support for spacy-transformers version v1.3.4 #12
Comments
ncaq
added a commit
to ncaq/ginza-transformers
that referenced
this issue
Sep 20, 2024
Why === transformers have Critical severity vulnerability. [transformers has a Deserialization of Untrusted Data vulnerability · CVE-2023-6730 · GitHub Advisory Database](GHSA-3863-2447-669p) It is patched in `transformers v4.36.0`. `spacy-transformers v1.3.4` use `transformers v4.36.0`. [Release v1.3.4 · explosion/spacy-transformers](https://github.com/explosion/spacy-transformers/releases/tag/v1.3.4)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there, thanks for providing this package.
While using this package indirectly via
ja-ginza-electra, I got a github's dependabot error thattransformersversion cannot be upgraded more than 4.26.0 which contains vulnerability.According to this NVD page, transformers less than 4.36.0 has a severity 8.8 High vulnerability.
The latest version of
spacy-transformersalready supportstransformersversion up to 4.36.X, butginza-transformersseems to supportspacy-transformersup to 1.1.X (code)So, what I expect is I need this package to support
spacy-transformerv1.3.4 so that we can usetransformersmore than 4.36.0, which has been fixed a high severity security issue. Thanks,For reference, here's the output of
poetry show --treecommand:The text was updated successfully, but these errors were encountered: