fix(deps): Address container scan vulnerabilities in nemo_toolkit

[aryanjsingh]

Summary

This commit resolves security vulnerabilities found in the Curator container scan. It addresses two high-severity issues in nemo_toolkit (GHSA-hvjw-vp7g-39h5, GHSA-9379-mwvr-7wxx) by adding a dependency override to pyproject.toml, ensuring a secure version of the package is installed.

Changes

• pyproject.toml: Added an override for nemo_toolkit>=2.7.2 in [tool.uv.override-dependencies] to explicitly enforce the use of a non-vulnerable version, addressing GHSA-hvjw-vp7g-39h5 and GHSA-9379-mwvr-7wxx.

Related Issue

Closes #1642

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[greptile-apps]

Greptile Summary

This PR adds a nemo_toolkit>=2.7.2 entry to the [tool.uv].override-dependencies table in pyproject.toml to address two high-severity security advisories (GHSA-hvjw-vp7g-39h5 and GHSA-9379-mwvr-7wxx). The change is minimal, targeted, and consistent with the project's existing pattern of using uv override/constraint entries to enforce secure transitive-dependency versions.

Key observations:

• The uv.lock file already resolves nemo-toolkit to 2.7.2, so there is no immediate behavioral change for developers using the current lockfile. The override formalises the minimum-version requirement so that future uv lock runs will continue to respect it.
• The audio_common optional-extra already declares nemo_toolkit[asr]>=2.7.2 as a direct dependency (line 99), so the override primarily protects against transitive paths that could otherwise resolve an older, vulnerable version.
• The new entry is alphabetically ordered within the list, consistent with the surrounding entries.
• Other CVE-related fixes in this file (e.g., aiohttp, cryptography, protobuf) are placed in constraint-dependencies, whereas this fix is placed in override-dependencies. Both are uv-specific mechanisms and either would be effective; using an override provides a slightly stronger guarantee (it wins even when a transitive dependency pins an incompatible older version), so the choice is defensible.

Confidence Score: 5/5

Safe to merge — the change is a single-line, targeted security override that enforces a minimum safe version of nemo_toolkit and is consistent with established project patterns.

The change is minimal and surgical: one entry added to an existing override list, alphabetically ordered, with a clear comment tying it to the addressed CVEs. The uv.lock file already resolves nemo-toolkit to 2.7.2, confirming the override is compatible with the current dependency graph. The audio_common extra already required >=2.7.2, so there is no risk of introducing a new incompatible version. No logic, tests, or runtime code is touched.

No files require special attention.

Important Files Changed

Filename	Overview
pyproject.toml	Adds nemo_toolkit>=2.7.2 override to enforce a secure package version; one-line, targeted change consistent with the project's existing CVE-remediation pattern.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[uv dependency resolution] --> B{nemo_toolkit requested?}
    B -->|direct dep via audio_common| C[nemo_toolkit >= 2.7.2]
    B -->|transitive dep any version| D[override-dependencies enforces >= 2.7.2]
    C --> E[Resolved: nemo_toolkit 2.7.2]
    D --> E
    E --> F[GHSA-hvjw-vp7g-39h5 addressed]
    E --> G[GHSA-9379-mwvr-7wxx addressed]

Loading

_{Reviews (1): Last reviewed commit: "fix(deps): add override for nemo_toolkit..." | Re-trigger Greptile}

[ayushdg]

Thanks for opening @aryanjsingh . This has already been addressed with #1612 and changes are in the pyproject.toml file already https://github.com/NVIDIA-NeMo/Curator/pull/1740/changes#diff-50c86b7ed8ac2cf95bd48334961bf0530cdc77b5a56f852c5c61b89d735fd711R99