Raise torch lower version bound to >=1.13.1 (CVE-2022-45907) #1673
Comments
Hmm

Oh I misread the vulnerability, this is actually present in all versions, not just 1.13.0, my bad.

This seems like a relatively minor security vulnerability. From the original pytorch issue on this:

I trust your judgement about the trade-off between a broader torch compatibility and the security benefits that the fix in 1.13.0 brings, just wanted to make sure it's a conscious one instead of an oversight.
There is a known security vulnerability (CVE-2022-45907) in `torch <= 1.13.0` which is patched since 1.13.1 (pytorch/pytorch/issues/89855). However, the torch lower version bound in botorch's current requirements still seems to be `torch>=1.11`. What are your thoughts about raising this lower version bound to `torch>=1.13.1` to promote using only dependencies without known security vulnerabilities with the current botorch releases?
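The check the issue is asking for can be automated: given a requirements line and the highest known-vulnerable version, decide whether the declared lower bound still admits the vulnerable range. The script below is an added example written for this thread, not code from botorch or from the issue author. It assumes single-specifier requirement lines (`name>=x.y.z` style) and plain numeric versions; the `torch <= 1.13.0` vulnerable range and the `1.13.1` fix version are taken from the issue text, and the sample requirements file is constructed.

```python
"""Audit a requirements file for a lower bound that still admits a
known-vulnerable dependency version.

Added example; not part of botorch or the linked issue.
Assumes single-specifier lines and purely numeric versions.
"""
import re

# Range stated in the issue: torch <= 1.13.0 is affected, fixed in 1.13.1.
VULNERABLE_MAX = "1.13.0"
FIXED_IN = "1.13.1"

# Constructed sample requirements mirroring the bound under discussion.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not botorch's actual requirements
torch>=1.11
numpy>=1.20
"""

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)\s*$"
)

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'1.13.0' -> (1, 13). Trailing zeros are dropped so that
    '1.13' and '1.13.0' compare equal under tuple comparison."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line):
    """Return (lower-cased name, operator, version tuple) for one line."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    name, op, ver = m.groups()
    return name.lower(), op, parse_version(ver)


def satisfies(installed, line):
    """Does an installed version string satisfy the requirement line?"""
    _, op, ver = parse_requirement(line)
    return _OPS[op](parse_version(installed), ver)


def bound_admits_vulnerable(line, vulnerable_max=VULNERABLE_MAX):
    """True if the specifier still allows some version <= vulnerable_max.

    Only a strict enough lower bound (>= or >) can exclude the vulnerable
    range; an upper-bound-only specifier (<, <=) admits every old version,
    and == is vulnerable when the pinned version is in range.
    """
    _, op, ver = parse_requirement(line)
    vmax = parse_version(vulnerable_max)
    if op == ">=":
        return ver <= vmax
    if op == ">":
        return ver < vmax
    if op == "==":
        return ver <= vmax
    return True  # '<' or '<=' leaves the lower end open


def audit(requirements_text, package="torch", vulnerable_max=VULNERABLE_MAX):
    """Return the requirement lines for `package` that admit a vulnerable version."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, _ = parse_requirement(line)
        if name == package and bound_admits_vulnerable(line, vulnerable_max):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{finding}: admits torch <= {VULNERABLE_MAX}; "
              f"raise the lower bound to torch>={FIXED_IN}")
```

Trailing-zero normalisation matters here: a naive tuple comparison would treat `1.13` as lower than `1.13.0`, so a bound of `torch>=1.13.0` would be misjudged against a vulnerable maximum written as `1.13`. The script only reports the lines; whether to raise the bound remains the trade-off the maintainers discuss above.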