chore(deps): update dependency sentencepiece to v0.2.1 [security] #14273
renovate-bot wants to merge 1 commit into
Code Review
This pull request updates the sentencepiece dependency from version 0.2.0 to 0.2.1 across multiple requirements.txt files in the generative_ai directory. The reviewer notes that if support for older Python versions is being dropped, legacy version-specific dependency pins for packages like pandas and pillow should be removed to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.84.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
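Review bot: the new pin `sentencepiece==0.2.1` matches the fixed version named in the advisory (CVE-2026-1260 / GHSA-38vq-g6vr-w8wf) and carries no environment marker, so it applies to every interpreter the sample supports, which is the right shape for a security bump. Because the advisory describes invalid memory access when loading a crafted model file rather than one produced by normal training, any sample that loads a third-party or user-supplied `.model` file should not remain on 0.2.0; before merging, confirm with a repository-wide search that no `sentencepiece==0.2.0` pin survives outside the files touched here.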
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.74.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
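Review bot: out of scope for this Renovate bump, but the unchanged context line shows `google-cloud-aiplatform[all]==1.74.0` here while sibling files pin 1.69.0 and the first file pins 1.84.0; a follow-up that aligns those pins would keep the samples on one tested SDK version and make future security bumps of this kind easier to verify in one pass.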
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
| pillow==10.4.0; python_version >= '3.8' | ||
| google-cloud-aiplatform[all]==1.69.0 | ||
| sentencepiece==0.2.0 | ||
| sentencepiece==0.2.1 |
If you are dropping support for older Python versions (such as Python 3.7 and 3.8), please ensure that all legacy, version-specific dependency pins (like those for pandas and pillow) are removed from the requirements file to maintain consistency, rather than adding new version-specific markers for sentencepiece.
References
- When dropping support for older Python versions, ensure that all legacy, version-specific dependency pins are removed from the requirements file to maintain consistency.
This PR contains the following updates:
sentencepiece: ==0.2.0 → ==0.2.1
Sentencepiece has a heap overflow issue
CVE-2026-1260 / GHSA-38vq-g6vr-w8wf
Details
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
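The two things a reviewer of this PR would want checked mechanically are whether any requirements file still pins the package below the advisory's fixed version, and whether legacy `python_version >= 'X.Y'` markers (the kind the review comments on pandas and pillow refer to) still exclude anything once the project's minimum supported Python is at or above X.Y. The script below, an added example and not code from the Renovate PR, the repository under review, or the sentencepiece project, parses `==` pins from requirements text and performs both checks. The sample requirements text is constructed to resemble the diffs above; the pandas lines, the `min_supported` argument, the simplified version comparison (numeric components only, pre-release suffixes ignored) and the function names are assumptions, not taken from the page.

```python
"""Audit requirements.txt pins against an advisory's fixed version and flag
redundant python_version markers (added example; not from the PR or project)."""
import re
from typing import NamedTuple, Optional

# name[extras]==version; marker   (trailing "# comment" tolerated)
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*"
    r"(?P<version>[0-9][0-9A-Za-z.]*)\s*(?:;\s*(?P<marker>.+?))?\s*(?:#.*)?$"
)
# Only the ">=" form is a candidate for removal: it becomes a no-op once the
# project's floor is at or above the marker's version.
_PY_MARKER_RE = re.compile(r"""python_version\s*>=\s*['"](?P<ver>\d+\.\d+)['"]""")


class Pin(NamedTuple):
    name: str
    version: str
    marker: Optional[str]


def version_key(version: str) -> tuple:
    """Tuple of leading numeric components, so "0.2.10" sorts above "0.2.9".
    Simplification (assumption): pre/post-release suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pins(text: str) -> list:
    """Extract exact (==) pins; names are normalised to lowercase with dashes."""
    pins = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            name = m["name"].lower().replace("_", "-")
            pins.append(Pin(name, m["version"], m["marker"]))
    return pins


def vulnerable_pins(text: str, package: str, fixed_version: str) -> list:
    """Pins of `package` strictly below `fixed_version` (still exposed)."""
    fixed = version_key(fixed_version)
    return [p for p in parse_pins(text)
            if p.name == package.lower() and version_key(p.version) < fixed]


def redundant_python_markers(text: str, min_supported: str) -> list:
    """Pins whose `python_version >= 'X.Y'` marker is implied by the project's
    minimum supported Python, i.e. the legacy marker no longer excludes anything."""
    floor = version_key(min_supported)
    out = []
    for p in parse_pins(text):
        if not p.marker:
            continue
        m = _PY_MARKER_RE.search(p.marker)
        if m and version_key(m["ver"]) <= floor:
            out.append(p)
    return out


# Constructed sample modelled on the diffs in this PR; the pandas lines are
# an assumption about what the "legacy version-specific pins" look like.
BEFORE = """\
pandas==1.3.5; python_version == '3.7'
pandas==2.0.3; python_version >= '3.8'
pillow==10.4.0; python_version >= '3.8'
google-cloud-aiplatform[all]==1.69.0
sentencepiece==0.2.0
"""
AFTER = BEFORE.replace("sentencepiece==0.2.0", "sentencepiece==0.2.1")

if __name__ == "__main__":
    for p in vulnerable_pins(BEFORE, "sentencepiece", "0.2.1"):
        print(f"vulnerable pin: {p.name}=={p.version} (fixed in 0.2.1)")
    print("after bump:", vulnerable_pins(AFTER, "sentencepiece", "0.2.1"))
    # Assumed minimum supported Python of 3.9: both '>= 3.8' markers are dead weight.
    for p in redundant_python_markers(AFTER, "3.9"):
        print(f"redundant marker on {p.name}=={p.version}: {p.marker}")
```

Run it against real files by reading each `requirements.txt` into `text`; a non-empty result from `vulnerable_pins` is a file the security bump missed, and each entry from `redundant_python_markers` is a marker that can be dropped when the interpreter floor is raised, which is the cleanup the review comments ask for instead of adding new per-version markers.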
Release Notes
google/sentencepiece (sentencepiece)
v0.2.1
Major changes
New features
-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build Python wheels. The rules are loaded as the data package.
Bug fixes & minor changes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.