Skip to content

build(deps-dev): bump vllm from 0.20.2 to 0.24.0#6

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/vllm-0.24.0
Open

build(deps-dev): bump vllm from 0.20.2 to 0.24.0#6
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/vllm-0.24.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown

Bumps vllm from 0.20.2 to 0.24.0.

Release notes

Sourced from vllm's releases.

v0.24.0

vLLM v0.24.0 Release Notes

Highlights

This release features 571 commits from 256 contributors (77 new)!

  • MiniMax-M3: Added support for the new MiniMax-M3 model (#45381), with a fast follow-on of BF16/FP8 indexer via MSA (#45892), MXFP4 support (#45896), FP8 sparse GQA (#45744), and extensive AMD/ROCm tuning — mxfp8 MoE/linear on gfx950 (#45725), fp8_per_channel for bf16 weights on MI300X (#45854), FP8 KV-cache fix (#45720), and packed-modules mapping (#45794). A MiniMax-M2 perf regression was also fixed (#45935).
  • DeepSeek-V4 keeps maturing: Following its debut, DeepSeek-V4 received another large optimization pass — a FlashInfer sparse index cache (2–4% TTFT) (#45863), prefill chunk-planning optimization (4% E2E throughput) (#45061), a cluster-cooperative topK kernel for low-latency (#43008), contiguous per-block KV allocations (#44577), TEP=16 for the block-FP8 shared expert (#46001), and native DSA indexer decode for next_n > 2 on SM100 (#45322). It is now enabled on SM120 alongside GLM-5.1 (#43477), with XPU (#44144, #44517, #45240) and ROCm (#44899, #45103, #45681) attention/MoE paths added.
  • Model Runner V2 (MRv2) continues to expand: MRv2 now supports quantized models by default (#44446), enables GraniteMoE by default (#45461), and gained migration of Qwen + DeepSeek-V2 MoE models (#42667), DFlash speculative decoding (#44586), and more accurate FP32 Gumbel sampling (#45996).
  • Streaming Parser Engine: A new streaming parser engine unifies tool-call/reasoning parsing across models, with parsers for Qwen3 (#45413), MiniMax-M2 (#45701), GLM-4.7/5.1/5.2 (#45915), and Nemotron V3 (#45755).
  • Diffusion LLMs: Added DiffusionGemma (#45163), including a CPU path (#45690) and structured-output guardrails for diffusion decoders (#45468).
  • WideEP / DeepEP v2: Integrated DeepEP v2 for expert parallelism (#41183), with follow-on robustness fixes (#46404, #46432).
  • Rust frontend matures further: Added API-key authentication (#44321), CORS (#45753), /tokenize + /detokenize (#44222), /pause /resume /is_paused (#44499), /abort_requests (#44382), /get_world_size (#44801), thinking_token_budget (#46137), a Python bridge for Rust tool parsers (#44624), and many new parsers and validation paths.
  • Device selection change: vLLM no longer sets CUDA_VISIBLE_DEVICES internally; a new device_ids argument is provided instead (#45026). On ROCm, a deprecation window for CUDA_VISIBLE_DEVICES has begun (#46636).

Model Support

  • New models: MiniMax-M3 (#45381), DiffusionGemma (#45163) + Gemma Diffusion on CPU (#45690), Hierarchical Reasoning Model — Text / HrmTextForCausalLM (#43098), OpenMOSS (#44124).
  • Gemma 4: Unified FlashAttention (FA4) across all layers + mm_prefix support (#42175); many parser/serving fixes — forced-JSON skip for required/named tool choice (#45795), parsing with thinking disabled (#45832), streaming reasoning-state init (#45852), reasoning rendering on assistant turns (#45867), offline-parser truncation/token-leak fix (#45553); legacy Gemma4 parsers replaced with an engine-based implementation (#45588).
  • DeepSeek-V4: OOM fix (#44914), MTP projection prefixing (#44821), supported KV-cache dtypes (#44892).
  • Qwen / multimodal: Qwen3-VL video loader (#44412), Qwen2-VL/Qwen2.5-VL processor-mapped video loader (#45555), Qwen3-VL multi-video processing optimization (#46026) and multi-video crash fix (#46305), Qwen3-Omni VIT cu_seqlens device fix (#44264), fused qk-rmsnorm-rope-gate for Qwen3.5 (#44176), Qwen3.5 EP weight-loading fix (#45002).
  • ViT full CUDA graph: GLM-4.1V (#40576), DeepSeek-OCR dual-path (#43586), Kimi-VL (#41992), mllama4 (#40660), Lfm2VL encoder (#44930).
  • Other model fixes: Llama4 weight loading (#45047) and streamed loading to avoid host-OOM (#44645), MiMo v2.x QKV TP sharding + FP4 (#45200), ColQwen3.5 retrieval correctness (#46108), EXAONE-4.5 vision encoder (#45073), MiDashengLM TP>1 audio-encoder crash (#44408), MiniCPM-o/V device-placement and image-size fixes (#43844, #42332, #44980, #45244), Cohere2 MoE weight loading + parser (#44747, #44907), Nemotron V3 reasoning-as-content (#39091), ColBERT AutoWeightsLoader + query/document embedding io processor (#44999, #45210).
  • Kernels: GLM-5 TRT-LLM ragged MLA prefill dimensions (#43525), GLM-5 router GEMM (#46385).

Engine Core

  • Model Runner V2: Quantized models by default (#44446), GraniteMoE default (#45461), Qwen/DSv2 MoE migration (#42667), DFlash (#44586), simplified async output handling (#45442), attention-group split on num_heads_q (#45564), LoRA warmup fix (#35536), more accurate FP32 Gumbel sampling (#45996), min_tokens off-by-one fix in the V2 GPU sampler (#46243), plus assorted model/config compatibility fixes (#45868).
  • Speculative decoding: Dynamic SD (#32374); DFlash with FlashInfer (#43081), mixed KV page sizes (#45181), and Qwen3Next targets (#45319); EAGLE3 support for Qwen3 (#43132); reduced TP communication for large-vocab drafts (#39419); race fix in async accepted counts (#45100); EAGLE multimodal encoder cache fixes (#46315).
  • KV cache & scheduler: KV-cache watermark to reduce preemptions (#44594), two-phase allocation for cross-group prefix-cache hits (#44409), Marconi-style admission policy for hybrid cache (#37898), prefix-cache retention for Mamba/linear attention (#45845), DS Mamba tail-copy for MTP align mode (#45473), reduced scheduler copy overhead (#45840).
  • Attention: Re-enabled cross-layer KV cache layout for MLA via stride-aware kernels (#45111), MLA prefill FA4 fp8 output (#43050), FlexAttention custom mask mods made fully cudagraphable (#45232), triton diff-kv backend for MiMo (#41797), FlashMLA sparse accuracy fix (#36616).
  • Weight loading & core: fastsafetensors ParallelLoader for weight loading (#40183), release of cached device memory under pressure on UMA GPUs (#45179), structured outputs for beam search (#35022), device_ids arg / no internal CUDA_VISIBLE_DEVICES (#45026), graceful fallback when numactl --membind is blocked (#45438), config-class registration before tokenizer init (#40299), async scheduling with prompt embeds for multimodal models (#45673).

Large Scale Serving & Distributed

  • Expert parallel: DeepEP v2 integration (#41183) with token-bound and topk-index fixes (#46404, #46432); NIXL EP — DBO with NIXL EP (#45275), top-k index dtype query (#45298), NVFP4 post-receive quantization skip (#45606), elastic-EP communicator (#45013); reject NCCL-based EPLB with async EPLB (#44978).
  • KV connectors / disaggregated serving: KV push from prefill to decode via NIXL (#35264); per-region KV transfer classification for mixed full-attn + MLA groups (#44583); Mooncake pipeline-parallel PD support (#44528), async lookup (#45659), compact chunk-hash zero-copy lookup (#45969), SWA-block skipping (#45444); P/D fixes with DP supervisor (#46628) and DSV4 disaggregation (#45831); removed P2pNcclConnector (#44854).
  • KV offloading: Multi-tier async batched lookup (#44193), packed HMA KV-cache layout (#46205, gated #46252), parallel-agnostic fs-tier cache (#44733), offloading-manager stats (#35669) and labeled/CPU-usage metrics (#45957, #45737), self-describing KV events (#43468), non-blocking idle flush (#45595), and numerous correctness/race fixes (#44784, #45823, #46231, #46278).
  • Distributed core: Prefill step cadence for better non-PD DP balancing (#44558), KV-event map encoding (#42892), one-shot fused all-reduce PDL NaN fix (#45448).

Hardware & Performance

  • NVIDIA / kernels: SM90 CUTLASS FP8 mm odd-M support via swap_ab (180–290% kernel speedup) (#44572), tuned fused_moe FP8 for Qwen3-Next-80B on H100 (+25%) (#44830), native DSA indexer decode on SM100 (#45322), cluster-cooperative topK for DeepSeek low-latency (#43008), PDL support for DeepGEMM (#46006), FlashInfer cutedsl NVFP4 GEMM (#42235) and cute-dsl MXFP8 linear kernel (#46393), new Helion kernels for FP8/RMSNorm quant (#36902, #33790, #36895, #34432).
  • torch stable ABI: Continued (and completed) migration of kernels to the libtorch stable ABI — MoE [10c/n] (#44565), Marlin [11a/n] (#45176), Machete [11b/n] (#45304), final _C library migration [12/n] (#45415).
  • AMD ROCm: Torch 2.11 (#45362); fused AR + RMSNorm + per-group FP8 quant (#42864), fused softplus-sqrt-topk MoE router under AITER (#44945), DSv4 flash-decode split-K kernel (#44899) and inverse-RoPE fusion (#45103), W4A16 FlyDSL MoE (#44400), A8W4 MoE CDNA4 swizzle gate for gpt-oss (#44804); deprecation window begun for CUDA_VISIBLE_DEVICES on ROCm (#46636).
  • Intel XPU: Sequence-parallel support (#38608), torch-xpu 2.12 (#42262), vllm-xpu-kernels v0.1.10 (#40367), W4A16 int4 group_size=32 MoE (#45136), DeepSeek-V4 attention/MoE paths (#44144, #44517, #45240), top-p sampling correctness fix (#44470).
  • CPU & other architectures: 2.5× faster ASR CPU preprocessing via multi-threading (#44612), CPU W4A16 INT4 MoE (#43409), cgroup memory-limit-aware KV cache sizing (#45086), RISC-V oneDNN W8A8 INT8 (#44478) and RVV micro-GEMM for WNA16 (#44324), pinned memory for WSL2 (#41496), ZenCPU runtime logging (#42726).
  • TPU: tpu-inference upgraded to v0.22.1 (#45793).
  • Misc perf: VLLM_TRITON_FORCE_FIRST_CONFIG to skip Triton autotuning (#42425), Triton recompile detection (#45631), fused multi-group block-table staged writes (#44944).

Quantization

  • Online & mixed-precision: Online FP8 per-token-per-channel (PTPC) quantization (#44132); modelopt_mixed support extended to Ampere/SM80-86 (#45306) and Turing/SM75 (#45375).
  • FP4 / MXFP: FlashInfer cutedsl NVFP4 GEMM backend (#42235) and cute-dsl MXFP8 linear kernel (#46393), MXFP4 W4A4 MoE CUTLASS E8M0 scale fix (#43557), SwiGLU clamp wired for NVFP4 MoE on non-Blackwell (#45836), flashinfer_cutlass allowed as a clamped NVFP4 MoE backend (#46492), NVFP4/OCP MX MoE emulation fix (#46254), FP8 MoE re-enabled on NVIDIA Thor (#46339).

... (truncated)

Commits
  • ee0da84 [KV-Offloading] Fix tensors_per_block stride (#46888)
  • 217c64a [CI] Raise gsm8k startup timeout for MoE Refactor Qwen3 NVFP4 configs (#46882)
  • cfe8a4d [CI] Raise gsm8k startup timeout for Qwen3 NVFP4 trtllm configs (#46881)
  • 6d37570 Fix P/D with DP Supervisor (#46628)
  • f85a9f1 [Bugfix] FLASHINFER_MLA_SPARSE_SM120 compatibility with GLM-5 NVFP4 (#46506)
  • 836b5ac [ROCm] Begin Deprecation Window for CUDA_VISIBLE_DEVICES on ROCm (#46636)
  • b36db10 [KV Offload] Gate packed HMA KV cache on cross-layer config (#46252)
  • b70c13e [Bug] Fix `IndentationError: expected an indented block after 'with' statemen...
  • 6829a6d [Bugfix] Re-enable FP8 MoE on NVIDIA Thor (#46339)
  • 6ed56e0 [Bugfix] Fix illegal memory access from a forward during a partial wake_up (#...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [vllm](https://github.com/vllm-project/vllm) from 0.20.2 to 0.24.0.
- [Release notes](https://github.com/vllm-project/vllm/releases)
- [Changelog](https://github.com/vllm-project/vllm/blob/main/RELEASE.md)
- [Commits](vllm-project/vllm@v0.20.2...v0.24.0)

---
updated-dependencies:
- dependency-name: vllm
  dependency-version: 0.24.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings July 17, 2026 16:24
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot could not run the full agentic suite for this review because it was automatically requested on a bot-authored pull request. Request a review from Copilot under Reviewers to retry with the full agentic suite. Improved support for bot-authored pull requests is coming soon.

Updates vLLM dependency versions across miner components to target a newer vLLM release.

Changes:

  • Bump vllm pinned version in vllm-miner to 0.24.0
  • Raise vllm minimum version in pearl-gemm dev dependencies to >=0.24.0

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
miner/vllm-miner/pyproject.toml Updates pinned vllm dependency version
miner/pearl-gemm/pyproject.toml Updates vllm minimum version in dev dependency group

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpypi/​vllm@​0.20.2 ⏵ 0.24.077 +1100 +75100100100
Updatedpypi/​compressed-tensors@​0.15.0.1 ⏵ 0.17.097100100100100

View full report

@sentinel-by-digital-frontier

Copy link
Copy Markdown

🛡️ Sentinel PR review

3 file(s) changed · 0 introduced by this diff (secrets+SAST) · 97 SCA/IaC · 712 CVE at repo baseline. Advisory — the fail-closed gate is the post-merge pentest.

Findings — ranked by criticality

  • 🔴 [CRITICAL · SCA] google.golang.org/grpc v1.79.1CVE-2026-33186 — vulnerable dependency google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation Fix: Upgrade to 1.79.3. (CVSS 9.1 · CWE-285 CWE-551) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] google.golang.org/grpc v1.79.1GHSA-p77j-4mvh-x3m3 — vulnerable dependency gRPC-Go has an authorization bypass via missing leading slash in :path Fix: Upgrade to 1.79.3. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-vgwf-h737-ff37 — vulnerable dependency golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-f5wc-c3c7-36mc — vulnerable dependency golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-5cgq-3rg8-m6cv — vulnerable dependency golang.org/x/crypto vulnerable to auth bypass via unenforced @Revoked status Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-rm3j-f69w-wqmq — vulnerable dependency golang.org/x/crypto vulnerable to infinite loop on large channel writes Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5020 — vulnerable dependency When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation cau Fix: Upgrade to 0.52.0. (CVSS 9.1) (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-x527-x647-q7gg — vulnerable dependency golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement Fix: Upgrade to 0.52.0. (CVSS 10) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-89gr-r52h-f8rx — vulnerable dependency golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5019 — vulnerable dependency The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Fix: Upgrade to 0.52.0. (CVSS 9.1) (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-jppx-rxg9-jmrx — vulnerable dependency golang.org/x/crypto doesn't enforce invoking key constraints Fix: Upgrade to 0.52.0. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5005 — vulnerable dependency The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key wo Fix: Upgrade to 0.52.0. (CVSS 9.1) (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] protobufjs 7.5.4CVE-2026-41242 — vulnerable dependency protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields Fix: Upgrade to 8.0.1, 7.5.5. (CVSS 9.8 · CWE-94) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0CVE-2026-33815 — vulnerable dependency github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8 · CWE-787) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0CVE-2026-33816 — vulnerable dependency github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8 · CWE-787) details
  • 🔴 [CRITICAL · SCA] github.com/smallstep/certificates v0.30.0-rc3CVE-2026-30836 — vulnerable dependency github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request Fix: Upgrade to 0.30.0. (CVSS 10 · CWE-287 CWE-295) details
  • 🔴 [CRITICAL · SCA] protobufjs 7.5.4GHSA-xq3m-2v4x-88gg — vulnerable dependency Arbitrary code execution in protobufjs Fix: Upgrade to 7.5.5. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0GHSA-xgrm-4fwx-7qm8 — vulnerable dependency pgx contains memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0GHSA-9jj7-4m8r-rfcm — vulnerable dependency Memory-safety vulnerability in github.com/jackc/pgx/v5. Fix: Upgrade to 5.9.0. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] github.com/smallstep/certificates v0.30.0-rc3GHSA-q4r8-xm5f-56gw — vulnerable dependency step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) Fix: Upgrade to 0.30.0. (CVSS 10) details
  • 🟠 [HIGH · SCA] pyo3 0.24.2GHSA-36hh-v3qg-5jq4 — vulnerable dependency PyO3 has an Out-of-bounds Read in nth / nth_back for PyList and PyTuple iterators Fix: Upgrade to 0.29.0. (CVSS 8.7) details (✓ 6 methods agree)
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-8h8q-6873-q5fj — vulnerable dependency Next.js Vulnerable to Denial of Service with Server Components Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-q4gf-8mx6-v5v3 — vulnerable dependency Next.js has a Denial of Service with Server Components Fix: Upgrade to 15.5.15, 16.2.3. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] go.opentelemetry.io/otel v1.40.0CVE-2026-29181 — vulnerable dependency github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers Fix: Upgrade to 1.41.0. (CVSS 7.5 · CWE-770) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39828 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions Fix: Upgrade to 0.52.0. (CVSS 8.8 · CWE-295 CWE-281) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39829 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-347 CWE-1284) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39830 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-119 CWE-772) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39831 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check Fix: Upgrade to 0.52.0. (CVSS 8.1 · CWE-862) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39832 — vulnerable dependency golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions Fix: Upgrade to 0.52.0. (CVSS 8.7 · CWE-502 CWE-281) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39835 — vulnerable dependency golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-295 CWE-476) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-42508 — vulnerable dependency golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey Fix: Upgrade to 0.52.0. (CVSS 7.4 · CWE-295) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-46595 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation Fix: Upgrade to 0.52.0. (CVSS 7.1 · CWE-863 CWE-303) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-46597 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-704) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5006 — vulnerable dependency When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. D Fix: Upgrade to 0.52.0. (CVSS 8.7) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5017 — vulnerable dependency A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The bl Fix: Upgrade to 0.52.0. (CVSS 7.5) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5021 — vulnerable dependency Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' Fix: Upgrade to 0.52.0. (CVSS 7.4) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] go.opentelemetry.io/otel v1.40.0GHSA-mh2q-q3fh-2475 — vulnerable dependency OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) Fix: Upgrade to 1.41.0. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5023 — vulnerable dependency Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed othe Fix: Upgrade to 0.52.0. (CVSS 7.1) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GHSA-w879-237q-wc7r — vulnerable dependency golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS Fix: Upgrade to 0.52.0. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5018 — vulnerable dependency The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or Fix: Upgrade to 0.52.0. (CVSS 7.5) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5015 — vulnerable dependency SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a Fix: Upgrade to 0.52.0. (CVSS 7.5) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GHSA-q4h4-gmj2-qvw2 — vulnerable dependency golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic Fix: Upgrade to 0.52.0. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5013 — vulnerable dependency An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. Fix: Upgrade to 0.52.0. (CVSS 7.5) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5014 — vulnerable dependency When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, Fix: Upgrade to 0.52.0. (CVSS 8.8) (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3CVE-2026-48068 — vulnerable dependency grpc-js: @grpc/grpc-js: Server crash via malformed HTTP/2 stream initiation Fix: Upgrade to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. (CVSS 7.5 · CWE-248) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3CVE-2026-48069 — vulnerable dependency grpc-js: @grpc/grpc-js: Client or server crash via malformed compressed message Fix: Upgrade to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. (CVSS 7.5 · CWE-248) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-25639 — vulnerable dependency axios: Axios affected by Denial of Service via proto Key in mergeConfig Fix: Upgrade to 1.13.5, 0.30.3. (CVSS 7.5 · CWE-754 CWE-1287) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42033 — vulnerable dependency axios: Axios: HTTP Transport Hijacking via Prototype Pollution Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 7.4 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42035 — vulnerable dependency axios: Axios: Arbitrary HTTP header injection via prototype pollution Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 7.4 · CWE-113 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42043 — vulnerable dependency axios: Axios: NO_PROXY bypass via crafted URL Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 10 · CWE-183 CWE-441) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42264 — vulnerable dependency axios: Axios: Prototype pollution allows information disclosure and request manipulation Fix: Upgrade to 1.15.2. (CVSS 9.1 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44486 — vulnerable dependency axios: Axios: Information disclosure of proxy credentials via HTTP redirects Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-200 CWE-201) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44487 — vulnerable dependency axios: Axios: Information disclosure of proxy credentials via redirect flows Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-201) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44488 — vulnerable dependency axios: Axios: Denial of Service due to unenforced request and response size limits Fix: Upgrade to 1.16.0. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44494 — vulnerable dependency axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution Fix: Upgrade to 1.16.0. (CVSS 8.7 · CWE-441 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44495 — vulnerable dependency axios: Axios: Information disclosure due to prototype pollution vulnerability Fix: Upgrade to 1.15.2, 0.31.1. (CVSS 7 · CWE-94 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44496 — vulnerable dependency axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-400 CWE-1333) details
  • 🟠 [HIGH · SCA] flatted 3.3.3CVE-2026-32141 — vulnerable dependency flatted: flatted: Unbounded recursion DoS in parse() revive phase Fix: Upgrade to 3.4.0. (CVSS 7.5 · CWE-674 CWE-770) details
  • 🟠 [HIGH · SCA] flatted 3.3.3CVE-2026-33228 — vulnerable dependency flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON. Fix: Upgrade to 3.4.2. (CVSS 9.8 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] form-data 4.0.5CVE-2026-12143 — vulnerable dependency form-data: form-data: Form field override via CRLF injection Fix: Upgrade to 2.5.6, 3.0.5, 4.0.6. (CVSS 7.5 · CWE-93) details
  • 🟠 [HIGH · SCA] lodash 4.17.21CVE-2026-4800 — vulnerable dependency lodash: lodash: Arbitrary code execution via untrusted input in template imports Fix: Upgrade to 4.18.0. (CVSS 9.8 · CWE-94) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-26996 — vulnerable dependency minimatch: minimatch: Denial of Service via specially crafted glob patterns Fix: Upgrade to 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-27903 — vulnerable dependency minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3. (CVSS 7.5 · CWE-407) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-27904 — vulnerable dependency minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-26996 — vulnerable dependency minimatch: minimatch: Denial of Service via specially crafted glob patterns Fix: Upgrade to 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-27903 — vulnerable dependency minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3. (CVSS 7.5 · CWE-407) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-27904 — vulnerable dependency minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44573 — vulnerable dependency next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-863 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44574 — vulnerable dependency Next.js: Next.js: Authorization bypass via crafted query parameters Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 8.1 · CWE-288 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44575 — vulnerable dependency next.js: Next.js: Unauthorized access to protected content via middleware bypass Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-288 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44578 — vulnerable dependency Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 8.6 · CWE-918) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44579 — vulnerable dependency next.js: Next.js: Denial of Service via crafted POST requests to server actions Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-770 CWE-833) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-45109 — vulnerable dependency next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack Fix: Upgrade to 15.5.18, 16.2.6. (CVSS 7.5 · CWE-288 CWE-358) details
  • 🟠 [HIGH · SCA] picomatch 2.3.1CVE-2026-33671 — vulnerable dependency picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns Fix: Upgrade to 4.0.4, 3.0.2, 2.3.2. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] picomatch 4.0.3CVE-2026-33671 — vulnerable dependency picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns Fix: Upgrade to 4.0.4, 3.0.2, 2.3.2. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44289 — vulnerable dependency protobufjs: protobufjs: Denial of Service via uncontrolled recursion in protobuf decoding Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 7.5 · CWE-674 CWE-606) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44290 — vulnerable dependency protobufjs: protobufjs: Denial of Service via crafted schema Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 7.5 · CWE-1321) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44291 — vulnerable dependency protobufjs: protobufjs: Arbitrary Code Execution via prototype pollution Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 8.1 · CWE-94) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44293 — vulnerable dependency protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 8.8 · CWE-94) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-48712 — vulnerable dependency protobufjs: protobufjs: Denial of Service via uncontrolled recursion with crafted protobuf payload Fix: Upgrade to 7.6.1, 8.4.1. (CVSS 7.5 · CWE-674) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-21884 — vulnerable dependency react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration Fix: Upgrade to 7.12.0. (CVSS 8.2 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-22029 — vulnerable dependency @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects Fix: Upgrade to 7.12.0. (CVSS 8 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-33245 — vulnerable dependency react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects Fix: Upgrade to 7.13.2. (CVSS 8 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-34077 — vulnerable dependency react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handling Fix: Upgrade to 7.14.0. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-42211 — vulnerable dependency React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE Fix: Upgrade to 7.14.2. (CVSS 8.1 · CWE-502) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-42342 — vulnerable dependency react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint Fix: Upgrade to 7.15.0. (CVSS 7.5 · CWE-400) details
  • 🟠 [HIGH · SCA] valibot 0.37.0CVE-2025-66020 — vulnerable dependency Valibot has a ReDoS vulnerability in EMOJI_REGEX Fix: Upgrade to 1.2.0. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2025-47950 — vulnerable dependency coredns: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification Fix: Upgrade to 1.12.2. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2025-58063 — vulnerable dependency github.com/coredns/coredns: CoreDNS Lease ID Confusion Fix: Upgrade to 1.12.4. (CVSS 7.1 · CWE-681) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-26017 — vulnerable dependency github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw Fix: Upgrade to 1.14.2. (CVSS 7.7 · CWE-367) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-26018 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation Fix: Upgrade to 1.14.2. (CVSS 7.5 · CWE-337 CWE-400) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-32934 — vulnerable dependency coredns: github.com/coredns/coredns: CoreDNS: Denial of Service due to unbounded resource growth in DNS-over-QUIC (DoQ) stream handling Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-32936 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Denial of Service via oversized DNS-over-HTTPS GET requests Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-400) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-33190 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Authentication bypass via flawed TSIG plugin verification on non-plain-DNS transports Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-303) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-33489 — vulnerable dependency CoreDNS: github.com/coredns/coredns: CoreDNS: Information disclosure via incorrect ACL stanza selection in transfer plugin Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-863) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-35579 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Authentication bypass allows unauthorized access to TSIG-protected functionalities Fix: Upgrade to 1.14.3. (CVSS 9.8 · CWE-287 CWE-303) details
  • 🟠 [HIGH · SCA] github.com/quic-go/quic-go v0.42.0CVE-2025-59530 — vulnerable dependency github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame Fix: Upgrade to 0.49.1, 0.54.1. (CVSS 7.5 · CWE-617 CWE-755) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-25681 — vulnerable dependency golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-27136 — vulnerable dependency golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-33814 — vulnerable dependency net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame Fix: Upgrade to 0.53.0. (CVSS 7.5 · CWE-835 CWE-606) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-39821 — vulnerable dependency golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing Fix: Upgrade to 0.55.0. (CVSS 8.2 · CWE-1289) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-45135 — vulnerable dependency Caddy is an extensible server platform that uses TLS by default. From ... Fix: Upgrade to 2.11.3. (CVSS 8.1 · CWE-20 CWE-176) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-52844 — vulnerable dependency Caddy is an extensible server platform that uses TLS by default. Prior ... Fix: Upgrade to 2.11.4. (CVSS 7.5 · CWE-22 CWE-284) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-52845 — vulnerable dependency github.com/caddyserver/caddy: Caddy: Remote client can inject or override identity headers via header normalization Fix: Upgrade to 2.11.4. (CVSS 8.1 · CWE-287 CWE-290) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v3 v3.0.4CVE-2026-34986 — vulnerable dependency github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object Fix: Upgrade to 3.0.5. (CVSS 7.5 · CWE-248 CWE-131) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v4 v4.1.3CVE-2026-34986 — vulnerable dependency github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object Fix: Upgrade to 4.1.4. (CVSS 7.5 · CWE-248 CWE-131) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0CVE-2026-25681 — vulnerable dependency golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0CVE-2026-27136 — vulnerable dependency golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0CVE-2026-33814 — vulnerable dependency net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame Fix: Upgrade to 0.53.0. (CVSS 7.5 · CWE-835 CWE-606) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0CVE-2026-39821 — vulnerable dependency golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing Fix: Upgrade to 0.55.0. (CVSS 8.2 · CWE-1289) details
  • 🟠 [HIGH · IaC] dnsseeder/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] miner/vllm-miner/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] node/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] proxy/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] spv/tools/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] spv/tools/Dockerfile'apt-get' missing '--no-install-recommends' '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y git' Fix: Add '--no-install-recommends' flag to 'apt-get'
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-c4j6-fc7j-m34r — vulnerable dependency Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades Fix: Upgrade to 15.5.16. (CVSS 8.6) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-43fc-jf86-j433 — vulnerable dependency Axios is Vulnerable to Denial of Service via proto Key in mergeConfig Fix: Upgrade to 1.13.5. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] lodash 4.17.21GHSA-r5fr-rjxr-66jc — vulnerable dependency lodash vulnerable to Code Injection via _.template imports key names Fix: Upgrade to 4.18.0. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-267c-6grr-h53f — vulnerable dependency Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-cvx7-x8pj-x2gw — vulnerable dependency CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification Fix: Upgrade to 1.12.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-35jp-ww65-95wh — vulnerable dependency axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy Fix: Upgrade to 1.16.0. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-h75p-j8xm-m278 — vulnerable dependency CoreDNS Loop Detection Denial of Service Vulnerability Fix: Upgrade to 1.14.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] ecdsa 0.19.1GHSA-wj6h-64fc-37mp — vulnerable dependency Minerva timing attack on P-256 in python-ecdsa Fix: No fixed version yet — assess exposure / pin. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] flatted 3.3.3GHSA-rf6f-7fwh-wjgh — vulnerable dependency Prototype Pollution via parse() in NodeJS flatted Fix: Upgrade to 3.4.2. (CVSS 8.9) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-pf86-5x62-jrwf — vulnerable dependency Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking Fix: Upgrade to 1.15.1. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-2w69-qvjg-hvjx — vulnerable dependency React Router vulnerable to XSS via Open Redirects Fix: Upgrade to 7.12.0. (CVSS 8) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0GO-2026-4918 — vulnerable dependency When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_F Fix: Upgrade to 0.53.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0GO-2026-4918 — vulnerable dependency When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_F Fix: Upgrade to 0.53.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] flatted 3.3.3GHSA-25h7-pfq9-p65f — vulnerable dependency flatted vulnerable to unbounded recursion DoS in parse() revive phase Fix: Upgrade to 3.4.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-q8qp-cvcw-x6jj — vulnerable dependency Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking Fix: Upgrade to 1.15.2. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-63cw-r7xf-jmwr — vulnerable dependency CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-p92q-9vqr-4j8v — vulnerable dependency Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter Fix: Upgrade to 1.16.0. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v3 v3.0.4GHSA-78h2-9frx-2jm8 — vulnerable dependency Go JOSE Panics in JWE decryption Fix: Upgrade to 3.0.5. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v4 v4.1.3GHSA-78h2-9frx-2jm8 — vulnerable dependency Go JOSE Panics in JWE decryption Fix: Upgrade to 4.1.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-pmwg-cvhr-8vh7 — vulnerable dependency Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 Fix: Upgrade to 1.15.1. (CVSS 7.2) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-777c-7fjr-54vf — vulnerable dependency Allocation of Resources Without Limits or Throttling in Axios Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3GHSA-5375-pq7m-f5r2 — vulnerable dependency @grpc/grpc-js: A malformed request can cause a server crash Fix: Upgrade to 1.14.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3GHSA-99f4-grh7-6pcq — vulnerable dependency @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash Fix: Upgrade to 1.14.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-hfxv-24rg-xrqf — vulnerable dependency Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-36qx-fr4f-26g5 — vulnerable dependency Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-685m-2w69-288q — vulnerable dependency protobuf.js: Denial of service through unbounded protobuf recursion Fix: Upgrade to 7.5.6. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-3ppc-4f35-3m26 — vulnerable dependency minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern Fix: Upgrade to 3.1.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-3ppc-4f35-3m26 — vulnerable dependency minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern Fix: Upgrade to 9.0.6. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-mg66-mrh9-m8jx — vulnerable dependency Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-26hh-7cqf-hhc6 — vulnerable dependency Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up Fix: Upgrade to 15.5.18. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-j5f8-grm9-p9fc — vulnerable dependency Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-vp29-5652-4fw9 — vulnerable dependency CoreDNS has TSIG authentication bypass on gRPC and QUIC transports Fix: Upgrade to 1.14.3. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-75px-5xx7-5xc7 — vulnerable dependency protobuf.js: Code generation gadget after prototype pollution Fix: Upgrade to 7.5.6. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-7r86-cg39-jmmj — vulnerable dependency minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments Fix: Upgrade to 3.1.3. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-7r86-cg39-jmmj — vulnerable dependency minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments Fix: Upgrade to 9.0.7. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-492v-c6pp-mqqv — vulnerable dependency Next.js has a Middleware / Proxy bypass through dynamic route parameter injection Fix: Upgrade to 15.5.16. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0GO-2026-5026 — vulnerable dependency The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("x Fix: Upgrade to 0.55.0. (CVSS 8.2)
  • 🟠 [HIGH · SCA] golang.org/x/net v0.51.0GO-2026-5026 — vulnerable dependency The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("x Fix: Upgrade to 0.55.0. (CVSS 8.2)
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8v8x-cx79-35w7 — vulnerable dependency React Router SSR XSS in ScrollRestoration Fix: Upgrade to 7.12.0. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-2wpx-qpw2-g5h5 — vulnerable dependency CoreDNS' DoQ worker pool does not bound stream backlog Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-3g43-6gmg-66jw — vulnerable dependency axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge Fix: Upgrade to 1.15.2. (CVSS 7) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-23c5-xmqv-rm74 — vulnerable dependency minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions Fix: Upgrade to 3.1.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-23c5-xmqv-rm74 — vulnerable dependency minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions Fix: Upgrade to 9.0.7. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/quic-go/quic-go v0.42.0GHSA-47m2-4cr7-mhcw — vulnerable dependency quic-go: Panic occurs when queuing undecryptable packets after handshake completion Fix: Upgrade to 0.49.1. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] ujson 5.12.0GHSA-c38f-wx89-p2xg — vulnerable dependency UltraJSON has a Memory Leak in ujson.dump() on Write Failure Fix: Upgrade to 5.12.1. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-49rj-9fvp-4h2h — vulnerable dependency React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE Fix: Upgrade to 7.14.2. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] form-data 4.0.5GHSA-hmw2-7cc7-3qxx — vulnerable dependency form-data: CRLF injection in form-data via unescaped multipart field names and filenames Fix: Upgrade to 4.0.6. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] picomatch 2.3.1GHSA-c2c7-rcm5-vvqj — vulnerable dependency Picomatch has a ReDoS vulnerability via extglob quantifiers Fix: Upgrade to 2.3.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] picomatch 4.0.3GHSA-c2c7-rcm5-vvqj — vulnerable dependency Picomatch has a ReDoS vulnerability via extglob quantifiers Fix: Upgrade to 4.0.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2GHSA-qrp7-cvwr-j2c6 — vulnerable dependency Caddy: Windows file_server path authorization bypass via encoded backslash Fix: Upgrade to 2.11.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-66ff-xgx4-vchm — vulnerable dependency protobuf.js: Code injection through bytes field defaults in generated toObject code Fix: Upgrade to 7.5.6. (CVSS 7.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-h8mm-c463-wjq3 — vulnerable dependency CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) Fix: Upgrade to 1.14.3. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-93mf-426m-g6x9 — vulnerable dependency CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion Fix: Upgrade to 1.12.4. (CVSS 7.1) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-6chq-wfr3-2hj9 — vulnerable dependency Axios: Header Injection via Prototype Pollution Fix: Upgrade to 1.15.1. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] pyjwt 2.11.0GHSA-xgmm-8j9v-c9wx — vulnerable dependency PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed Fix: Upgrade to 2.13.0. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-c9v3-4pv7-87pr — vulnerable dependency CoreDNS ACL Bypass Fix: Upgrade to 1.14.2. (CVSS 7.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-qhmp-q7xh-99rh — vulnerable dependency CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-jvwf-75h9-cwgg — vulnerable dependency protobuf.js: Process-wide denial of service through unsafe option paths Fix: Upgrade to 7.5.6. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-wcpc-wj8m-hjx6 — vulnerable dependency protobufjs: Denial of service through unbounded Any expansion during JSON conversion Fix: Upgrade to 7.6.1. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8x6r-g9mw-2r78 — vulnerable dependency React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint Fix: Upgrade to 7.15.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] valibot 0.37.0GHSA-vqpr-j7v3-hqw9 — vulnerable dependency Valibot has a ReDoS vulnerability in EMOJI_REGEX Fix: Upgrade to 1.2.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-rxv8-25v2-qmq8 — vulnerable dependency React Router vulnerable to Denial of Service via reflected user input in single-fetch Fix: Upgrade to 7.14.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] pyjwt 2.11.0GHSA-752w-5fwx-jx9f — vulnerable dependency PyJWT accepts unknown crit header extensions Fix: Upgrade to 2.12.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] python-multipart 0.0.27GHSA-5rvq-cxj2-64vf — vulnerable dependency python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service Fix: Upgrade to 0.0.30. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2GHSA-f59h-q822-g45g — vulnerable dependency Caddy: FastCGI header normalization bypass in forward_auth copy_headers Fix: Upgrade to 2.11.4. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] mcp 1.26.0GHSA-jpw9-pfvf-9f58 — vulnerable dependency MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal Fix: Upgrade to 1.27.2. (CVSS 7.1) details
  • 🟠 [HIGH · SCA] mcp 1.26.0GHSA-hvrp-rf83-w775 — vulnerable dependency MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks Fix: Upgrade to 1.27.2. (CVSS 7.6) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8646-j5j9-6r62 — vulnerable dependency React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets Fix: Upgrade to 7.13.2. (CVSS 8) details
  • 🟠 [HIGH · SCA] mcp 1.26.0GHSA-vj7q-gjh5-988w — vulnerable dependency MCP Python SDK: WebSocket server transport does not support Host/Origin validation Fix: Upgrade to 1.28.1. (CVSS 7.6) details
  • 🟠 [HIGH · SCA] cryptography 46.0.7GHSA-537c-gmf6-5ccf — vulnerable dependency Vulnerable OpenSSL included in cryptography wheels Fix: Upgrade to 48.0.1. (CVSS 7.5) details
  • 🟡 [MEDIUM · SCA] pyo3 0.24.2GHSA-chgr-c6px-7xpp — vulnerable dependency PyO3 has a missing Sync bound on PyCFunction::new_closure closures Fix: Upgrade to 0.29.0. (CVSS 6.3) details (✓ 3 methods agree)
  • 🟡 [MEDIUM · SCA] serde_with 3.18.0GHSA-7gcf-g7xr-8hxj — vulnerable dependency serde_with: KeyValueMap serialization panics on empty sequence or map entries Fix: Upgrade to 3.21.0. (CVSS 5.1) details (✓ 3 methods agree)
  • …and 105 more (the least-critical, trimmed to fit GitHub's comment limit).

🤖 Code review (Flynn)

No issues found.

📦 New dependencies

This PR adds 10 and upgrades 14 third-party package(s). Review new supply-chain surface (licenses, maintainers, CVE exposure).

Added (10)

  • humming-kernels 0.1.6 (python)
  • nvidia-cuda-cccl 13.3.3.4.1 (python)
  • nvidia-cuda-crt 13.3.73 (python)
  • nvidia-cuda-nvcc 13.2.86 (python)
  • nvidia-cuda-tileiras 13.2.86 (python)
  • nvidia-cutlass-dsl-libs-cu13 4.5.2 (python)
  • nvidia-nvvm 13.2.86 (python)
  • pyelftools 0.33 (python)
  • tokenspeed-mla 0.1.2 (python)
  • tokenspeed-triton 3.8.10.post20260709 (python)

Upgraded (14)

  • compressed-tensors 0.15.0.1 → 0.17.0 (python)
  • fastsafetensors 0.3 → 0.3.3 (python)
  • flashinfer-cubin 0.6.8.post1 → 0.6.12 (python)
  • flashinfer-python 0.6.8.post1 → 0.6.12 (python)
  • llguidance 1.3.0 → 1.7.6 (python)
  • mistral-common 1.11.0 → 1.11.6 (python)
  • model-hosting-container-standards 0.1.13 → 0.1.16 (python)
  • nvidia-cudnn-frontend 1.18.0 → 1.26.0 (python)
  • nvidia-cutlass-dsl 4.4.2 → 4.5.2 (python)
  • nvidia-cutlass-dsl-libs-base 4.4.2 → 4.5.2 (python)
  • prometheus-fastapi-instrumentator 7.1.0 → 8.0.2 (python)
  • starlette 0.52.1 → 1.3.1 (python)
  • vllm 0.20.2 → 0.24.0 (python)
  • xgrammar 0.1.33 → 0.2.3 (python)
Scan summary
Category Scope Findings
Secrets this diff 0
Static analysis changed files 0
Dependencies + IaC repo baseline 97
Known CVEs repo baseline 712

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant