Outdated pinned dependencies in tools/ray_tpu/ (TF 2.9.3, JAX 0.3.4, numpy 1.22) #3540
Open
Description
The dependency files in tools/ray_tpu/ have pinned versions that are 3+ years old and may have known security vulnerabilities or compatibility issues with modern Python environments.
tools/ray_tpu/src/tune/requirements.txt
| Package | Pinned Version | Latest Stable | Age |
|---|---|---|---|
| tensorflow-cpu | 2.9.3 | 2.18+ | ~3 years |
| jax | 0.3.4 | 0.4.x+ | ~4 years |
| jaxlib | 0.3.2 | 0.4.x+ | ~4 years |
| numpy | 1.22.0 | 1.26+ | ~4 years |
| protobuf | 3.19.0 | 4.x+ | ~4 years |
| flax | 0.4.1 | 0.8+ | ~3 years |
| tensorflow-datasets | 4.4.0 | 4.9+ | ~3 years |
tools/ray_tpu/src/serve/requirements.txt
- `ray[serve]` is pinned to `2.5.1` (June 2023)
- `fastapi` and `pillow` have no version pins at all (inconsistent with the tune requirements)
Impact
- Users following the Ray TPU examples may encounter installation failures or incompatibilities with current Python 3.10+ environments
- Older versions of `protobuf` and `numpy` have known CVEs
- `jax` 0.3.x is incompatible with current TPU runtimes
Suggested Fix
Update all pinned versions to current stable releases, or at minimum specify a compatible range (e.g., numpy>=1.22,<2.0).
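An added example, not part of the original issue or the project's code: a small stdlib-only audit that groups requirement lines by pin style (exact, bounded range, open-ended, unpinned), which makes the tune/serve inconsistency described above visible. The sample file contents are constructed from the versions listed in the issue; the `==` operator and the function names `classify` and `audit` are assumptions. It checks pin style only, not whether a version has known vulnerabilities.

```python
import re

# Constructed sample input: package names and versions are those listed in the
# issue; the "==" operator and the file layout are assumptions.
TUNE_REQS = """\
tensorflow-cpu==2.9.3
jax==0.3.4
jaxlib==0.3.2
numpy==1.22.0
protobuf==3.19.0
flax==0.4.1
tensorflow-datasets==4.4.0
"""
SERVE_REQS = """\
ray[serve]==2.5.1
fastapi
pillow
"""

# name, optional [extras], then the raw version specifier (may be empty)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;#]*)")

def classify(line):
    """Return (name, kind) for one requirement line, or None to skip it."""
    line = line.strip()
    if not line or line.startswith(("#", "-")):  # comments, -r/-e/--options
        return None
    m = _REQ.match(line)
    if not m:
        return (line, "unparsed")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
    clauses = [c.strip() for c in m.group(3).split(",") if c.strip()]
    if not clauses:
        return (name, "unpinned")
    if len(clauses) == 1 and clauses[0].startswith("==") and "*" not in clauses[0]:
        return (name, "exact")
    has_upper = any(c.startswith(("<", "~=", "==")) for c in clauses)
    return (name, "range" if has_upper else "open-ended")

def audit(text):
    """Group requirement names by pin style."""
    report = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            report.setdefault(result[1], []).append(result[0])
    return report
```

`audit(SERVE_REQS)` reports one exact pin and two unpinned packages, while `audit(TUNE_REQS)` reports only exact pins; the range suggested in the issue, `numpy>=1.22,<2.0`, classifies as `range`.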