
fix: ignore diffusers GHSA-98h9-4798-4q5v in pip-audit#24

Merged
timzsu merged 1 commit into main from zsu/ignore-diffusers-cve on May 7, 2026

Conversation


@timzsu timzsu commented May 7, 2026

Purpose

Silence pip-audit on GHSA-98h9-4798-4q5v (CVE-2026-44513, HIGH, CVSS 8.8) in diffusers==0.36.0. Same upgrade blocker as the already-ignored GHSA-j7w6-vpvq-j3gm — both are fixed in diffusers 0.38.0, which requires safetensors>=0.8.0rc0 pre-release that uv lock won't pick up without an explicit opt-in.

Changes

  • .github/workflows/security.yml — add --ignore-vuln GHSA-98h9-4798-4q5v to both pip-audit blocks (worker CPU and worker GPU delta).
  • docs/CODE_STYLE.md — add a row in the ignored-CVE table referencing the same blocker as the existing diffusers row.

Design

The advisory is a trust_remote_code=False bypass in DiffusionPipeline.from_pretrained via custom_pipeline= (cross-repo or local-snapshot variants) or local snapshots whose model_index.json references custom-component .py files. The DiffusersExecutor calls AutoPipelineForText2Image.from_pretrained(ident, **load_kwargs) with a Hub identifier (no local path), no custom_pipeline= argument, and trust_remote_code=True only when the workflow explicitly opts in via spec.model_trust_remote_code. The advisory variants 1 and 2 are unreachable; variant 3 (HF cache snapshot with custom components) is theoretically reachable but bounded by the workflow author's existing trust scope (they can already set model_trust_remote_code=True).

Bumping to 0.38.0 is the only real fix per the advisory, but it pulls in a safetensors pre-release. Track the blocker on the GHSA-j7w6-vpvq-j3gm row and drop both ignores together when the cap lifts.

Test Plan

CI.

Test Result

CI passes.


Pre-submission Checklist
  • I have read the contribution guidelines.
  • I have run pre-commit run --all-files and fixed any issues.
  • I have added or updated tests covering my changes (if applicable).
  • I have verified that uv run pytest tests/ passes locally.
  • If I changed shared schemas or proto definitions, I have checked downstream compatibility across Server and Worker.
  • If I changed the SDK or CLI, I have verified the affected packages work (uv sync --all-extras --frozen).
  • If this is a breaking change, I have prefixed the PR title with [BREAKING] and described migration steps above.
  • I have updated documentation or config examples if user-facing behavior changed.
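As an added defender-side check, not code from this PR or from the project: the Design section argues that advisory variants 1 and 2 are unreachable because the executor only ever passes a Hub identifier, never a `custom_pipeline=` argument, and sets `trust_remote_code=True` only when the workflow spec opts in. The hypothetical helper below encodes those three invariants as a fail-closed validator for the keyword arguments handed to `from_pretrained`, so the reachability argument becomes a test rather than a comment. Names (`build_load_kwargs`, `is_hub_identifier`, `UnsafeLoadRequest`) and the sample identifiers are assumptions; `custom_pipeline` and `trust_remote_code` are the real diffusers parameters named in the description.

```python
"""Guard the argument set passed to a diffusers ``from_pretrained`` call.

Hypothetical helper, not part of the project: it turns the PR's reachability
argument (Hub identifier only, no ``custom_pipeline=``, ``trust_remote_code``
only by explicit workflow opt-in) into checks that fail closed.
"""
import os
import re

# Hub repo ids are ``name`` or ``namespace/name`` built from [A-Za-z0-9._-].
_HUB_ID = re.compile(r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?$")

# Loader keys that would re-open the advisory's custom-pipeline code paths.
_FORBIDDEN_KEYS = frozenset({"custom_pipeline"})


class UnsafeLoadRequest(ValueError):
    """Raised when a load request falls outside the allowed trust scope."""


def is_hub_identifier(ident: str) -> bool:
    """True only for a bare Hub repo id, never for a filesystem path.

    Local snapshots are the remaining (variant 3) surface, so anything that
    looks like a path, or that already exists on disk, is rejected.
    """
    if not ident or ident.startswith((".", "/", "~")) or "\\" in ident:
        return False
    if os.path.isabs(ident) or os.path.exists(ident):
        return False
    return _HUB_ID.fullmatch(ident) is not None


def build_load_kwargs(ident, spec_trust_remote_code=False, extra_kwargs=None):
    """Return the kwargs for ``from_pretrained`` or raise ``UnsafeLoadRequest``.

    ``spec_trust_remote_code`` stands in for the workflow's explicit opt-in
    (``spec.model_trust_remote_code`` in the PR description); it is the only
    source allowed to set ``trust_remote_code``.
    """
    if not is_hub_identifier(ident):
        raise UnsafeLoadRequest(f"model identifier is not a Hub repo id: {ident!r}")

    extra = dict(extra_kwargs or {})
    forbidden = sorted(_FORBIDDEN_KEYS & extra.keys())
    if forbidden:
        raise UnsafeLoadRequest(f"forbidden loader arguments: {forbidden}")
    if "trust_remote_code" in extra:
        raise UnsafeLoadRequest(
            "trust_remote_code must come from the workflow spec, not loader kwargs"
        )

    kwargs = dict(extra)
    kwargs["trust_remote_code"] = bool(spec_trust_remote_code)
    return kwargs


if __name__ == "__main__":
    # Constructed sample: a Hub id with the default (opted-out) trust scope.
    print(build_load_kwargs("example-org/example-model"))
    # Constructed sample: a local snapshot is refused before any load happens.
    try:
        build_load_kwargs("./local-snapshot")
    except UnsafeLoadRequest as exc:
        print("rejected:", exc)
```

The point of the check is that it is independent of the diffusers version: if the executor ever grows a code path that forwards a local path or a `custom_pipeline=` key, the validator trips in CI before the pinned `--ignore-vuln` silently masks a now-reachable issue.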

Same upgrade blocker as the already-ignored GHSA-j7w6-vpvq-j3gm — both
are fixed in diffusers 0.38.0, which requires safetensors>=0.8.0rc0
pre-release. Drop both ignores together when the safetensors cap lifts.

Signed-off-by: Zhengyuan Su <su.zhengyuan@u.nus.edu>
@timzsu timzsu changed the title chore: ignore diffusers GHSA-98h9-4798-4q5v in pip-audit fix: ignore diffusers GHSA-98h9-4798-4q5v in pip-audit May 7, 2026
@timzsu timzsu requested a review from kaiitunnz May 7, 2026 08:13

@kaiitunnz kaiitunnz left a comment


LGTM.

@timzsu timzsu merged commit ca03aa8 into main May 7, 2026
10 of 11 checks passed
@timzsu timzsu deleted the zsu/ignore-diffusers-cve branch May 7, 2026 08:16

2 participants