
VULN UPGRADE: torch (minor → 2.9.1) [torchserve/tests]#22280

Closed

campaigner-prod[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/pip/tests/0-1767828974

Conversation

@campaigner-prod

Summary: Critical-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • torchserve/tests (pip)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| torch | 2.0.1 | 2.9.1 | minor | 1 CRITICAL, 2 HIGH, 1 MODERATE, 1 LOW, 5 UNKNOWN |

Security Details

🚨 Critical & High Severity (3 fixed)

| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| torch | GHSA-53q9-r3pm-6pq6 | CRITICAL | PyTorch: torch.load with weights_only=True leads to remote code execution | 2.0.1 | 2.6.0 |
| torch | GHSA-pg7h-5qx3-wjr3 | HIGH | PyTorch use-after-free vulnerability | 2.0.1 | 2.2.0 |
| torch | GHSA-5pcm-hx3q-hm94 | HIGH | PyTorch heap buffer overflow vulnerability | 2.0.1 | 2.2.0 |
ℹ️ Other Vulnerabilities (7)

| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| torch | GHSA-887c-mr87-cxwp | MODERATE | PyTorch Improper Resource Shutdown or Release vulnerability | 2.0.1 | 2.8.0 |
| torch | GHSA-3749-ghw9-m3mg | LOW | PyTorch susceptible to local Denial of Service | 2.0.1 | 2.7.1-rc1 |
| torch | PYSEC-2024-251 | unknown | - | 2.0.1 | 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 |
| torch | PYSEC-2024-252 | unknown | - | 2.0.1 | b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 |
| torch | PYSEC-2025-41 | unknown | - | 2.0.1 | 2.6.0 |
| torch | PYSEC-2024-250 | unknown | - | 2.0.1 | 7c35874ad664e74c8e4252d67521f3986eadb0e6 |
| torch | PYSEC-2024-259 | unknown | - | 2.0.1 | 2.5.0 |

Review Checklist

Enhanced review recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@github-actions
Contributor

github-actions Bot commented Jan 7, 2026

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

@codecov

codecov Bot commented Jan 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.03%. Comparing base (288fc11) to head (6f9a3f6).
⚠️ Report is 33 commits behind head on master.


@Kyle-Neale
Contributor

Closing since these are just test dependencies that are only used in CI.

@Kyle-Neale Kyle-Neale closed this Jan 14, 2026