Update dependency transformers to v5 [SECURITY]#30

Open
renovate[bot] wants to merge 1 commit into main from renovate/pypi-transformers-vulnerability

renovate Bot commented Mar 4, 2025

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package       Change
transformers  ~=4.40.2 -> ~=5.0.0
transformers  ~=4.55.2 -> ~=5.0.0
transformers  >=4.51.1 -> >=5.0.0
transformers  ==4.45.2 -> ==5.0.0
transformers  >=4.55.2 -> >=5.0.0
transformers  ==4.41.2 -> ==5.0.0

Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11392 / GHSA-qxrp-vhvm-j765

More information

Details

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11394 / GHSA-hxxf-235m-72v3

More information

Details

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11393 / GHSA-wrfc-pvp9-mr9g

More information

Details

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Transformers Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2024-12720 / GHSA-6rvg-6v2m-4j46

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Transformers Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2025-1194 / GHSA-fpwr-67px-3qhx

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Transformers Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2024-12720 / GHSA-6rvg-6v2m-4j46

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11394 / GHSA-hxxf-235m-72v3 / PYSEC-2024-229

More information

Details

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11392 / GHSA-qxrp-vhvm-j765 / PYSEC-2024-227

More information

Details

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in Hugging Face Transformers

CVE-2024-11393 / GHSA-wrfc-pvp9-mr9g / PYSEC-2024-228

More information

Details

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2024-11392 / GHSA-qxrp-vhvm-j765 / PYSEC-2024-227

More information

Details

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2024-11393 / GHSA-wrfc-pvp9-mr9g / PYSEC-2024-228

More information

Details

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2024-11394 / GHSA-hxxf-235m-72v3 / PYSEC-2024-229

More information

Details

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-2099 / GHSA-qq3j-4f4f-9583 / PYSEC-2025-40

More information

Details

A vulnerability in the preprocess_string() function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Transformers Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2025-1194 / GHSA-fpwr-67px-3qhx

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugging Face Transformers Regular Expression Denial of Service

CVE-2025-2099 / GHSA-qq3j-4f4f-9583 / PYSEC-2025-40

More information

Details

A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability.

Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. (GitHub)

  • Affected: < 4.50.0
  • Patched: 4.50.0

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Transformers vulnerable to ReDoS attack through its get_imports() function

CVE-2025-3264 / GHSA-jjph-296x-mrcr

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking

CVE-2025-3263 / GHSA-q2wp-rjmx-x6x9

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_configuration_file() function within the transformers.configuration_utils module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern config\.(.*)\.json that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Transformers is vulnerable to ReDoS attack through its DonutProcessor class

CVE-2025-3933 / GHSA-37mw-44qp-f5jm

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Transformers's Improper Input Validation vulnerability can be exploited through username injection

CVE-2025-3777 / GHSA-phhr-52qp-3mj4

More information

Details

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the image_utils.py file. The vulnerability arises from insecure URL validation using the startswith() method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Severity

  • CVSS Score: 3.5 / 10 (Low)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer

CVE-2025-6921 / GHSA-4w7r-h757-3r74

More information

Details

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer

CVE-2025-6638 / GHSA-59p9-h35m-wg4g

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2025-5197 / GHSA-9356-575x-2w9m

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the convert_tf_weight_name_to_pt_weight_name() function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern /[^/]*___([^/]*)/ that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugging Face Transformers library has Regular Expression Denial of Service

CVE-2025-6051 / GHSA-rcv9-qm8p-9p6j

More information

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2025-14920 / PYSEC-2025-211

More information

Details

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14921 / PYSEC-2025-212

More information

Details

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14924 / PYSEC-2025-213

More information

Details

Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14926 / PYSEC-2025-214

More information

Details

Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.

The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14927 / PYSEC-2025-215

More information

Details

Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.

The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28252.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14928 / PYSEC-2025-216

More information

Details

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.

The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14930 / PYSEC-2025-218

More information

Details

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2025-14929 / PYSEC-2025-217

More information

Details

Hu

Note

PR body was truncated to here.
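
The URL check described in the CVE-2025-3777 advisory above, shown as an added example that is not part of the PR body or of the Transformers code base: a startswith() prefix check next to a check on the parsed host, run over the same inputs. The function names, the trusted-host list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; the advisory names only YouTube and startswith().
TRUSTED_PREFIXES = ("https://www.youtube.com", "https://youtu.be")
TRUSTED_HOSTS = frozenset({"www.youtube.com", "youtube.com", "youtu.be"})


def is_youtube_url_prefix(url: str) -> bool:
    """Weak form: compares the raw string prefix, as the advisory describes."""
    return url.startswith(TRUSTED_PREFIXES)


def is_youtube_url_strict(url: str) -> bool:
    """Hardened form: decide on the parsed host, never on the raw string."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Anything before '@' in the authority is userinfo, not the host.
    # A media URL has no reason to carry credentials, so reject it outright.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname  # already lower-cased by urllib
    if not host:
        return False
    return host.rstrip(".") in TRUSTED_HOSTS


def disagreements(urls):
    """Return (url, prefix_result, strict_result) where the two checks differ."""
    rows = []
    for url in urls:
        weak, strict = is_youtube_url_prefix(url), is_youtube_url_strict(url)
        if weak != strict:
            rows.append((url, weak, strict))
    return rows


# Constructed sample inputs (media.example.net is a placeholder host).
SAMPLE_URLS = [
    "https://www.youtube.com/watch?v=abc",
    "https://www.youtube.com:443/watch?v=abc",
    "https://www.youtube.com@media.example.net/watch?v=abc",
    "https://www.youtube.com:pw@media.example.net/clip",
    "https://WWW.YouTube.com/watch?v=abc",
]

if __name__ == "__main__":
    for url, weak, strict in disagreements(SAMPLE_URLS):
        print(f"prefix={weak!s:5} strict={strict!s:5} {url}")
```

The two userinfo URLs pass the prefix check while their parsed host is media.example.net; the mixed-case URL shows the prefix check also rejecting a legitimate host.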

renovate Bot commented Mar 4, 2025

Contributor Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: model-servers/vllm/0.11.0/Pipfile.lock
Command failed: pipenv lock
Creating a virtualenv for this project
Pipfile: 
/tmp/renovate/repos/github/redhat-ai-dev/developer-images/model-servers/vllm/0.1
1.0/Pipfile
Using /usr/local/bin/python 3.11.15 to create virtualenv...
created virtual environment CPython3.11.15.final.0-64-x86_64 in 563ms
  creator CPython3Posix(dest=/runner/cache/others/virtualenvs/0.11.0-aiUPqbIp, 
clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, via=copy, 
app_data_dir=/tmp/containerbase/cache/.cache/virtualenv)
    added seed packages: pip==26.1.2, setuptools==82.0.1
  activators 
BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator
,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /runner/cache/others/virtualenvs/0.11.0-aiUPqbIp
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-jqht5zvu-requirements/pipenv-yjm_06g6-constraints.txt 
(line 34) and filelock~=3.14.0 because these package versions have conflicting 
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested filelock~=3.14.0
    vllm 0.11.0 depends on filelock>=3.16.1
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    filelock
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested filelock~=3.14.0
    vllm 0.11.0 depends on filelock>=3.16.1

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1467, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1240, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!


File name: model-servers/vllm/0.6.4/Pipfile.lock
Command failed: pipenv lock
Creating a virtualenv for this project
Pipfile: 
/tmp/renovate/repos/github/redhat-ai-dev/developer-images/model-servers/vllm/0.6
.4/Pipfile
Using /usr/local/bin/python 3.11.15 to create virtualenv...
created virtual environment CPython3.11.15.final.0-64-x86_64 in 209ms
  creator CPython3Posix(dest=/runner/cache/others/virtualenvs/0.6.4-d_r4MF2m, 
clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, via=copy, 
app_data_dir=/tmp/containerbase/cache/.cache/virtualenv)
    added seed packages: pip==26.1.2, setuptools==82.0.1
  activators 
BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator
,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /runner/cache/others/virtualenvs/0.6.4-d_r4MF2m
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-s4dgs9wd-requirements/pipenv-f6g7582y-constraints.txt 
(line 25) and torch==2.3.0+cu121 because these package versions have conflicting
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    vllm-flash-attn 2.6.2 depends on torch==2.4.0
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    torch
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    vllm-flash-attn 2.6.2 depends on torch==2.4.0

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1467, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1240, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!


File name: model-servers/vllm/0.6.6/Pipfile.lock
Command failed: pipenv lock
Creating a virtualenv for this project
Pipfile: 
/tmp/renovate/repos/github/redhat-ai-dev/developer-images/model-servers/vllm/0.6
.6/Pipfile
Using /usr/local/bin/python 3.11.15 to create virtualenv...
created virtual environment CPython3.11.15.final.0-64-x86_64 in 218ms
  creator CPython3Posix(dest=/runner/cache/others/virtualenvs/0.6.6-39QtryhM, 
clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, via=copy, 
app_data_dir=/tmp/containerbase/cache/.cache/virtualenv)
    added seed packages: pip==26.1.2, setuptools==82.0.1
  activators 
BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator
,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /runner/cache/others/virtualenvs/0.6.6-39QtryhM
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-mo1faxml-requirements/pipenv-_ebqjsjt-constraints.txt 
(line 17), -r /tmp/pipenv-mo1faxml-requirements/pipenv-_ebqjsjt-constraints.txt 
(line 31) and torch==2.3.0+cu121 because these package versions have conflicting
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    xformers 0.0.26.post1 depends on torch==2.3.0
    vllm-flash-attn 2.6.2 depends on torch==2.4.0
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    torch
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    xformers 0.0.26.post1 depends on torch==2.3.0
    vllm-flash-attn 2.6.2 depends on torch==2.4.0

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1467, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1240, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!


File name: model-servers/vllm/0.8.4/Pipfile.lock
Command failed: pipenv lock
Creating a virtualenv for this project
Pipfile: 
/tmp/renovate/repos/github/redhat-ai-dev/developer-images/model-servers/vllm/0.8
.4/Pipfile
Using /usr/local/bin/python 3.11.15 to create virtualenv...
created virtual environment CPython3.11.15.final.0-64-x86_64 in 208ms
  creator CPython3Posix(dest=/runner/cache/others/virtualenvs/0.8.4-lR4GvG4y, 
clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, via=copy, 
app_data_dir=/tmp/containerbase/cache/.cache/virtualenv)
    added seed packages: pip==26.1.2, setuptools==82.0.1
  activators 
BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator
,PythonActivator,XonshActivator

✔ Successfully created virtual environment!
Virtualenv location: /runner/cache/others/virtualenvs/0.8.4-lR4GvG4y
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-b5uk2_9f-requirements/pipenv-97tw_clo-constraints.txt 
(line 33) and fastapi~=0.111.0 because these package versions have conflicting 
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested fastapi~=0.111.0
    vllm 0.8.4 depends on fastapi>=0.115.0
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    fastapi
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested fastapi~=0.111.0
    vllm 0.8.4 depends on fastapi>=0.115.0

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1467, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.6.2/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1240, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!


@thepetk thepetk left a comment

lgtm

@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 54c16f5 to f88c921 Compare March 7, 2025 03:45
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Mar 7, 2025
@thepetk thepetk changed the title Update dependency transformers to v4.48.0 [SECURITY] rebase! Update dependency transformers to v4.48.0 [SECURITY] Mar 7, 2025
@renovate renovate Bot changed the title rebase! Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Mar 7, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from f88c921 to 48cb960 Compare March 13, 2025 07:21
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Mar 13, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 48cb960 to aef2157 Compare March 15, 2025 03:20
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Mar 15, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from aef2157 to 4c8e625 Compare March 18, 2025 20:15
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Mar 18, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 4c8e625 to cc82e9a Compare March 21, 2025 23:40
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Mar 21, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from cc82e9a to 020c12d Compare March 25, 2025 16:48
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Mar 25, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 020c12d to 1ad7b15 Compare March 29, 2025 04:06
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Mar 29, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 1ad7b15 to 465bc72 Compare April 2, 2025 00:04
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Apr 2, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 465bc72 to 6e5b47f Compare April 3, 2025 23:56
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Apr 3, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 6e5b47f to b1be93e Compare April 8, 2025 20:13
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Apr 8, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from b1be93e to 3ee72ed Compare April 12, 2025 07:49
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Apr 12, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 3ee72ed to d0b788a Compare April 13, 2025 20:46
@renovate renovate Bot changed the title Update dependency transformers to v4.48.0 [SECURITY] Update dependency transformers [SECURITY] Apr 13, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from d0b788a to ebdfd8f Compare April 18, 2025 04:13
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.48.0 [SECURITY] Apr 18, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 1d21438 to af70393 Compare June 22, 2025 08:09
@renovate renovate Bot changed the title Update dependency transformers to v4.50.0 [SECURITY] Update dependency transformers [SECURITY] Jun 22, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from af70393 to 59cb5e8 Compare June 30, 2025 14:57
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 59cb5e8 to 4fc3c92 Compare July 11, 2025 16:23
@renovate renovate Bot requested a review from a team as a code owner July 11, 2025 16:23
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch 3 times, most recently from e6e8f20 to 51d73f3 Compare August 8, 2025 03:17
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch 2 times, most recently from 5d9d06a to c079476 Compare August 15, 2025 14:42
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.53.0 [SECURITY] Aug 15, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from c079476 to 6e66bb7 Compare August 19, 2025 16:42
@renovate renovate Bot changed the title Update dependency transformers to v4.53.0 [SECURITY] Update dependency transformers [SECURITY] Aug 19, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 6e66bb7 to c02d11b Compare August 19, 2025 23:48
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.53.0 [SECURITY] Aug 19, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from c02d11b to 4d1fca8 Compare September 15, 2025 13:14
@renovate renovate Bot added the renovatebot label Sep 15, 2025
@renovate renovate Bot changed the title Update dependency transformers to v4.53.0 [SECURITY] Update dependency transformers [SECURITY] Sep 15, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 4d1fca8 to 737b982 Compare September 15, 2025 14:22
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.53.0 [SECURITY] Sep 15, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 737b982 to 536512c Compare September 25, 2025 21:26
@renovate renovate Bot changed the title Update dependency transformers to v4.53.0 [SECURITY] Update dependency transformers [SECURITY] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 536512c to 4e2d0da Compare September 26, 2025 00:38
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.53.0 [SECURITY] Sep 26, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 4e2d0da to ec62d2a Compare October 9, 2025 10:11
@renovate renovate Bot changed the title Update dependency transformers to v4.53.0 [SECURITY] Update dependency transformers [SECURITY] Oct 9, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from ec62d2a to 8f7bf47 Compare October 9, 2025 13:41
@renovate renovate Bot changed the title Update dependency transformers [SECURITY] Update dependency transformers to v4.53.0 [SECURITY] Oct 10, 2025
@renovate renovate Bot force-pushed the renovate/pypi-transformers-vulnerability branch from 8f7bf47 to 412c924 Compare October 14, 2025 23:21
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>