[None][fix] Upgrade dependencies version to avoid security vulnerability #6506
Walkthrough: Dependency versions were updated in three requirements files.
Actionable comments posted: 1

Nitpick comments (1)

examples/models/core/qwen/requirements.txt, line 13: Gradio 4.36 → 4.44 may break the demo UI. 4.41 introduced an internal server refactor and removed several deprecated props. Ensure that:
- demo.launch(share=…) still works in headless environments,
- custom CSS / JS overrides in qwen_demo.py render correctly.
Consider adding a minimal smoke-test that starts the UI in CI to catch silent regressions.
Files selected for processing (3):
- examples/models/core/mixtral/requirements.txt (1 hunk)
- examples/models/core/qwen/requirements.txt (1 hunk)
- requirements.txt (1 hunk)
Additional comments (2)

requirements.txt, line 11: Confirm ONNX 1.18 compatibility with our CUDA / PyTorch stack. Going from 1.12 → 1.18 is a large jump (five minor releases). 1.18 wheels are built against newer CUDA / cuDNN and assume NumPy ≥ 1.23; we still cap NumPy at <2 but do not pin a minimum. Please sanity-check that
- the wheel pulled on CI matches the CUDA 12.8 runtime used by the TRT-LLM images,
- all custom ONNX-GraphSurgeon and shape-inference code paths still behave the same,
- no ABI clash occurs with onnxruntime-gpu should users install it side-by-side.
If we knowingly rely on 1.18-only operators, document that in the release notes.

examples/models/core/mixtral/requirements.txt, line 3: Check breaking changes between 4.53 → 4.54. If we keep 4.54, audit:
- MixtralForCausalLM API – tokenizer / config files generated by 4.53 are still accepted.
- Flash-Attention & AWQ patches compile against the new C++ extension layout.
No action needed if tests pass, but worth noting for downstream integrators.
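The ONNX comment above flags a cap on NumPy (<2) with no minimum pin. As an added illustration (not code from this PR or the TensorRT-LLM repository), the following script parses requirements.txt lines and reports pins that carry a cap but no floor, or no bound at all; the sample lines are constructed and mirror the kinds of pins the review discusses rather than the repository's real files.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (NOT the repository's real files); it mirrors the kinds of
# pins the review discusses: a cap with no floor, a floor only, an exact pin, no bound.
SAMPLE_REQUIREMENTS = """\
numpy<2              # upper bound only: any 1.x release satisfies it
onnx>=1.18.0         # lower bound only
gradio==4.44.0       # exact pin
transformers         # unconstrained
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")
Pin = Tuple[str, Optional[str], Optional[str]]  # (name, floor, cap); "==" sets both

def parse_requirements(text: str) -> List[Pin]:
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or -r/--flag line
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue  # URLs, markers etc. are outside this small parser's grammar
        name, lower, upper = m.group(1).lower(), None, None
        for spec in filter(None, (s.strip() for s in m.group(2).split(","))):
            sm = _SPEC_RE.match(spec)
            if not sm:
                continue
            op, ver = sm.groups()
            if op in ("==", "==="):
                lower = upper = ver
            elif op in (">=", ">", "~="):
                lower = ver
            elif op in ("<=", "<"):
                upper = ver
        pins.append((name, lower, upper))
    return pins

def find_weak_pins(pins: List[Pin]) -> Dict[str, List[str]]:
    # Two findings a dependency review asks about: no bound at all, or a cap with
    # no floor (the latter is the "numpy<2 with no minimum" situation noted above).
    report = {"unconstrained": [], "cap_without_floor": []}
    for name, lower, upper in pins:
        if lower is None and upper is None:
            report["unconstrained"].append(name)
        elif lower is None:
            report["cap_without_floor"].append(name)
    return report
```

Running find_weak_pins(parse_requirements(SAMPLE_REQUIREMENTS)) lists numpy under cap_without_floor and transformers under unconstrained; a CI step can fail on a non-empty report so a floor is pinned alongside every cap.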
Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com>
7db7bcc to 8302b79
cc @nv-guomingz @Shixiaowei02 for doc review
GitHub Bot Help
/bot [-h] ['run', 'kill', 'skip', 'reuse-pipeline'] ...

Provide a user-friendly way for developers to interact with a Jenkins server.

Run /bot [-h|--help] to print this help message. See details below for each supported subcommand.

run [--reuse-test (optional)pipeline-id --disable-fail-fast --skip-test --stage-list "A10-PyTorch-1, xxx" --gpu-type "A30, H100_PCIe" --test-backend "pytorch, cpp" --add-multi-gpu-test --only-multi-gpu-test --disable-multi-gpu-test --post-merge --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" --detailed-log --debug(experimental)]

Launch build/test pipelines. All previously running jobs will be killed.

--reuse-test (optional)pipeline-id
(OPTIONAL) : Allow the new pipeline to reuse build artifacts and skip successful test stages from a specified pipeline or the last pipeline if no pipeline-id is indicated. If the Git commit ID has changed, this option will be always ignored. The DEFAULT behavior of the bot is to reuse build artifacts and successful test results from the last pipeline.

--disable-reuse-test
(OPTIONAL) : Explicitly prevent the pipeline from reusing build artifacts and skipping successful test stages from a previous pipeline. Ensure that all builds and tests are run regardless of previous successes.

--disable-fail-fast
(OPTIONAL) : Disable fail fast on build/tests/infra failures.

--skip-test
(OPTIONAL) : Skip all test stages, but still run build stages, package stages and sanity check stages. Note: Does NOT update GitHub check status.

--stage-list "A10-PyTorch-1, xxx"
(OPTIONAL) : Only run the specified test stages. Examples: "A10-PyTorch-1, xxx". Note: Does NOT update GitHub check status.

--gpu-type "A30, H100_PCIe"
(OPTIONAL) : Only run the test stages on the specified GPU types. Examples: "A30, H100_PCIe". Note: Does NOT update GitHub check status.

--test-backend "pytorch, cpp"
(OPTIONAL) : Skip test stages which don't match the specified backends. Only support [pytorch, cpp, tensorrt, triton]. Examples: "pytorch, cpp" (does not run test stages with tensorrt or triton backend). Note: Does NOT update GitHub pipeline status.

--only-multi-gpu-test
(OPTIONAL) : Only run the multi-GPU tests. Note: Does NOT update GitHub check status.

--disable-multi-gpu-test
(OPTIONAL) : Disable the multi-GPU tests. Note: Does NOT update GitHub check status.

--add-multi-gpu-test
(OPTIONAL) : Force run the multi-GPU tests in addition to running L0 pre-merge pipeline.

--post-merge
(OPTIONAL) : Run the L0 post-merge pipeline instead of the ordinary L0 pre-merge pipeline.

--extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx"
(OPTIONAL) : Run the ordinary L0 pre-merge pipeline and specified test stages. Examples: --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx".

--detailed-log
(OPTIONAL) : Enable flushing out all logs to the Jenkins console. This will significantly increase the log volume and may slow down the job.

--debug
(OPTIONAL) : Experimental feature. Enable access to the CI container for debugging purpose. Note: Specify exactly one stage in the stage-list parameter to access the appropriate container environment. Note: Does NOT update GitHub check status.

For guidance on mapping tests to stage names, see docs/source/reference/ci-overview.md and the scripts/test_to_stage_mapping.py helper.

kill

Kill all running builds associated with pull request.

skip --comment COMMENT

Skip testing for latest commit on pull request. --comment "Reason for skipping build/test" is required. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.

reuse-pipeline

Reuse a previous pipeline to validate current commit. This action will also kill all currently running builds associated with the pull request. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.