Release 1.5.1 Updates

[ericspod]

Fixes #8569.

Description

This updates documentation and other components for the 1.5.1 release.

Types of changes

• Non-breaking change (fix or new feature that would not break existing functionality).
• Breaking change (fix or new feature that would cause existing functionality to change).
• New tests added to cover the changes.
• Integration tests passed locally by running ./runtests.sh -f -u --net --coverage.
• Quick tests passed locally by running ./runtests.sh --quick --unittests --disttests.
• In-line docstrings updated.
• Documentation updated, tested make html command in the docs/ folder.

[coderabbitai]

Walkthrough

Adds a 1.5.1 release entry to CHANGELOG.md with dated subsections (Added, Fixed, Changed) describing PyTorch 2.7/2.8 support, GPU compatibility notes, security fixes, dependency updates, new YAML config and input validation items, conditioning/classifier-guidance and DiffusionModelEncoder enhancements, and other minor fixes. Adds docs/source/whatsnew_1_5_1.md with the 1.5.1 release notes, updates docs/source/whatsnew.rst to include the new page in the toctree, and removes trailing emoji from the main heading in docs/source/whatsnew_1_5.md. No public/exported API signatures changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues Check	❓ Inconclusive	The changes implement the linked issue's coding-related objectives by adding the CHANGELOG entry and whatsnew documentation for 1.5.1, satisfying the release-note drafting requirement, but the changelog currently references PR #8580 which remains unmerged and several other release checklist items in the linked issue are still open, so I cannot confirm full compliance with all linked coding objectives. Non-coding/manual verification tasks were ignored per instructions. Because an important referenced PR is pending, full compliance is inconclusive at this time.	Merge PR #8580 and ensure any other required documentation PRs (README, monai.io highlights, or related doc updates) are included or referenced, then re-run this compliance check.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Release 1.5.1 Updates" clearly and succinctly communicates the primary intent to update release 1.5.1 materials and matches the changeset (changelog and docs updates). It is concise, specific, and free of noisy file lists or emojis, so a teammate scanning history will understand the main change. The phrasing is appropriate for a release-preparation PR.
Out of Scope Changes Check	✅ Passed	The provided diffs are limited to documentation files (CHANGELOG.md and docs/whatsnew entries) and a minor heading edit; there are no code, public API, or unrelated tooling changes in the summary. I find no evidence of out-of-scope or unrelated code changes introduced by this PR.
Description Check	✅ Passed	The PR description follows the repository template: it includes "Fixes #8569", a short Description, and the "Types of changes" checklist with the non-breaking box checked, so required template sections are present and the core intent (documentation and release updates) is clear. Several optional checklist items remain unchecked and the changelog references PR #8580 which is not yet merged, but these are non-blocking for documenting the release note itself. Overall the description is sufficiently complete for review.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[KumoLiu]

/build

[KumoLiu]

Hi @ericspod, does this PR ready for review?

[ericspod]

Hi @ericspod, does this PR ready for review?

I've just added a few more items for the changelog but we should be ready to go now. Thanks!

[ericspod]

#8580 is mentioned in the changelog although it hasn't been merged yet, it should be merged before the release.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (6)

CHANGELOG.md (5)

22-24: Fix MD034 (bare URLs) and improve readability of advisories.

Wrap advisory URLs with link text.

Apply:

-* Fix for insecure zip file extraction to address https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m (#8568)
-* Fix for insecure use of `torch.load` and `pickle` to address https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-6vm5-6jv9-rjpj and https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm (#8566)
+* Fix for insecure zip file extraction to address [GHSA-x6ww-pf9m-m73m](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m) (#8568)
+* Fix for insecure use of `torch.load` and `pickle` to address [GHSA-6vm5-6jv9-rjpj](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-6vm5-6jv9-rjpj) and [GHSA-p8cm-mm2v-gwjm](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm) (#8566)

---

24-24: Capitalize TorchVision consistently.

-* Torchvision fix for loading pretrained weights using current syntax (#8563)
+* TorchVision fix for loading pretrained weights using current syntax (#8563)

---

25-26: Proper nouns and acronyms: MAISI, VAE.

-* Fix bug in maisi vae (#8517)
+* Fix bug in MAISI VAE (#8517)

---

8-8: Nit: double space before date.

-## [1.5.1] -  2025-09-22
+## [1.5.1] - 2025-09-22

---

1264-1285: Add missing link ref for [1.5.1] and prep [Unreleased] compare for post‑tag.

Apply now; flip Unreleased compare after tagging:

-[Unreleased]: https://github.com/Project-MONAI/MONAI/compare/1.5.0...HEAD
+[Unreleased]: https://github.com/Project-MONAI/MONAI/compare/1.5.1...HEAD
+[1.5.1]: https://github.com/Project-MONAI/MONAI/compare/1.5.0...1.5.1

Ensure you switch the Unreleased link in the same commit that creates the 1.5.1 tag.

docs/source/whatsnew_1_5_1.md (1)

2-12: Tighten wording, capitalization, emoji, and link to CHANGELOG.

Apply:

-# What's new in 1.5.1 🎉🎉
+# What's new in 1.5.1

-This is a minor update for MONAI to address security concerns and improve compatibility with the newest PyTorch release.
+This minor release addresses security advisories and adds compatibility with the latest PyTorch release.

-With the upgrade support for PyTorch 2.8, MONAI now directly support NVIDIA GeForce RTX 50 series GPUs and other Blackwell-based GPUs!
+With support for PyTorch 2.8, MONAI now supports NVIDIA GeForce RTX 50‑series and other Blackwell‑based GPUs (subject to matching CUDA/driver versions).

-- Support up to PyTorch 2.8.
-- Security fixes to address advisories [GHSA-x6ww-pf9m-m73m](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m), [GHSA-6vm5-6jv9-rjpj](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-6vm5-6jv9-rjpj), and [GHSA-p8cm-mm2v-gwjm](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm),
-- Updated version of supported Huggingface Transformers library to address security advisories raised for it.
-- Updated Torchvision pretrained network loading to use current arguments.
-- Many minor fixes to identified issues, see release notes for details on merged PRs.
+- Support up to PyTorch 2.8.
+- Security fixes addressing [GHSA-x6ww-pf9m-m73m](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m), [GHSA-6vm5-6jv9-rjpj](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-6vm5-6jv9-rjpj), and [GHSA-p8cm-mm2v-gwjm](https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm).
+- Updated supported version of the Hugging Face Transformers library to address its advisories.
+- Updated TorchVision pretrained model loading to current argument patterns.
+- Many minor fixes; see the [CHANGELOG 1.5.1 section](../../CHANGELOG.md#151---2025-09-22) for details.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between cf5790d and 2c3606f.

📒 Files selected for processing (4)

• CHANGELOG.md (1 hunks)
• docs/source/whatsnew.rst (1 hunks)
• docs/source/whatsnew_1_5.md (1 hunks)
• docs/source/whatsnew_1_5_1.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.rst

⚙️ CodeRabbit configuration file

Remember that documentation must be updated with the latest information.

Files:

• docs/source/whatsnew.rst

**/*.md

⚙️ CodeRabbit configuration file

Remember that documentation must be updated with the latest information.

Files:

• docs/source/whatsnew_1_5.md
• CHANGELOG.md
• docs/source/whatsnew_1_5_1.md

🪛 markdownlint-cli2 (0.18.1)

CHANGELOG.md

22-22: Bare URL used

(MD034, no-bare-urls)

---

23-23: Bare URL used

(MD034, no-bare-urls)

---

23-23: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)

• GitHub Check: min-dep-pytorch (2.5.1)
• GitHub Check: quick-py3 (ubuntu-latest)
• GitHub Check: min-dep-pytorch (2.6.0)
• GitHub Check: min-dep-pytorch (2.8.0)
• GitHub Check: quick-py3 (macOS-latest)
• GitHub Check: packaging
• GitHub Check: build-docs
• GitHub Check: min-dep-os (macOS-latest)
• GitHub Check: flake8-py3 (pytype)
• GitHub Check: quick-py3 (windows-latest)
• GitHub Check: min-dep-pytorch (2.7.1)
• GitHub Check: min-dep-py3 (3.12)
• GitHub Check: flake8-py3 (mypy)
• GitHub Check: min-dep-os (ubuntu-latest)
• GitHub Check: min-dep-py3 (3.11)
• GitHub Check: min-dep-py3 (3.9)
• GitHub Check: flake8-py3 (codeformat)
• GitHub Check: min-dep-py3 (3.10)
• GitHub Check: min-dep-os (windows-latest)

🔇 Additional comments (5)

CHANGELOG.md (2)

8-8: Release date is in the future—confirm before merging.

“2025-09-22” is tomorrow (current date: 2025-09-21). Either confirm the date matches the tag cut or leave it blank until tagging.

---

12-20: Version support claims—ensure CI matrices and docs match.

“PyTorch 2.7 and 2.8 support” and “DiffusionModelEncoder updates (#8578, #8580)” should be reflected in requirements, CI envs, and docs. Verify the min/max versions and CUDA/toolkit combos are tested.

docs/source/whatsnew_1_5.md (1)

2-2: Heading style consistency looks good.

docs/source/whatsnew.rst (1)

9-9: Add 1.5.1 to toctree—LGTM.

Run “make html” to ensure MyST parses the new .md page cleanly.

docs/source/whatsnew_1_5_1.md (1)

6-6: Hardware claim—verify CUDA/driver matrix and CI coverage.

Ensure CI includes PyTorch 2.8 + appropriate CUDA/driver versions that enable Blackwell/RTX 50 support; otherwise soften the claim further.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (5)

CHANGELOG.md (5)

18-18: Hyphenate “classifier‑free guidance”.

Microcopy polish.

-* Add classifier free guidance unconditioned value (#8562)
+* Add classifier‑free guidance unconditioned value (#8562)

---

25-27: Capitalize proper nouns.

VAE and RetinaNet.

-* Fix bug in MAISI vae (#8517)
-* Throw exception on invalid images in retinanet detector (#8515)
+* Fix bug in MAISI VAE (#8517)
+* Throw exception on invalid images in RetinaNet detector (#8515)

---

30-31: Tighten wording.

Grammar/readability.

-* Fix for gdown downloading fails (#8576)
+* Fix gdown download failures (#8576)

---

33-38: Consistent naming and capitalization.

CI/Test/Hugging Face formatting.

-* CI: Add custom timeout to ci job in order to save resources (#8504)
-* Tests Cleanup and refactor (#8405, #8535)
-* Updated supported version of Huggingface Transformers (#8574)
+* CI: Add custom timeout to CI job to save resources (#8504)
+* Test cleanup and refactor (#8405, #8535)
+* Updated supported version of Hugging Face Transformers (#8574)

---

10-39: Sync with docs “What’s New” page.

Ensure bullets and wording match docs/source/whatsnew_1_5_1.md (e.g., GPU compatibility notes).

If desired, I can auto‑diff the docs and normalize phrasing.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2c3606f and fb212a5.

📒 Files selected for processing (1)

• CHANGELOG.md (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.md

⚙️ CodeRabbit configuration file

Remember that documentation must be updated with the latest information.

Files:

• CHANGELOG.md

🔇 Additional comments (3)

CHANGELOG.md (3)

1264-1265: Compare links will 404 until tags exist — OK as-is. Both compare URLs returned 404 when tested; that's expected. No change required — re-run the validation after creating the tag.

---

8-8: Do not set the release date in the changelog until the tag exists.

Tag 1.5.1 is not present; remove the hardcoded date in CHANGELOG.md (line 8) and use "(planned)" or leave blank — set the final date when you create the tag.

File: CHANGELOG.md (line 8)

## [1.5.1] - 2025-09-22

---

21-24: Security advisories verified — confirm fixes implement recommended remediations

• GHSA-x6ww-pf9m-m73m: path traversal via zipfile.extractall — sanitize/normalize entries (reject absolute paths and “..”), or use a safe-extract helper; sandbox extraction of untrusted archives.
• GHSA-6vm5-6jv9-rjpj: unsafe torch.load usage — use torch.load(..., weights_only=True) or equivalent, validate provenance (signatures/checksums), and sandbox checkpoint loading.
• GHSA-p8cm-mm2v-gwjm: unsafe pickle.loads — remove/untrusted unpickling or use a restricted unpickler/whitelist; prefer safer formats (JSON/msgpack) when possible.
• CHANGELOG references fixes — verify the code changes actually implement the mitigations above (search for zipfile.extractall, torch.load checkpoint paths, pickle.loads usage — e.g., monai/data/utils.py) and add patched release/version numbers to the changelog.

[KumoLiu]

/build