[MNT] Upgrade to `torch>2.2.2` because of CVE-2024-5480

[RobKuebler]

Hi!

I cannot install pytorch-forecasting in my organization because of https://www.cvedetails.com/cve/CVE-2024-5480/. Can you upgrade the dependency in the pyproject.tmol to torch>2.2.2, please?

Thanks a lot!

Best
Robert

[fkiraly]

Torch is not directly restricted by the pyproject, it is torch<3.0.0 - could you kindly check whether the bound is coming from something in pytorch-forecasting, or something in your environment?

[RobKuebler]

Hi!

I think the security only checks for the project.toml and just sees that the torch version is restricted as torch>2,<3.

[felipeangelimvieira]

@Garve if you pin your pytorch version> 2.2.2 in your pyproject, you still have this problem?

[RobKuebler]

Hi Felipe! Yeah I think they check the pyproject.toml of pytorch-forecasting and just see that it potentially allows torch<2.2.2.

My company made an exception for now, so I can use it now, but maybe other people have the same problem.

Best
Robert

[fkiraly]

@Garve, can you explain the policy? The company could force an additional bound of torch>2.2.2, it does not imply torch<2.2.2.

Why would we need to update this in the pyproject.toml?

[RobKuebler]

Hi! We found a workaround now.

But I think since in the pyproject.toml it only says >2, potentially a torch version <2.2.2 could be installed, and maybe that's the only thing the software checks. At least that's the only clue I have why it complained about pytorch-forecasting in particular.

Best
Robert