Merge branch 'dev' into dev

Author: e-mny

.dockerignore

@@ -3,11 +3,15 @@
 __pycache__/
 docs/
 
+.vscode
+.git
+.mypy_cache
+.ruff_cache
+.pytype
 .coverage
 .coverage.*
 .coverage/
 coverage.xml
 .readthedocs.yml
-*.toml
 
 !README.md

.github/workflows/pythonapp.yml

@@ -38,7 +38,7 @@ jobs:
       run: |
         find  /opt/hostedtoolcache/* -maxdepth 0 ! -name 'Python' -exec rm -rf {} \;
         python -m pip install --upgrade pip wheel
-        python -m pip install -r requirements-dev.txt
+        python -m pip install --no-build-isolation -r requirements-dev.txt
     - name: Lint and type check
       run: |
         # clean up temporary files
@@ -82,17 +82,17 @@ jobs:
         find  /opt/hostedtoolcache/* -maxdepth 0 ! -name 'Python' -exec rm -rf {} \;
     - name: Install the dependencies
       run: |
-        python -m pip install --user --upgrade pip wheel
+        python -m pip install --user --upgrade pip wheel pybind11
         python -m pip install torch==2.5.1 torchvision==0.20.1
         cat "requirements-dev.txt"
-        python -m pip install -r requirements-dev.txt
+        python -m pip install --no-build-isolation -r requirements-dev.txt
         python -m pip list
-        python setup.py develop  # test no compile installation
+        python -m pip install -e .  # test no compile installation
       shell: bash
     - name: Run compiled (${{ runner.os }})
       run: |
-        python setup.py develop --uninstall
-        BUILD_MONAI=1 python setup.py develop  # compile the cpp extensions
+        python -m pip uninstall -y monai
+        BUILD_MONAI=1 python -m pip install -e .  # compile the cpp extensions
       shell: bash
     - name: Run quick tests (CPU ${{ runner.os }})
       run: |
@@ -174,7 +174,7 @@ jobs:
         cp ${{ steps.root.outputs.pwd }}/requirements*.txt .
         cp -r ${{ steps.root.outputs.pwd }}/tests .
         ls -al
-        python -m pip install -r requirements-dev.txt --extra-index-url https://download.pytorch.org/whl/cpu
+        python -m pip install --no-build-isolation -r requirements-dev.txt --extra-index-url https://download.pytorch.org/whl/cpu
         python -m unittest -v
       env:
         PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION: python  # https://github.com/Project-MONAI/MONAI/issues/4354

.github/workflows/setupapp.yml

@@ -81,7 +81,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.9', '3.10', '3.11']
+        python-version: ['3.10', '3.11', '3.12']
     steps:
     - uses: actions/checkout@v6
       with:
@@ -90,23 +90,12 @@ jobs:
       uses: actions/setup-python@v6
       with:
         python-version: ${{ matrix.python-version }}
-    - name: cache weekly timestamp
-      id: pip-cache
-      run: |
-        echo "datew=$(date '+%Y-%V')" >> $GITHUB_OUTPUT
-    - name: cache for pip
-      uses: actions/cache@v5
-      id: cache
-      with:
-        path: |
-          ~/.cache/pip
-          ~/.cache/torch
-        key: ${{ runner.os }}-${{ matrix.python-version }}-pip-${{ steps.pip-cache.outputs.datew }}
+        cache: pip
     - name: Install the dependencies
       run: |
         find  /opt/hostedtoolcache/* -maxdepth 0 ! -name 'Python' -exec rm -rf {} \;
         python -m pip install --upgrade pip wheel
-        python -m pip install -r requirements-dev.txt
+        python -m pip install --no-build-isolation -r requirements-dev.txt
     - name: Run quick tests CPU ubuntu
       env:
         NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
@@ -115,8 +104,8 @@ jobs:
       run: |
         python -m pip list
         python -c 'import torch; print(torch.__version__); print(torch.rand(5,3))'
-        BUILD_MONAI=0 ./runtests.sh --build --quick --unittests
-        BUILD_MONAI=1 ./runtests.sh --build --quick --min
+        BUILD_MONAI=0 ./runtests.sh --build --coverage --quick --unittests
+        BUILD_MONAI=1 ./runtests.sh --build --coverage --quick --min
         coverage xml --ignore-errors
     - name: Upload coverage
       uses: codecov/codecov-action@v5

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ ci:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: end-of-file-fixer
       - id: trailing-whitespace
@@ -27,35 +27,18 @@ repos:
       - id: end-of-file-fixer
       - id: mixed-line-ending
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.7.0
+    rev: v0.14.11
     hooks:
-    -   id: ruff
+    -   id: ruff-check
         args: ["--fix"]
         exclude: |
           (?x)(
               ^versioneer.py|
               ^monai/_version.py
           )
 
-  - repo: https://github.com/asottile/yesqa
-    rev: v1.5.0
-    hooks:
-      - id: yesqa
-        name: Unused noqa
-        additional_dependencies:
-          - flake8>=3.8.1
-          - flake8-bugbear<=24.2.6
-          - flake8-comprehensions
-          - pep8-naming
-        exclude: |
-          (?x)^(
-              monai/__init__.py|
-              docs/source/conf.py|
-              tests/utils.py
-          )$
-
   - repo: https://github.com/hadialqattan/pycln
-    rev: v2.5.0
+    rev: v2.6.0
     hooks:
       - id: pycln
         args: [--config=pyproject.toml]

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+## [1.5.2] - 2026-01-28
+
+## What's Changed
+### Fixed
+* Fix Zip Slip vulnerability in NGC private bundle download (#8682)
+
 ## [1.5.1] - 2025-09-22
 
 ## What's Changed
@@ -1261,7 +1267,8 @@ the postprocessing steps should be used before calling the metrics methods
 
 [highlights]: https://github.com/Project-MONAI/MONAI/blob/master/docs/source/highlights.md
 
-[Unreleased]: https://github.com/Project-MONAI/MONAI/compare/1.5.1...HEAD
+[Unreleased]: https://github.com/Project-MONAI/MONAI/compare/1.5.2...HEAD
+[1.5.2]: https://github.com/Project-MONAI/MONAI/compare/1.5.1...1.5.2
 [1.5.1]: https://github.com/Project-MONAI/MONAI/compare/1.5.0...1.5.1
 [1.5.0]: https://github.com/Project-MONAI/MONAI/compare/1.4.0...1.5.0
 [1.4.0]: https://github.com/Project-MONAI/MONAI/compare/1.3.2...1.4.0

CITATION.cff

@@ -6,8 +6,8 @@ title: "MONAI: Medical Open Network for AI"
 abstract: "AI Toolkit for Healthcare Imaging"
 authors:
   - name: "MONAI Consortium"
-date-released: 2025-09-22
-version: "1.5.1"
+date-released: 2026-01-29
+version: "1.5.2"
 identifiers:
   - description: "This DOI represents all versions of MONAI, and will always resolve to the latest one."
     type: doi

CONTRIBUTING.md

@@ -37,7 +37,7 @@ Please note that, as per PyTorch, MONAI uses American English spelling. This mea
 
 ### Preparing pull requests
 
-To ensure the code quality, MONAI relies on several linting tools ([flake8 and its plugins](https://gitlab.com/pycqa/flake8), [black](https://github.com/psf/black), [isort](https://github.com/timothycrosley/isort), [ruff](https://github.com/astral-sh/ruff)),
+To ensure the code quality, MONAI relies on several linting tools ([black](https://github.com/psf/black), [isort](https://github.com/timothycrosley/isort), [ruff](https://github.com/astral-sh/ruff)),
 static type analysis tools ([mypy](https://github.com/python/mypy), [pytype](https://github.com/google/pytype)), as well as a set of unit/integration tests.
 
 This section highlights all the necessary preparation steps required before sending a pull request.
@@ -51,7 +51,7 @@ To collaborate efficiently, please read through this section and follow them.
 
 #### Checking the coding style
 
-Coding style is checked and enforced by flake8, black, isort, and ruff, using [a flake8 configuration](./setup.cfg) similar to [PyTorch's](https://github.com/pytorch/pytorch/blob/master/.flake8).
+Coding style is checked and enforced by black, isort, and ruff.
 Before submitting a pull request, we recommend that all linting should pass, by running the following command locally:
 
 ```bash
@@ -380,7 +380,8 @@ All code review comments should be specific, constructive, and actionable.
 
 ### Release a new version
 
-The `dev` branch's `HEAD` always corresponds to MONAI docker image's latest tag: `projectmonai/monai:latest`.
+The `dev` branch's `HEAD` always corresponds to MONAI Docker image's latest tag: `projectmonai/monai:latest`. (No
+release is currently done for the slim MONAI image, this is built locally by users.)
 The `main` branch's `HEAD` always corresponds to the latest MONAI milestone release.
 
 When major features are ready for a milestone, to prepare for a new release:

Dockerfile

@@ -11,7 +11,7 @@
 
 # To build with a different base image
 # please run `docker build` using the `--build-arg PYTORCH_IMAGE=...` flag.
-ARG PYTORCH_IMAGE=nvcr.io/nvidia/pytorch:24.10-py3
+ARG PYTORCH_IMAGE=nvcr.io/nvidia/pytorch:25.12-py3
 FROM ${PYTORCH_IMAGE}
 
 LABEL maintainer="monai.contact@gmail.com"
@@ -42,9 +42,6 @@ COPY LICENSE CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md README.md versionee
 COPY tests ./tests
 COPY monai ./monai
 
-# TODO: remove this line and torch.patch for 24.11
-RUN patch -R -d /usr/local/lib/python3.10/dist-packages/torch/onnx/ < ./monai/torch.patch
-
 RUN BUILD_MONAI=1 FORCE_CUDA=1 python setup.py develop \
   && rm -rf build __pycache__
 

Dockerfile.slim

@@ -0,0 +1,93 @@
+# Copyright (c) MONAI Consortium
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is a slimmed down version of the MONAI Docker image using a smaller base image and multi-stage building. Not all
+# NVIDIA tools will be present but all libraries and compiled code are included. This image isn't provided through
+# Dockerhub so users must build locally: `docker build -t monai_slim -f Dockerfile.slim .`
+# Containers may require more shared memory, eg.: `docker run -ti --rm --gpus all --shm-size=10gb monai_slim /bin/bash`
+
+ARG IMAGE=debian:12-slim
+
+FROM ${IMAGE} AS build
+
+ARG TORCH_CUDA_ARCH_LIST="7.5 8.0 8.6 8.9 9.0+PTX"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV APT_INSTALL="apt install -y --no-install-recommends"
+
+RUN apt update && apt upgrade -y && \
+    ${APT_INSTALL} ca-certificates python3-pip python-is-python3 git wget libopenslide0 unzip python3-dev && \
+    wget https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64/cuda-keyring_1.1-1_all.deb && \
+    dpkg -i cuda-keyring_1.1-1_all.deb && \
+    apt update && \
+    ${APT_INSTALL} cuda-toolkit-12 && \
+    rm -rf /usr/lib/python*/EXTERNALLY-MANAGED /var/lib/apt/lists/* && \
+    python -m pip install --upgrade --no-cache-dir --no-build-isolation pip
+
+# TODO: remark for issue [revise the dockerfile](https://github.com/zarr-developers/numcodecs/issues/431)
+RUN if [[ $(uname -m) =~ "aarch64" ]]; then \
+      CFLAGS="-O3" DISABLE_NUMCODECS_SSE2=true DISABLE_NUMCODECS_AVX2=true python -m pip install numcodecs; \
+    fi
+
+# NGC Client
+WORKDIR /opt/tools
+ARG NGC_CLI_URI="https://ngc.nvidia.com/downloads/ngccli_linux.zip"
+RUN wget -q ${NGC_CLI_URI} && unzip ngccli_linux.zip && chmod u+x ngc-cli/ngc && \
+    find ngc-cli/ -type f -exec md5sum {} + | LC_ALL=C sort | md5sum -c ngc-cli.md5 && \
+    rm -rf ngccli_linux.zip ngc-cli.md5
+
+WORKDIR /opt/monai
+
+# copy relevant parts of repo
+COPY requirements.txt requirements-min.txt requirements-dev.txt versioneer.py setup.py setup.cfg pyproject.toml ./
+COPY LICENSE CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md README.md MANIFEST.in runtests.sh ./
+COPY tests ./tests
+COPY monai ./monai
+
+# install full deps
+RUN python -m pip install --no-cache-dir --no-build-isolation -r requirements-dev.txt
+
+# compile ext
+RUN CUDA_HOME=/usr/local/cuda FORCE_CUDA=1 USE_COMPILED=1 BUILD_MONAI=1 python setup.py develop
+
+# recreate the image without the installed CUDA packages then copy the installed MONAI and Python directories
+FROM ${IMAGE} AS build2
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV APT_INSTALL="apt install -y --no-install-recommends"
+
+RUN apt update && apt upgrade -y && \
+    ${APT_INSTALL} ca-certificates python3-pip python-is-python3 git libopenslide0 && \
+    apt clean && \
+    rm -rf /usr/lib/python*/EXTERNALLY-MANAGED /var/lib/apt/lists/* && \
+    python -m pip install --upgrade --no-cache-dir --no-build-isolation pip
+
+COPY --from=build /opt/monai /opt/monai
+COPY --from=build /opt/tools /opt/tools
+ARG PYTHON_VERSION=3.11
+COPY --from=build /usr/local/lib/python${PYTHON_VERSION}/dist-packages /usr/local/lib/python${PYTHON_VERSION}/dist-packages
+COPY --from=build /usr/local/bin /usr/local/bin
+
+RUN rm -rf /opt/monai/build /opt/monai/monai.egg-info && \
+    find /opt /usr/local/lib -type d -name __pycache__ -exec rm -rf {} +
+
+# flatten all layers down to one
+FROM ${IMAGE}
+LABEL maintainer="monai.contact@gmail.com"
+
+COPY --from=build2 / /
+
+WORKDIR /opt/monai
+
+ENV PATH=${PATH}:/opt/tools:/opt/tools/ngc-cli
+ENV POLYGRAPHY_AUTOINSTALL_DEPS=1
+ENV CUDA_HOME=/usr/local/cuda
+ENV BUILD_MONAI=1

MANIFEST.in

@@ -3,3 +3,5 @@ include monai/_version.py
 
 include README.md
 include LICENSE
+
+prune tests