feat: support vLLM nightly builds via wheels.vllm.ai #736
doringeman wants to merge 1 commit into main
Code Review
This pull request introduces support for installing vLLM from wheels.vllm.ai, enabling the use of nightly builds and specific commit hashes. However, a critical command injection vulnerability has been identified in both the Dockerfile and Makefile. This occurs because the user-provided VLLM_VERSION is used in shell commands within double quotes, allowing for shell expansion and potential arbitrary command execution, even affecting the validation check. Additionally, the current implementation has a critical issue where release versions are not correctly prefixed with v (e.g., v0.12.0) as required by wheels.vllm.ai, which will cause default builds to fail. To mitigate the command injection, it is recommended to use single quotes around variables in shell commands to prevent shell expansion.
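An added example, not code from this pull request: one way to handle the command injection described in the review is to allow-list `VLLM_VERSION` before it reaches any shell command or URL, so the outcome does not depend on quoting. The accepted forms (`nightly`, a 7 to 40 character hex commit hash, a release version with optional `v`), the function names and the sample CUDA tag `cu130` are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): allow-list validation of the
# build arguments before they are interpolated into a wheels.vllm.ai URL.
LC_ALL=C; export LC_ALL   # make bracket ranges byte-exact

# Returns 0 if $1 is "nightly", a hex commit hash, or a release version.
validate_vllm_version() {
    [ "$1" = nightly ] && return 0
    # Whole-string character check first: case patterns see the entire
    # value, so an embedded newline cannot slip past the line-based grep.
    case "$1" in
        ''|*[!0-9a-fv.]*) return 1 ;;
    esac
    # Assumed shapes: 0.12.0 / v0.12.0, or 7-40 lowercase hex characters.
    printf '%s\n' "$1" |
        grep -Eq '^(v?[0-9]+\.[0-9]+\.[0-9]+|[0-9a-f]{7,40})$'
}

# Prints the index URL for version $1 and CUDA tag $2, or fails.
vllm_wheel_url() {
    if ! validate_vllm_version "$1"; then
        echo "invalid VLLM_VERSION" >&2
        return 1
    fi
    case "$2" in
        ''|*[!a-z0-9]*) echo "invalid VLLM_CUDA_VERSION" >&2; return 1 ;;
    esac
    printf 'https://wheels.vllm.ai/%s/%s\n' "$1" "$2"
}

# Constructed sample inputs: three acceptable values, two that carry
# shell metacharacters and must be rejected.
for candidate in nightly v0.12.0 0123abc 'nightly; echo x' '$(echo x)'; do
    if validate_vllm_version "$candidate"; then
        printf 'accept  %s\n' "$candidate"
    else
        printf 'reject  %s\n' "$candidate"
    fi
done
```

Calling such a check at the top of the Makefile target and the Dockerfile `RUN` step, and aborting on failure, means a rejected value never reaches `pip` or the shell.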
Signed-off-by: Dorin Geman <dorin.geman@docker.com>
f8c69db to 1b2aefe
CUDA/ROCm and Metal make sense for us to integrate, there's a really simplified installation guide here now:
Install vLLM from https://wheels.vllm.ai/{VLLM_VERSION}/{VLLM_CUDA_VERSION} instead of GitHub Releases, allowing nightly builds to be used via `make docker-run-vllm VLLM_VERSION=nightly` (or pinned to a specific commit hash for reproducible builds).

vLLM stable releases (0.16.x) do not yet support Qwen3.5 (#731) — support is available on the main branch ahead of 0.17.0. vLLM publishes pre-built wheels for every merged commit at wheels.vllm.ai, which this change allows us to use.
Tested in https://github.com/docker/model-runner/actions/runs/22712921339.
Usage
E.g.,
E.g., (intentionally the same commit as nightly)
E.g.,