Skip to content

fix(deps): vuln major upgrades — 4 packages (major: 3 · minor: 1) #125

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/2-1781558625
Draft

fix(deps): vuln major upgrades — 4 packages (major: 3 · minor: 1) #125
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/2-1781558625

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Summary: High-severity security update — 4 packages upgraded (MAJOR changes included)

Manifests changed:

  • . (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
transformers 4.52.1 5.12.0 major Direct 16 HIGH, 9 MEDIUM
numpy 1.26.4 2.4.6 major Direct -
rich 10.2.2 15.0.0 major Direct -
tqdm 4.66.3 4.68.2 minor Direct -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (16 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
transformers PYSEC-2025-215 high - 4.52.1 -
transformers CVE-2025-14929 high - 4.52.1 -
transformers PYSEC-2025-216 high - 4.52.1 -
transformers CVE-2025-14928 high - 4.52.1 -
transformers PYSEC-2025-213 high - 4.52.1 -
transformers CVE-2025-14924 high - 4.52.1 -
transformers PYSEC-2025-218 high - 4.52.1 -
transformers CVE-2025-14930 high - 4.52.1 -
transformers CVE-2025-14927 high - 4.52.1 -
transformers PYSEC-2025-217 high - 4.52.1 -
transformers PYSEC-2025-212 high - 4.52.1 -
transformers CVE-2025-14921 high - 4.52.1 -
transformers CVE-2025-14926 high - 4.52.1 -
transformers PYSEC-2025-214 high - 4.52.1 -
transformers CVE-2025-14920 high - 4.52.1 -
transformers PYSEC-2025-211 high - 4.52.1 -
ℹ️ Other Vulnerabilities (9)
Package CVE Severity Summary Unsafe Version Fixed In
transformers CVE-2025-5197 MODERATE - 4.52.1 -
transformers GHSA-59p9-h35m-wg4g MODERATE Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer 4.52.1 4.53.0
transformers GHSA-9356-575x-2w9m MODERATE Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability 4.52.1 4.53.0
transformers CVE-2025-6638 MODERATE - 4.52.1 -
transformers CVE-2025-6921 MODERATE - 4.52.1 -
transformers GHSA-4w7r-h757-3r74 MODERATE Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer 4.52.1 4.53.0
transformers GHSA-rcv9-qm8p-9p6j MODERATE Hugging Face Transformers library has Regular Expression Denial of Service 4.52.1 4.53.0
transformers CVE-2025-6051 MODERATE - 4.52.1 -
transformers GHSA-69w3-r845-3855 MODERATE HuggingFace Transformers allows for arbitrary code execution in the Trainer class 4.52.1 5.0.0rc3
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
rich 10.2.2 May 19, 2026 15.0.0 requirements.txt

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jun 15, 2026
edited by datadog-prod-us1-6 Bot
Loading

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Black Code Formatting | Run Code Formatting Check   View in Datadog   GitHub Actions

MyPy Type Checking | Run Type Checking   View in Datadog   GitHub Actions

Run CPU Pytests | Run CPU Tests   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1ce6872 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-major-update adms-medium-severity adms-mode-all-vulns adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants