Track unfixable lm-eval transitive CVEs (sqlitedict, diskcache, transformers) #18

@JacobPEvans-personal

Summary

lm-eval[api]==0.4.11 pulls in three transitive dependencies that have outstanding CVEs without an available upstream fix on a stable line we can adopt. Tracking them here so they don't keep showing up as recurring CI noise without context.

Current vulnerable transitive dependencies

| Package | Version | Advisory | Upstream status |
|---|---|---|---|
| sqlitedict | 2.1.0 | CVE-2024-35515 | No fix released; project is dormant |
| diskcache | 5.6.3 | GHSA-w8v5-vhqr-4h9v | No fix released |
| transformers | 4.57.6 | GHSA-69w3-r845-3855 | Fixed in 5.0.0rc3 (release candidate, not GA) |

Why we are not patching now

  • We can't safely silence these in CI per the repo's "no-bypasses" policy. They're real findings; we acknowledge them.
  • Bumping transformers to a 5.0 RC would break lm-eval[api]==0.4.11's pin range and is unstable for a production release. We pin lm-eval explicitly for benchmark reproducibility.
  • sqlitedict and diskcache have no upstream fix to adopt at all.

Risk assessment

These dependencies are only loaded when running lm_eval locally for benchmarks (a deliberate, isolated workload running our own configs against our own models). They are not exposed to the network or to user input. Risk in our usage: low.

Action items

  • Watch upstream lm-eval for a 0.4.x bump that drops sqlitedict / diskcache (issue: EleutherAI/lm-evaluation-harness)
  • When transformers 5.0.0 ships GA, evaluate replacing the current lm-eval pin with one compatible with transformers 5
  • Re-run pip-audit and osv-scanner quarterly until cleared

CI behavior

CI Gate (_python-security.yml and _osv-scan.yml) currently surfaces these on every run. Until upstream fixes ship, this is expected and acceptable — the alerts are documented, not ignored.
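An added example, not part of the original issue or the repository's code: a triage helper for the quarterly re-run that sorts pip-audit findings into those documented in the table above, undocumented ones, and tracked entries that no longer appear, without suppressing anything or changing the gate's outcome. It assumes the `pip-audit -f json` report layout (`dependencies` entries with `vulns`, `id` and `aliases`); the function name `triage`, the sample report and the zero-filled advisory IDs are constructed for illustration.

```python
import json

# Advisories documented in this tracking issue: (package, version) -> advisory.
TRACKED = {
    ("sqlitedict", "2.1.0"): "CVE-2024-35515",
    ("diskcache", "5.6.3"): "GHSA-w8v5-vhqr-4h9v",
    ("transformers", "4.57.6"): "GHSA-69w3-r845-3855",
}

# Constructed sample report; zero-filled IDs are placeholders, not real advisories.
SAMPLE = json.dumps({"dependencies": [
    {"name": "sqlitedict", "version": "2.1.0", "vulns": [
        {"id": "PYSEC-0000-0000", "aliases": ["CVE-2024-35515"], "fix_versions": []}]},
    {"name": "transformers", "version": "4.57.6", "vulns": [
        {"id": "GHSA-69w3-r845-3855", "aliases": [], "fix_versions": ["5.0.0rc3"]}]},
    {"name": "example-pkg", "version": "1.0.0", "vulns": [
        {"id": "GHSA-0000-0000-0000", "aliases": [], "fix_versions": ["1.0.1"]}]},
    {"name": "example-clean", "version": "2.0.0", "vulns": []},
]})


def triage(report_json):
    """Return (documented, undocumented, cleared) for a pip-audit JSON report."""
    report = json.loads(report_json)
    # Assumed layout: {"dependencies": [...]}; a bare list is accepted as well.
    deps = report["dependencies"] if isinstance(report, dict) else report
    documented, undocumented = set(), []
    for dep in deps:
        key = (dep["name"].lower(), dep.get("version"))
        for vuln in dep.get("vulns", []):
            # The scanner may report under a different primary ID, so match
            # the tracked advisory against the ID and all of its aliases.
            ids = {vuln["id"], *vuln.get("aliases", [])}
            if TRACKED.get(key) in ids:
                documented.add(key)
            else:
                undocumented.append((key[0], key[1], vuln["id"]))
    # Tracked entries absent from the report: candidates for closing the item.
    cleared = sorted(k for k in TRACKED if k not in documented)
    return sorted(documented), undocumented, cleared


if __name__ == "__main__":
    documented, undocumented, cleared = triage(SAMPLE)
    print("documented in tracking issue:", documented)
    print("undocumented, needs review:", undocumented)
    print("tracked but no longer reported:", cleared)
```

A version bump that is still vulnerable lands in the undocumented list, which is the cue to update the table rather than assume the finding is the same one.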
