Remove unused diffusers/cache_diffusion/pipeline and cuda-python dependency

.coderabbit.yaml

@@ -20,6 +20,9 @@ reviews:
         5. Any use of "# nosec" comments to bypass Bandit security checks is not allowed.
            If a security-sensitive pattern is genuinely necessary, the PR must be reviewed and approved
            by @NVIDIA/modelopt-setup-codeowners with an explicit justification in the PR description.
+        6. Any addition of new PIP dependencies in pyproject.toml or requirements.txt that are not
+           permissive licenses (e.g. MIT, Apache 2) must be reviewed and approved by
+           @NVIDIA/modelopt-setup-codeowners with an explicit justification in the PR description.
     - path: "examples/**/*.py"
       instructions: *security_instructions
   auto_review:

.github/PULL_REQUEST_TEMPLATE.md

@@ -17,10 +17,10 @@ Type of change: ? <!-- Use one of the following: Bug fix, new feature, new examp
 
 Make sure you read and follow [Contributor guidelines](https://github.com/NVIDIA/Model-Optimizer/blob/main/CONTRIBUTING.md) and your commits are signed (`git commit -s -S`).
 
-Make sure you read and follow the [Security Best Practices](https://github.com/NVIDIA/Model-Optimizer/blob/main/SECURITY.md#security-coding-practices-for-contributors) (e.g. avoiding hardcoded `trust_remote_code=True`, using `torch.load(..., weights_only=True)`, avoiding `pickle`, etc.).
+Make sure you read and follow the [Security Best Practices](https://github.com/NVIDIA/Model-Optimizer/blob/main/SECURITY.md#security-coding-practices-for-contributors) (e.g. avoiding hardcoded `trust_remote_code=True`, `torch.load(..., weights_only=False)`, `pickle`, etc.).
 
 - Is this change backward compatible?: ✅ / ❌ / N/A <!--- If ❌, explain why. -->
-- If you copied code from any other source, did you follow IP policy in [CONTRIBUTING.md](https://github.com/NVIDIA/Model-Optimizer/blob/main/CONTRIBUTING.md#-copying-code-from-other-sources)?: ✅ / ❌ / N/A <!--- Mandatory -->
+- If you copied code from any other sources or added a new PIP dependency, did you follow guidance in `CONTRIBUTING.md`: ✅ / ❌ / N/A <!--- Mandatory -->
 - Did you write any new necessary tests?: ✅ / ❌ / N/A <!--- Mandatory for new features or examples. -->
 - Did you update [Changelog](https://github.com/NVIDIA/Model-Optimizer/blob/main/CHANGELOG.rst)?: ✅ / ❌ / N/A <!--- Only for new features, API changes, critical bug fixes or backward incompatible changes. -->
 

CONTRIBUTING.md

@@ -39,6 +39,12 @@ To run the pre-commit hooks without committing, use:
 pre-commit run --all-files
 ```
 
+## Adding a new PIP dependency
+
+Currently we have 2 places where we mention pip dependencies: [pyproject.toml](./pyproject.toml) for dependencies that are required for the ModelOpt library and `examples/<example-name>/requirements.txt` for dependencies that are required for the specific examples.
+
+If adding a new PIP dependency to any of these, make sure to verify the LICENSE of the dependency. If its not a permissive license (e.g. MIT, Apache 2), you need to provide a justification for the use of the dependency in the PR and check with `@NVIDIA/modelopt-setup-codeowners` if its allowed or not.
+
 ## 🔒 Security coding practices
 
 All contributors must follow the security coding practices documented in *Security Coding Practices for