chore(deps): bump timm from 0.6.13 to 1.0.27 in /DeQA-Score #45 (Open)

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/DeQA-Score/timm-1.0.27

Conversation

dependabot[bot] (Contributor) commented on behalf of github, May 29, 2026

Bumps timm from 0.6.13 to 1.0.27.

Release notes

Sourced from timm's releases.

Release v1.0.27

April 23, 2026

  • Add Gemma4 ViT encoders w/ NaFlex pipeline support (variable aspect/size per image). Thanks Yonghye Kwon
  • Support DINOv3 weights in NaFlexVit. Thanks Yonghye Kwon
  • Some improvements to Muon fallback (AdamW/NadamW) lr behavior

What's Changed

New Contributors

Full Changelog: huggingface/pytorch-image-models@v1.0.26...v1.0.27

Release v1.0.26

March 23, 2026

  • Improve pickle checkpoint handling security. Default all loading to weights_only=True, add safe_global for ArgParse.
  • Improve attention mask handling for core ViT/EVA models & layers. Resolve bool masks, pass is_causal through for SSL tasks.
  • Fix class & register token uses with ViT and no pos embed enabled.
  • Add Patch Representation Refinement (PRR) as a pooling option in ViT. Thanks Sina (https://github.com/sinahmr).
  • Improve consistency of output projection / MLP dimensions for attention pooling layers.
  • Hiera model F.SDPA optimization to allow Flash Attention kernel use.
  • Caution added to SGDP optimizer.
  • Release 1.0.26. First maintenance release since my departure from Hugging Face.

What's Changed

New Contributors

Full Changelog: huggingface/pytorch-image-models@v1.0.25...v1.0.26

Release v1.0.25

Feb 23, 2026

... (truncated)

Commits
  • 0e968e1 Update README.md for release
  • 6a49560 Version 1.0.27
  • 6a928a1 Fix empty command line kwarg passing
  • a60ce8b Avoid test triggering weights_only error for old PyTorch
  • 7dff294 A few more tweaks to task setup for module access. Add back legacy_train.py a...
  • 1953da3 Missed _helpers for task based resume/checkpoint
  • 8bdb7ae More task fixups, made 'trainable_module' consistent, base optimization off t...
  • 56e3981 Fix some performance regressions with torch.compile + Tasks. Fix #2693
  • 6ce166b Add encoder_pool option to gemma4 classification model to toggle soft tokens ...
  • eb11943 Update README.md
  • Additional commits viewable in compare view

dependabot[bot] (Contributor, Author) commented on behalf of github, May 29, 2026

Assignees

The following users could not be added as assignees: ByronWilliamsCPA. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions[bot] commented May 29, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

DeQA-Score/pyproject.toml

Package   Version   License   Issue Type
timm      1.0.27    Null      Unknown License

OpenSSF Scorecard

Package    Version   Score     Details
pip/timm   1.0.27    Unknown   Unknown

Scanned Files

  • DeQA-Score/pyproject.toml

Bumps [timm](https://github.com/huggingface/pytorch-image-models) from 0.6.13 to 1.0.27.
- [Release notes](https://github.com/huggingface/pytorch-image-models/releases)
- [Commits](huggingface/pytorch-image-models@v0.6.13...v1.0.27)

---
updated-dependencies:
- dependency-name: timm
  dependency-version: 1.0.27
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/pip/DeQA-Score/timm-1.0.27 branch from c81c7b7 to 73d9446 on May 29, 2026 04:14

sonarqubecloud commented (no comment body captured)

socket-security commented

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn   Severity: Critical

Alert: Critical CVE: PyTorch: pypi torch.load with weights_only=True leads to remote code execution

CVE: GHSA-53q9-r3pm-6pq6 PyTorch: torch.load with weights_only=True leads to remote code execution (CRITICAL)

Affected versions: < 2.6.0

Patched version: 2.6.0

From: DeQA-Score/pyproject.tomlpypi/torch@2.0.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/torch@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

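Two items on this page are about the same mechanism: the timm 1.0.26 release note ("Default all loading to weights_only=True, add safe_global for ArgParse") and the Socket alert that torch.load with weights_only=True is still exploitable on torch < 2.6.0. The block below is an added example, written with the Python standard library only; it is not timm's or PyTorch's code. It shows why a pickle checkpoint is a code-execution vector, how to list the globals a pickle would import without executing it, and how an allow-listing Unpickler (the idea behind weights_only=True plus torch.serialization.add_safe_globals) rejects everything not on the list, which is why an argparse.Namespace stored in a checkpoint has to be allow-listed explicitly. The Rogue class, the checkpoint layout, the SAFE_CHECKPOINT_GLOBALS list and the RestrictedUnpickler name are constructed for illustration and assume nothing about DeQA-Score's own checkpoints.

```python
"""Allow-listed unpickling: the mechanism behind torch.load(weights_only=True).

Added example, standard library only; not timm's or PyTorch's code. Rogue,
checkpoint_blob and RestrictedUnpickler are constructed for illustration.
"""
import argparse
import io
import os
import pickle
import pickletools

# Opcodes that push a str onto the unpickler stack (module/name for STACK_GLOBAL).
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# What a loader for checkpoints written by an argparse-based training script must
# allow beyond builtins; the analogue of timm's "safe_global for ArgParse".
SAFE_CHECKPOINT_GLOBALS = [argparse.Namespace]


class Rogue:
    """Constructed stand-in for a malicious checkpoint: unpickling calls os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def malicious_blob() -> bytes:
    # pickle.dumps only records the call; it executes when someone unpickles this.
    return pickle.dumps(Rogue())


def checkpoint_blob() -> bytes:
    # Constructed checkpoint in the shape training scripts often save:
    # weights plus the argparse.Namespace of run arguments.
    ckpt = {"args": argparse.Namespace(lr=0.1, model="vit"),
            "state_dict": {"head.weight": [0.5, -0.25]}}
    return pickle.dumps(ckpt)


def referenced_globals(blob: bytes) -> list:
    """Static scan: (module, name) pairs the pickle would import. Executes nothing."""
    found, stack, memo, n_memo = [], [], {}, 0
    for op, arg, _ in pickletools.genops(blob):
        if op.name in _STRING_OPS:
            stack.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: module then name pushed first
            name, module = stack.pop(), stack.pop()
            found.append((module, name))
        elif op.name == "MEMOIZE":           # track the memo so a BINGET that reuses
            memo[n_memo] = stack[-1] if stack else None   # a module string resolves
            n_memo += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed (module, qualname) globals; refuse all others."""

    def __init__(self, data, safe_globals=()):
        super().__init__(data)
        self._allowed = {(g.__module__, g.__qualname__) for g in safe_globals}

    def find_class(self, module, name):
        if (module, name) in self._allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"blocked global {module}.{name}; allow-list it only for trusted files")


def safe_load(blob: bytes, safe_globals=()):
    return RestrictedUnpickler(io.BytesIO(blob), safe_globals).load()


def try_load(blob: bytes, safe_globals=()):
    """Return ('ok', obj) or ('blocked', reason) instead of raising."""
    try:
        return ("ok", safe_load(blob, safe_globals))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for label, blob in (("rogue", malicious_blob()), ("checkpoint", checkpoint_blob())):
        print(label, "would import:", referenced_globals(blob))
        print(label, "with empty allow list:", try_load(blob)[0])
    status, ckpt = try_load(checkpoint_blob(), SAFE_CHECKPOINT_GLOBALS)
    print("checkpoint with Namespace allow-listed:", status, ckpt["args"].lr)
```

The rogue blob is only ever passed through the static scan and the restricted loader; a plain pickle.load on it would run the shell command. On Windows the scan reports the module as nt rather than posix. The caveat a reviewer of this PR should keep in mind is on the page itself: timm 1.0.26 defaults its own loading to weights_only=True, but the Socket alert says that flag is bypassable on torch < 2.6.0, and the scanned pyproject.toml still pins torch 2.0.1, so bumping timm alone does not close that gap for this repository.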
