fix(security): bump ray, mlflow, urllib3 and nemo-gym for CVE remediation #2560

Open

kajalj22 wants to merge 2 commits into main from bump-ray-mlflow-gym

Conversation

@kajalj22 (Contributor) commented May 22, 2026

Summary

  • ray[default]: ==2.54.0 → ==2.55.1 (direct dep)
  • mlflow: >=3.11.1 → >=3.12.0 (core dep + override-dependencies)
  • urllib3: >=2.6.3 → >=2.7.0 (constraint-dependencies)
  • nemo-gym submodule: 1a4912e → 8e145db (latest Gym main, includes CVE fixes for urllib3, ray, transformers, pytest, grpcio, GitPython)
  • uv.lock updated (ray 2.54.0 → 2.55.1 confirmed in lockfile)

Addresses vulnerabilities flagged by the security scan for nemo-rl and nemo-gym origin packages.

Note: vllm, sglang, and torch bumps are handled in separate PRs. megatron-bridge mlflow bump deferred to the megatron-bridge PR.

Test plan

  • CI passes (/ok to test)
  • uv lock resolves cleanly with new constraints
  • Verify scanned package versions match or exceed targets in next security scan

🤖 Generated with Claude Code
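The test plan above asks that the locked package versions match or exceed the targets. As an added example (not code from the PR or the nemo-rl project), this script reads the `[[package]]` tables of a uv.lock and reports any target package that is missing or pinned below its floor. The floors are the PR's own numbers; the lockfile excerpt is constructed sample input with one deliberately stale pin.

```python
import re

# Minimum versions targeted by this PR (taken from the PR summary).
TARGETS = {"ray": "2.55.1", "mlflow": "3.12.0", "urllib3": "2.7.0"}

# Constructed uv.lock excerpt (not the repository's real lockfile);
# urllib3 is left at the old 2.6.3 pin so the check has something to flag.
SAMPLE_UV_LOCK = """\
version = 1
requires-python = ">=3.10"

[[package]]
name = "ray"
version = "2.55.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "mlflow"
version = "3.12.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "urllib3"
version = "2.6.3"
source = { registry = "https://pypi.org/simple" }
"""


def parse_lock_versions(lock_text):
    """Return {package name: locked version} from the [[package]] tables of a uv.lock."""
    versions = {}
    for chunk in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', chunk, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', chunk, re.M)
        if name and ver:
            versions[name.group(1).lower()] = ver.group(1)
    return versions


def version_key(v):
    """Numeric tuple for comparing plain X.Y.Z release versions (no pre-release handling)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_floors(lock_text, targets=TARGETS):
    """Return {package: locked version or None} for every target below its floor."""
    locked = parse_lock_versions(lock_text)
    return {pkg: locked.get(pkg) for pkg, floor in targets.items()
            if locked.get(pkg) is None or version_key(locked[pkg]) < version_key(floor)}
```

Run `check_floors(open("uv.lock").read())` against the real lockfile after `uv lock`; an empty dict means every target floor is met.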

@kajalj22 kajalj22 requested a review from a team as a code owner May 22, 2026 22:45
copy-pr-bot (Bot) commented May 22, 2026

Auto-sync is disabled for ready for review pull requests in this repository. Workflows must be run manually.

…tion

- ray[default]: 2.54.0 → 2.55.1
- mlflow: >=3.11.1 → >=3.12.0 (core dep + override)
- urllib3: >=2.6.3 → >=2.7.0 (constraint)
- nemo-gym submodule: 1a4912e → 8e145db (includes Gym CVE fixes
  for urllib3, ray, transformers, pytest, grpcio, GitPython)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
@kajalj22 kajalj22 force-pushed the bump-ray-mlflow-gym branch from b50f0cb to b2b1934 Compare May 22, 2026 23:34
github-actions (Bot) commented

✅ Submodule Fast-Forward Check Results

Check based on commit: b2b1934 (PR #2560 from bump-ray-mlflow-gym)

✅ Submodules that are properly updated:

Gym: ✅ PR branch is ahead of main branch (fast-forward)

All submodule changes look good! ✨

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kajal Jain <kajalj@nvidia.com>
github-actions (Bot) commented

✅ Submodule Fast-Forward Check Results

Check based on commit: 9f08d9f (PR #2560 from bump-ray-mlflow-gym)

✅ Submodules that are properly updated:

Gym: ✅ PR branch is ahead of main branch (fast-forward)

All submodule changes look good! ✨

@kajalj22 (Contributor, Author) commented

/ok to test 9f08d9f

@kajalj22 kajalj22 added the CI:Lfast Runs a fast test suite and re-use nightly `main` container (but sync dependencies to PRs version) label May 22, 2026
@kajalj22 kajalj22 added the CI:L1 Run doctests, unit tests, and functional tests label May 22, 2026
@kajalj22 kajalj22 removed the CI:Lfast Runs a fast test suite and re-use nightly `main` container (but sync dependencies to PRs version) label May 22, 2026
Labels

CI:L1 Run doctests, unit tests, and functional tests