Bump up package versions to fix CVEs

[ktangsali]

PhysicsNeMo Pull Request

Description

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.
• The CHANGELOG.md is up to date with these changes.
• An issue is linked to this pull request.
• If I am implementing a new model or modifying any existing model, I have followed the Models Implementation Coding Standards.

Dependencies

Review Process

All PRs are reviewed by the PhysicsNeMo team before merging.

Depending on which files are changed, GitHub may automatically assign a maintainer for review.

We are also testing AI-based code review tools (e.g., Greptile), which may add automated comments with a confidence score.
This score reflects the AI’s assessment of merge readiness and is not a qualitative judgment of your work, nor is
it an indication that the PR will be accepted / rejected.

AI-generated feedback should be reviewed critically for usefulness.
You are not required to respond to every AI comment, but they are intended to help both authors and reviewers.
Please react to Greptile comments with 👍 or 👎 to provide feedback on their accuracy.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[NickGeneva]

shout outs mlflow

[greptile-apps]

Greptile Summary

This PR bumps minimum package versions across pyproject.toml and 19 example requirements.txt files to address CVEs (torch ≥ 2.10.0 for CVE-2025-32434/CVE-2026-24747, urllib3 ≥ 2.7.0 for CVE-2026-44432, GitPython ≥ 3.1.49, mlflow ≥ 3.11.0, pillow ≥ 12.2.0, gdown ≥ 5.2.2, pyarrow ≥ 14.0.1).

• torch bumped to >=2.10.0 across core deps, cu12/cu13 extras, and all example files that pinned it; the xmgn example also switches its PyG --find-links from CUDA 12.1 to CUDA 12.8 wheels.
• mlflow major-version bump (2.x → 3.x) applied uniformly across all affected examples and the utils-extras optional dependency; the uv.lock is updated for gitpython (3.1.50) and urllib3 (2.7.0).
• urllib3 >=2.7.0 added as an explicit direct dependency in pyproject.toml to guarantee the transitive decompression-bomb fix is enforced.

Important Files Changed

Filename	Overview
examples/reservoir_simulation/xmgn/requirements.txt	Bumped torch/torchaudio/torchvision/mlflow to pick up CVE fixes and switched PyG wheels to CUDA 12.8; stale "CUDA 12.1" comment not updated on line 2.
pyproject.toml	Bumped torch to >=2.10.0, added urllib3>=2.7.0, updated GitPython and mlflow minimums; torchvision lower bound remains >=0.19.0 while torch now requires >=2.10.0 (compatible torchvision is 0.25.0+).
uv.lock	Lock file updated: gitpython 3.1.46→3.1.50, urllib3 2.6.3→2.7.0, urllib3 added as explicit dependency for nvidia-physicsnemo package.
examples/cfd/flow_reconstruction_diffusion/requirements.txt	Bumped pillow from >=10.3.0 to >=12.2.0 to address CVEs.
examples/weather/healda/requirements.txt	Bumped pyarrow from >=14.0.0 to >=14.0.1 to address CVEs.

Comments Outside Diff (1)

1. examples/reservoir_simulation/xmgn/requirements.txt, line 1-2 (link)

   The header comment still says "CUDA 12.1" but the file now uses CUDA 12.8 wheels (torch-2.10.0+cu128). Any user following this comment will install the wrong CUDA version and hit broken --find-links resolution.

_{Reviews (1): Last reviewed commit: "bump up package versions to fix cves" | Re-trigger Greptile}