chore: bump visual-retrieval-colpali deps to fix Mend CVEs #1909

Open
odosk wants to merge 1 commit into master from fix/cve-deps-2026-05-07


@odosk odosk commented May 7, 2026

Note

This PR was opened by Claude Code as part of an automated Mend -> Jira -> GitHub security sweep.

Summary

Whole-manifest sweep of visual-retrieval-colpali/ to clear the 18 HIGH/CRITICAL Mend findings reported in the 2026-05-07 rescan.

The preceding Renovate auto-merge of transformers==5.0.0 (commit 952bb5f) left pyproject.toml and the lockfile in an unsatisfiable state because the rest of the dependency tree (vidore-benchmark[interpretability]<5.0.0, colpali-engine==0.3.1) requires transformers<5.0.0. This PR reverts that pin to the latest resolvable 4.x line and refreshes every other dependency in the lockfile.

Changed Files

| Path | Change |
| --- | --- |
| visual-retrieval-colpali/pyproject.toml | transformers==5.0.0 -> transformers>=4.57.6,<5.0.0 |
| visual-retrieval-colpali/src/legacy-requirements.txt | regenerated via uv pip compile pyproject.toml -o src/legacy-requirements.txt --upgrade (-145 / +126 lines) |

Notable transitions in the lockfile:

| Package | Before | After |
| --- | --- | --- |
| accelerate | 0.34.2 | 1.13.0 |
| python-multipart | 0.0.26 | 0.0.27 |
| torch | 2.8.0 | 2.11.0 |
| transformers | 5.0.0 (broken) | 4.57.6 |
| huggingface-hub | 0.36.0 | 0.36.2 |
| tokenizers | 0.20.3 | 0.22.2 |
| pillow | 10.4.0 | 10.4.0 (BLOCKED, see below) |

CVEs Addressed

| CVE | Library | Before | After | Fixed? | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-11392 | transformers | 4.47.1 | 4.57.6 | yes | ZDI deserialization, fixed long before 4.57 |
| CVE-2024-11393 | transformers | 4.47.1 | 4.57.6 | yes | ZDI deserialization |
| CVE-2024-11394 | transformers | 4.47.1 | 4.57.6 | yes | ZDI deserialization |
| CVE-2025-14920 | transformers | 4.47.1 | 4.57.6 | yes (no OSV match against 4.57.6) | Perceiver model RCE |
| CVE-2025-14921 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14924 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14926 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14927 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14928 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14929 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14930 | transformers | 4.47.1 | 4.57.6 | yes | ZDI RCE |
| CVE-2025-14925 | accelerate | 0.34.2 | 1.13.0 | yes | Deserialization RCE |
| CVE-2025-55551 | torch | 2.8.0 | 2.11.0 | yes | DoS in torch.linalg.lu |
| CVE-2026-24747 | torch | 2.8.0 | 2.11.0 | yes | weights_only unpickler escape, fixed in 2.10.0 |
| CVE-2026-25990 | pillow | 10.4.0 | 10.4.0 | NO | Fixed in 12.1.1 - blocked, see below |
| CVE-2026-40192 | pillow | 10.4.0 | 10.4.0 | NO | FITS decompression bomb - blocked |
| CVE-2026-42311 | pillow | 10.4.0 | 10.4.0 | NO | blocked |
| CVE-2026-42561 | python-multipart | 0.0.26 | 0.0.27 | yes | Already covered in #1908 |

The transformers ZDI advisories are not yet indexed in OSV against specific transformers version ranges, so the "fixed in 4.57.6" claim is best-effort: 4.57.6 is the most recent 4.x release and OSV reports no transformers vulns against it other than the unrelated CVE-2026-1839 (Trainer class) which was not in this Mend batch.

Cannot fix in this PR (pillow CVEs)

Pillow stays at 10.4.0 because both colpali-engine==0.3.1 and vidore-benchmark[interpretability]>=4.0.0,<5.0.0 transitively require pillow<11.0.0. The pillow CVEs need pillow>=12.1.1.

Lifting the pillow constraint requires one of:

  • Migrating vidore-benchmark to 5.x. Blocker: vidore 5.0.0 deleted the interpretability module that src/backend/colpali.py:14 and prepare_feed_deploy.py:67 import. Needs application-code refactor.
  • Bumping colpali-engine past 0.3.1 to a release without the strict pillow ceiling. Blocker: chain leads back to vidore-benchmark 5 / transformers 5 (colpali-engine 0.3.15 requires transformers>=5.3.0), so same blocker.

Surfacing to repo owners as a follow-up: the three pillow CVEs and any forthcoming transformers 5.x-only patches will require porting visual-retrieval-colpali off vidore-benchmark.interpretability.

Supersedes

#1907 is for hypencoder/requirements.txt, a different sub-app, and is not superseded by this PR.

Implementation Notes

  • The previous transformers==5.0.0 pin in pyproject.toml (Renovate, commit 952bb5f) was unsatisfiable. uv pip compile errored:

    Because vidore-benchmark>=4.0.0,<=4.0.1 depends on transformers>=4.41.1,<5.0.0 ... and transformers==5.0.0, your requirements are unsatisfiable.
    The shipped lockfile pinned transformers==5.0.0 anyway because Renovate did a surgical text replace rather than a clean recompile.

  • Constraint relaxed to >=4.57.6,<5.0.0. Latest 4.x is 4.57.6.
  • No other manual edits to pyproject.toml. All other transitions came from the resolver.

Verification

  • Resolver: uv pip compile pyproject.toml -o src/legacy-requirements.txt --upgrade succeeds cleanly.
  • No local tests run -- sample-apps integration tests are heavy and out of scope for an automated dep bump.
  • Recommend Mend rescan after merge to confirm the 15 covered CVEs close out and to confirm the three pillow CVEs (and any transformers 5-only items) remain as known follow-up.

Related

  • VESPANG-3201 (In Progress)
  • VESPANG-3271 (To Do)

Whole-manifest sweep of visual-retrieval-colpali to resolve the 18
HIGH/CRITICAL Mend findings flagged in the 2026-05-07 rescan.

Notable bumps in src/legacy-requirements.txt (full sweep, not just
flagged libs):
  accelerate           0.34.2  -> 1.13.0   (CVE-2025-14925)
  python-multipart     0.0.26  -> 0.0.27   (CVE-2026-42561)
  torch                2.8.0   -> 2.11.0   (CVE-2025-55551, CVE-2026-24747)
  transformers         5.0.0   -> 4.57.6   (CVE-2024-1139[2-4],
                                            CVE-2025-1492[0,1,4,6-30])
  huggingface-hub      0.36.0  -> 0.36.2
  tokenizers           0.20.3  -> 0.22.2

pyproject.toml: relax `transformers==5.0.0` to `>=4.57.6,<5.0.0`.
The previous `==5.0.0` pin (added by Renovate PR #1903 / commit
952bb5f) was unsatisfiable because vidore-benchmark[interpretability]
4.0.x requires `transformers<5.0.0` and the application code imports
`vidore_benchmark.interpretability.torch_utils` (interpretability
module was removed in vidore-benchmark 5.0.0). Reverting to the
latest 4.x line yields a resolvable lockfile while still picking up
the silent CVE patches that landed across 4.48 -> 4.57.

Pillow remains at 10.4.0 -- transitively pinned `<11.0.0` by both
colpali-engine 0.3.1 and vidore-benchmark 4.0.x. Lifting it to 12.x
to clear the three pillow CVEs requires migrating off
vidore-benchmark[interpretability] (used by src/backend/colpali.py
and prepare_feed_deploy.py); that's a code refactor and out of scope
for this dep-bump PR.

Supersedes Renovate PR #1908 (python-multipart 0.0.27).

No local tests run; sample-apps integration tests are too heavy for
a dev box. Mend rescan after merge.

Related: VESPANG-3201, VESPANG-3271
@odosk odosk added the auto security Automated security created PRs label May 7, 2026
@odosk odosk temporarily deployed to Vespa Cloud CD May 7, 2026 06:19 — with GitHub Actions Inactive
@odosk odosk marked this pull request as ready for review May 7, 2026 06:36
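
The lockfile drift described in the implementation notes (a pin text-replaced without a recompile) can be caught in CI by checking every pin against the constraints its dependents declare. This is an added example, not code from this PR or the repository; the `REQUIRES` table is constructed from the versions quoted above, and all function names are hypothetical.

```python
import operator
import re

# Constructed sample data built from the version ranges quoted in the PR text.
# dependent -> {required package: specifier}; a real check would read package metadata.
REQUIRES = {
    "vidore-benchmark": {"transformers": ">=4.41.1,<5.0.0", "pillow": "<11.0.0"},
    "colpali-engine": {"pillow": "<11.0.0"},
}
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le,
       ">": operator.gt, "<": operator.lt}

def parse_version(text):
    """Turn '4.57.6' into (4, 57, 6); trailing zeros dropped so 5.0 == 5.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def satisfies(version, specifier):
    """True if version meets every comma-separated clause of specifier."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(==|>=|<=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def find_conflicts(pins, requires=REQUIRES):
    """Return (dependent, package, pinned, specifier) for each violated constraint."""
    conflicts = []
    for dependent, needs in sorted(requires.items()):
        for package, specifier in sorted(needs.items()):
            pinned = pins.get(package)
            if pinned is not None and not satisfies(pinned, specifier):
                conflicts.append((dependent, package, pinned, specifier))
    return conflicts

if __name__ == "__main__":
    for label, pins in [
        ("text-replaced lockfile", {"transformers": "5.0.0", "pillow": "10.4.0"}),
        ("this PR", {"transformers": "4.57.6", "pillow": "10.4.0"}),
        ("pillow CVE fix", {"transformers": "4.57.6", "pillow": "12.1.1"}),
    ]:
        print(label, find_conflicts(pins))
```

The parser handles plain numeric releases only; pre-release and local version tags raise `ValueError` instead of being silently accepted.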