Bump pyasn1 due to cve GHSA-63vm-454h-vhhq for r1.1.0 #1424

Closed
ayushdg wants to merge 1 commit into NVIDIA-NeMo:r1.1.0 from ayushdg:r1.1.0-cve-fixes

ayushdg commented Jan 23, 2026

Description

Usage

# Add snippet demonstrating usage

Checklist

  • I am familiar with the Contributing Guide.
  • New or Existing tests cover these changes.
  • The documentation is up to date with these changes.

Signed-off-by: Ayush Dattagupta <ayushdg95@gmail.com>

greptile-apps bot commented Jan 23, 2026

No reviewable files after applying ignore patterns.

praateekmahajan left a comment

shouldn't we add this bump in the constraints like the other CVEs?

ayushdg commented Jan 23, 2026

> shouldn't we add this bump in the constraints like the other CVEs?

Since this isn't a direct dependency but an indirect one coming from other packages I figured just bumping the uv lock file is sufficient. I'm not sure if that's the criteria. @thomasdhc Do you have thoughts?

@praateekmahajan

IIUC that's what constraint-dependencies solves for https://docs.astral.sh/uv/reference/settings/#constraint-dependencies

thomasdhc added the r1.1.0 label (Pick this label for auto cherry-picking into r1.1.0) Feb 2, 2026
@thomasdhc

ayushdg commented Feb 2, 2026

Closing since it's already been updated.

ayushdg closed this Feb 2, 2026