chore: bump visual-retrieval-colpali deps to fix Mend CVEs#1909
Open
chore: bump visual-retrieval-colpali deps to fix Mend CVEs#1909
Conversation
Whole-manifest sweep of visual-retrieval-colpali to resolve the 18 HIGH/CRITICAL Mend findings flagged in the 2026-05-07 rescan. Notable bumps in src/legacy-requirements.txt (full sweep, not just flagged libs): accelerate 0.34.2 -> 1.13.0 (CVE-2025-14925) python-multipart 0.0.26 -> 0.0.27 (CVE-2026-42561) torch 2.8.0 -> 2.11.0 (CVE-2025-55551, CVE-2026-24747) transformers 5.0.0 -> 4.57.6 (CVE-2024-1139[2-4], CVE-2025-1492[0,1,4,6-30]) huggingface-hub 0.36.0 -> 0.36.2 tokenizers 0.20.3 -> 0.22.2 pyproject.toml: relax `transformers==5.0.0` to `>=4.57.6,<5.0.0`. The previous `==5.0.0` pin (added by Renovate PR #1903 / commit 952bb5f) was unsatisfiable because vidore-benchmark[interpretability] 4.0.x requires `transformers<5.0.0` and the application code imports `vidore_benchmark.interpretability.torch_utils` (interpretability module was removed in vidore-benchmark 5.0.0). Reverting to the latest 4.x line yields a resolvable lockfile while still picking up the silent CVE patches that landed across 4.48 -> 4.57. Pillow remains at 10.4.0 -- transitively pinned `<11.0.0` by both colpali-engine 0.3.1 and vidore-benchmark 4.0.x. Lifting it to 12.x to clear the three pillow CVEs requires migrating off vidore-benchmark[interpretability] (used by src/backend/colpali.py and prepare_feed_deploy.py); that's a code refactor and out of scope for this dep-bump PR. Supersedes Renovate PR #1908 (python-multipart 0.0.27). No local tests run; sample-apps integration tests are too heavy for a dev box. Mend rescan after merge. Related: VESPANG-3201, VESPANG-3271
lucene-analysis-opennlp:9.12.3 transitively pulls opennlp-tools:1.9.4, which is vulnerable to CVE-2026-42440 (OOM DoS via unbounded array allocation in AbstractModelReader). The lucene version is parent-managed (${lucene.vespa.version}) and cannot be bumped here, so override the transitive opennlp-tools to 2.5.9 (the fixed 2.x release). Lucene 10.x already uses opennlp 2.5.x against the same public API surface, so the upgrade is API-compatible for the consumer. slf4j-api transitive is excluded to satisfy the no-compile-scope container enforcer rule. Also rebased onto current master (no conflicts).
odosk
force-pushed
the
fix/cve-deps-2026-05-07
branch
from
17002af to
018275a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
This PR was opened by Claude Code as part of an automated Mend -> Jira -> GitHub security sweep. It will be merged on approval.
Summary
Whole-manifest sweep of
visual-retrieval-colpali/to clear the 18 HIGH/CRITICAL Mend findings reported in the 2026-05-07 rescan, plus an opennlp-tools override inexamples/lucene-linguistics/going-crazy/for a new finding (CVE-2026-42440) that landed on 2026-05-08.The preceding Renovate auto-merge of
transformers==5.0.0(commit 952bb5f) leftpyproject.tomland the lockfile in an unsatisfiable state because the rest of the dependency tree (vidore-benchmark[interpretability]<5.0.0,colpali-engine==0.3.1) requirestransformers<5.0.0. This PR reverts that pin to the latest resolvable 4.x line and refreshes every other dependency in the lockfile.Changed Files
visual-retrieval-colpali/pyproject.tomltransformers==5.0.0->transformers>=4.57.6,<5.0.0visual-retrieval-colpali/src/legacy-requirements.txtuv pip compile pyproject.toml -o src/legacy-requirements.txt --upgrade(-145 / +126 lines)examples/lucene-linguistics/going-crazy/pom.xmlopennlp-tools:1.9.4fromlucene-analysis-opennlp:9.12.3; add explicitopennlp-tools:2.5.9(with slf4j-api exclusion to satisfy container-enforcer)Notable transitions in the colpali lockfile:
Notable transition in lucene-linguistics/going-crazy:
CVEs Addressed
torch.linalg.luweights_onlyunpickler escape, fixed in 2.10.0examples/lucene-linguistics/going-crazy)The transformers ZDI advisories are not yet indexed in OSV against specific transformers version ranges, so the "fixed in 4.57.6" claim is best-effort: 4.57.6 is the most recent 4.x release and OSV reports no transformers vulns against it other than the unrelated CVE-2026-1839 (Trainer class) which was not in this Mend batch.
Cannot fix in this PR (pillow CVEs)
Pillow stays at 10.4.0 because both
colpali-engine==0.3.1andvidore-benchmark[interpretability]>=4.0.0,<5.0.0transitively requirepillow<11.0.0. The pillow CVEs needpillow>=12.1.1.Lifting the pillow constraint requires one of:
vidore-benchmarkto 5.x. Blocker: vidore 5.0.0 deleted theinterpretabilitymodule thatsrc/backend/colpali.py:14andprepare_feed_deploy.py:67import. Needs application-code refactor.colpali-enginepast 0.3.1 to a release without the strict pillow ceiling. Blocker: chain leads back to vidore-benchmark 5 / transformers 5 (colpali-engine 0.3.15 requirestransformers>=5.3.0), so same blocker.Surfacing to repo owners as a follow-up: the three pillow CVEs and any forthcoming transformers 5.x-only patches will require porting
visual-retrieval-colpalioffvidore-benchmark.interpretability.Supersedes
python-multipart0.0.26 -> 0.0.27 forvisual-retrieval-colpali/src/legacy-requirements.txt) - covered.#1907 is for
hypencoder/requirements.txt, a different sub-app, and is not superseded by this PR.Implementation Notes
transformers==5.0.0pin inpyproject.toml(Renovate, commit 952bb5f) was unsatisfiable.uv pip compileerrored:>=4.57.6,<5.0.0. Latest 4.x is 4.57.6.lucene.versionresolves tolucene.vespa.versionfrom the parent (cloud-tenant-base [8,9)), so the lucene line cannot be bumped from this pom. Lucene 10.4.0's own opennlp module pinsopennlp-tools:2.5.3against the same public API (opennlp.tools.{chunker,lemmatizer,namefind,postag,sentdetect,tokenize,util}) that 9.12.3 uses, so the 2.5.9 override is API-compatible forlucene-analysis-opennlp:9.12.3.pyproject.toml. All other transitions came from the resolver.Verification
uv pip compile pyproject.toml -o src/legacy-requirements.txt --upgradesucceeds cleanly.examples/lucene-linguistics/going-crazy:mvn package -DskipTestspasses;mvn dependency:treeconfirmsorg.apache.opennlp:opennlp-tools:jar:2.5.9resolved (was 1.9.4).sample-appsintegration tests are heavy and out of scope for an automated dep bump.