Fix PT 2.10 package regression and PT 2.9 ECR scan failures #6138

Open: zhuofuAMZ wants to merge 3 commits into aws:master from zhuofuAMZ:fix-ecrscan

@zhuofuAMZ
Contributor

PT 2.10: Pin cachetools>=7.0.5, greenlet>=3.4.0, starlette>=1.0.0 in SageMaker extra packages to prevent transitive dependency downgrades detected by test_package_version_regression_in_image.

PT 2.9: Add torch CVE-2026-4538 and flash_attn CVE-2026-31253 to ECR enhanced scan allowlists. Both are local-only attack vectors with no upstream fix available for these framework versions.

Purpose

Test Plan

Test Result


Toggle if you are merging into master Branch

By default, docker image builds and tests are disabled. Two ways to run builds and tests:

  1. Using dlc_developer_config.toml
  2. Using this PR description (currently only supported for PyTorch, TensorFlow, vllm, and base images)
How to use the helper utility for updating dlc_developer_config.toml

Assuming your remote is called origin (you can find out more with git remote -v)...

  • Run default builds and tests for a particular buildspec - also commits and pushes changes to remote; Example:

python src/prepare_dlc_dev_environment.py -b </path/to/buildspec.yml> -cp origin

  • Enable specific tests for a buildspec or set of buildspecs - also commits and pushes changes to remote; Example:

python src/prepare_dlc_dev_environment.py -b </path/to/buildspec.yml> -t sanity_tests -cp origin

  • Restore TOML file when ready to merge

python src/prepare_dlc_dev_environment.py -rcp origin

NOTE: If you are creating a PR for a new framework version, please ensure success of the local, standard, rc, and efa sagemaker tests by updating the dlc_developer_config.toml file:

  • sagemaker_remote_tests = true
  • sagemaker_efa_tests = true
  • sagemaker_rc_tests = true
  • sagemaker_local_tests = true
How to use PR description

Use the code block below to uncomment commands and run the PR CodeBuild jobs. There are two commands available:
  • # /buildspec <buildspec_path>
    • e.g.: # /buildspec pytorch/training/buildspec.yml
    • If this line is commented out, dlc_developer_config.toml will be used.
  • # /tests <test_list>
    • e.g.: # /tests sanity security ec2
    • If this line is commented out, it will run the default set of tests (same as the defaults in dlc_developer_config.toml): sanity, security, ec2, ecs, eks, sagemaker, sagemaker-local.
# /buildspec <buildspec_path>
# /tests <test_list>
Toggle if you are merging into main Branch

PR Checklist

  • [] I ran pre-commit run --all-files locally before creating this PR. (Read DEVELOPMENT.md for details).

PT 2.10: Pin cachetools>=7.0.5, greenlet>=3.4.0, starlette>=1.0.0 in
SageMaker extra packages to prevent transitive dependency downgrades
detected by test_package_version_regression_in_image.

PT 2.9: Add torch CVE-2026-4538 and flash_attn CVE-2026-31253 to ECR
enhanced scan allowlists. Both are local-only attack vectors with no
upstream fix available for these framework versions.
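
A sketch of the kind of check the PT 2.10 pins are meant to satisfy, as an added example; it is not the repository's `test_package_version_regression_in_image` and not code from this PR. The floors come from the PR description, while the function names and both freeze listings are constructed for illustration.

```python
import re

# Floors are the pins named in the PR description.
FLOORS = {"cachetools": "7.0.5", "greenlet": "3.4.0", "starlette": "1.0.0"}

def release(version):
    """Numeric release tuple, e.g. '3.4.0.post1' -> (3, 4, 0).
    Simplification: epochs and pre/post/dev tags are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group().split("."))

def older(a, b):
    """True if version a is strictly older than b ('1.0' equals '1.0.0')."""
    ra, rb = release(a), release(b)
    n = max(len(ra), len(rb))
    return ra + (0,) * (n - len(ra)) < rb + (0,) * (n - len(rb))

def parse_freeze(text):
    """Map normalized package name -> version from `pip freeze` style lines."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pkgs[re.sub(r"[-_.]+", "-", name).lower()] = version
    return pkgs

def find_regressions(baseline, candidate, floors=FLOORS):
    """Report packages that went backwards or fell below a pinned floor."""
    findings = []
    for name, old in baseline.items():
        new = candidate.get(name)
        if new is not None and older(new, old):
            findings.append((name, f"downgraded {old} -> {new}"))
    for name, floor in floors.items():
        new = candidate.get(name)
        if new is not None and older(new, floor):
            findings.append((name, f"below floor {floor}: {new}"))
    return sorted(findings)

# Constructed sample listings (not taken from any real image).
BASELINE = parse_freeze("cachetools==7.0.5\ngreenlet==3.4.0\nstarlette==1.0.0\nrequests==2.32.0\n")
CANDIDATE = parse_freeze("cachetools==5.5.2\ngreenlet==3.4.0\nstarlette==0.46.2\nrequests==2.32.3\n")

if __name__ == "__main__":
    for name, reason in find_regressions(BASELINE, CANDIDATE):
        print(f"{name}: {reason}")
```

For real images, `packaging.version.Version` handles pre-release and post-release ordering that this simplified comparison ignores.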