx" (OPTIONAL) : Only run the specified test stages. Examples: "A10-PyTorch-1, xxx". Note: Does NOT update GitHub check status.

--gpu-type "A30, H100_PCIe" (OPTIONAL) : Only run the test stages on the specified GPU types. Examples: "A30, H100_PCIe". Note: Does NOT update GitHub check status.

--test-backend "pytorch, cpp" (OPTIONAL) : Skip test stages which don't match the specified backends. Only support [pytorch, cpp, tensorrt, triton]. Examples: "pytorch, cpp" (does not run test stages with tensorrt or triton backend). Note: Does NOT update GitHub pipeline status.

--only-multi-gpu-test (OPTIONAL) : Only run the multi-GPU tests. Note: Does NOT update GitHub check status.

--disable-multi-gpu-test (OPTIONAL) : Disable the multi-GPU tests. Note: Does NOT update GitHub check status.

--add-multi-gpu-test (OPTIONAL) : Force run the multi-GPU tests in addition to running L0 pre-merge pipeline.

--post-merge (OPTIONAL) : Run the L0 post-merge pipeline instead of the ordinary L0 pre-merge pipeline.

--extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" (OPTIONAL) : Run the ordinary L0 pre-merge pipeline and specified test stages. Examples: --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx".

--detailed-log (OPTIONAL) : Enable flushing out all logs to the Jenkins console. This will significantly increase the log volume and may slow down the job.

--debug (OPTIONAL) : Experimental feature. Enable access to the CI container for debugging purpose. Note: Specify exactly one stage in the stage-list parameter to access the appropriate container environment. Note: Does NOT update GitHub check status.

For guidance on mapping tests to stage names, see docs/source/reference/ci-overview.md
and the scripts/test_to_stage_mapping.py helper.

kill

kill

Kill all running builds associated with pull request.

skip

skip --comment COMMENT

Skip testing for latest commit on pull request. --comment "Reason for skipping build/test" is required. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.

reuse-pipeline

reuse-pipeline

Reuse a previous pipeline to validate current commit. This action will also kill all currently running builds associated with the pull request. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.

@coderabbitai
Contributor

coderabbitai bot commented Jul 31, 2025

📝 Walkthrough

Walkthrough

Dependency versions were updated in three requirements files. The transformers and onnx packages received version bumps, accelerate was added as a new dependency, and the gradio package was updated in an optional dependencies section. No code or exported entities were modified.

Changes

Cohort / File(s) Change Summary
Mixtral requirements update
examples/models/core/mixtral/requirements.txt
Updated transformers from 4.38.2 to 4.54.0; added accelerate==0.25.0; other dependencies unchanged.
Qwen requirements update
examples/models/core/qwen/requirements.txt
Updated optional gradio dependency from 4.36.0 to 4.44.1; no other changes.
Root requirements update
requirements.txt
Increased minimum onnx version from 1.12.0 to 1.18.0; no other changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~6 minutes


📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7db7bcc and 8302b79.

📒 Files selected for processing (3)
  • examples/models/core/mixtral/requirements.txt (1 hunks)
  • examples/models/core/qwen/requirements.txt (1 hunks)
  • requirements.txt (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • requirements.txt
🚧 Files skipped from review as they are similar to previous changes (2)
  • examples/models/core/qwen/requirements.txt
  • examples/models/core/mixtral/requirements.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Pre-commit Check
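As an added example (not code from this PR or from the TensorRT-LLM project): a small Python check that parses requirements lines and flags any pin or range that can still resolve below the versions the summary above raises transformers, gradio and onnx to. The file contents are constructed to mirror the before/after state described in the walkthrough, and the minimum versions come from that summary, not from an advisory.

```python
import re

# Minimum versions this PR raises the three packages to (taken from the PR summary).
MIN_SAFE = {"transformers": (4, 54, 0), "gradio": (4, 44, 1), "onnx": (1, 18, 0)}
# Constructed samples, not copied from the repository: the relevant lines of the
# three requirements files as they read before and after the bump.
BEFORE = {
    "examples/models/core/mixtral/requirements.txt": "transformers==4.38.2\n",
    "examples/models/core/qwen/requirements.txt": "# optional, demo UI only\ngradio==4.36.0\n",
    "requirements.txt": "onnx>=1.12.0\nnumpy<2\n",
}
AFTER = {
    "examples/models/core/mixtral/requirements.txt": "transformers==4.54.0\naccelerate==0.25.0\n",
    "examples/models/core/qwen/requirements.txt": "# optional, demo UI only\ngradio==4.44.1\n",
    "requirements.txt": "onnx>=1.18.0\nnumpy<2\n",
}
# name, optional extras, optional operator, optional version
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|~=|>|<=|<|!=)?\s*([0-9][0-9.]*)?")

def parse_requirement(line):
    """Return (name, operator, version tuple) for one line; None for blanks and comments."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    m = _REQ.match(line) if line else None
    if not m:
        return None
    name, op, ver = m.groups()
    version = tuple(int(p) for p in ver.rstrip(".").split(".")) if ver else None
    return name.lower().replace("_", "-"), op, version

def lower_bound(op, ver):
    """Lowest version pip may resolve for a specifier; None when unbounded below.
    A strict '>' is treated like '>=', which errs on the side of reporting."""
    return ver if op in ("==", ">=", "~=", ">") else None

def audit(files, minimum):
    """List every requirement that can still resolve below its minimum version."""
    fmt = lambda v: ".".join(map(str, v))
    findings = []
    for path, text in files.items():
        for line in text.splitlines():
            parsed = parse_requirement(line)
            if parsed is None or parsed[0] not in minimum:
                continue
            name, op, ver = parsed
            floor = lower_bound(op, ver)
            if floor is None:
                findings.append(f"{path}: {name} has no lower bound, needs >= {fmt(minimum[name])}")
            elif floor < minimum[name]:
                findings.append(f"{path}: {name} floor {fmt(floor)} < {fmt(minimum[name])}")
    return findings
```

Running `audit(AFTER, MIN_SAFE)` returns an empty list, while `audit(BEFORE, MIN_SAFE)` reports all three pre-bump pins; the same check works on real files by reading them into the `files` mapping.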

@yibinl-nvidia yibinl-nvidia changed the title Upgrade dependencies version to avoid security vulnerability [Draft - WIP] Upgrade dependencies version to avoid security vulnerability Jul 31, 2025
@yibinl-nvidia
Collaborator Author

/bot run --disable-fail-fast

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
examples/models/core/qwen/requirements.txt (1)

13-13: Gradio 4.36 → 4.44 may break the demo UI

4.41 introduced an internal server refactor and removed several deprecated props. Ensure that:

  • demo.launch(share=…) still works in headless environments,
  • custom CSS / JS overrides in qwen_demo.py render correctly.

Consider adding a minimal smoke-test that starts the UI in CI to catch silent regressions.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d38c26b and 7db7bcc.

📒 Files selected for processing (3)
  • examples/models/core/mixtral/requirements.txt (1 hunks)
  • examples/models/core/qwen/requirements.txt (1 hunks)
  • requirements.txt (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
requirements.txt (1)

Learnt from: CR
PR: NVIDIA/TensorRT-LLM#0
File: CODING_GUIDELINES.md:0-0
Timestamp: 2025-07-31T04:50:23.272Z
Learning: Applies to **/*.py : The code developed for TensorRT-LLM should conform to Python 3.8+.

examples/models/core/mixtral/requirements.txt (2)

Learnt from: CR
PR: NVIDIA/TensorRT-LLM#0
File: CODING_GUIDELINES.md:0-0
Timestamp: 2025-07-31T04:50:23.272Z
Learning: Applies to **/*.py : The code developed for TensorRT-LLM should conform to Python 3.8+.

Learnt from: moraxu
PR: #6303
File: tests/integration/test_lists/qa/examples_test_list.txt:494-494
Timestamp: 2025-07-28T17:06:08.621Z
Learning: In TensorRT-LLM testing, it's common to have both CLI flow tests (test_cli_flow.py) and PyTorch API tests (test_llm_api_pytorch.py) for the same model. These serve different purposes: CLI flow tests validate the traditional command-line workflow, while PyTorch API tests validate the newer LLM API backend. Both are legitimate and should coexist.

🔇 Additional comments (2)
requirements.txt (1)

11-11: Confirm ONNX 1.18 compatibility with our CUDA / PyTorch stack

Going from 1.12 → 1.18 is a large jump (five minor releases). 1.18 wheels are built against newer CUDA / cuDNN and assume NumPy ≥ 1.23; we still cap NumPy at <2 but do not pin a minimum. Please sanity-check that

  1. the wheel pulled on CI matches the CUDA 12.8 runtime used by the TRT-LLM images,
  2. all custom ONNX-GraphSurgeon and shape-inference code paths still behave the same,
  3. no ABI clash occurs with onnxruntime-gpu should users install it side-by-side.

If we knowingly rely on 1.18-only operators, document that in the release notes.

examples/models/core/mixtral/requirements.txt (1)

3-3: Check breaking changes between 4.53 → 4.54

If we keep 4.54, audit:

  • MixtralForCausalLM API – tokenizer / config files generated by 4.53 are still accepted.
  • Flash-Attention & AWQ patches compile against the new C++ extension layout.

No action needed if tests pass, but worth noting for downstream integrators.

@tensorrt-cicd
Collaborator

PR_Github #13628 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13628 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10224 completed with status: 'FAILURE'

@yibinl-nvidia
Collaborator Author

/bot run --disable-fail-fast

@yibinl-nvidia
Collaborator Author

/bot run

@tensorrt-cicd
Collaborator

PR_Github #13751 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13751 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10335 completed with status: 'FAILURE'

Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com>
@yibinl-nvidia yibinl-nvidia force-pushed the dev-yibinl-upgrade-dependency-version branch from 7db7bcc to 8302b79 Compare August 1, 2025 05:18
@yibinl-nvidia
Collaborator Author

/bot run

@tensorrt-cicd
Collaborator

PR_Github #13765 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13765 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10345 completed with status: 'SUCCESS'

@yibinl-nvidia
Collaborator Author

/bot run --only-multi-gpu-test

@tensorrt-cicd
Collaborator

PR_Github #13815 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13815 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10386 (Partly Tested) completed with status: 'SUCCESS'

@yibinl-nvidia
Collaborator Author

/bot run --post-merge

@tensorrt-cicd
Collaborator

PR_Github #13839 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13839 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10407 completed with status: 'FAILURE'

@yibinl-nvidia
Collaborator Author

/bot run --post-merge

@tensorrt-cicd
Collaborator

PR_Github #13846 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13846 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10414 completed with status: 'FAILURE'

@yibinl-nvidia
Collaborator Author

/bot run --post-merge

@tensorrt-cicd
Collaborator

PR_Github #13904 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #13904 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10467 completed with status: 'FAILURE'

@yibinl-nvidia
Collaborator Author

/bot run --post-merge

@tensorrt-cicd
Collaborator

PR_Github #14035 [ run ] triggered by Bot

@tensorrt-cicd
Collaborator

PR_Github #14035 [ run ] completed with state SUCCESS
/LLM/main/L0_MergeRequest_PR pipeline #10585 completed with status: 'SUCCESS'

@yibinl-nvidia yibinl-nvidia changed the title [Draft - WIP] Upgrade dependencies version to avoid security vulnerability [None][Fix] Upgrade dependencies version to avoid security vulnerability Aug 5, 2025
@yibinl-nvidia yibinl-nvidia marked this pull request as ready for review August 5, 2025 19:24
@yibinl-nvidia yibinl-nvidia changed the title [None][Fix] Upgrade dependencies version to avoid security vulnerability [None][fix] Upgrade dependencies version to avoid security vulnerability Aug 5, 2025
@yibinl-nvidia yibinl-nvidia self-assigned this Aug 5, 2025
@yibinl-nvidia
Collaborator Author

cc @nv-guomingz @Shixiaowei02 for doc review

@kevinch-nv kevinch-nv merged commit 2a94685 into NVIDIA:main Aug 6, 2025
4 of 6 checks passed