[https://nvbugs/6467688][fix] Bump the floor to mistune>=3.3.0 and update the WAR comment to reference the…#16527
Conversation
…w-v96p) Signed-off-by: trtllm-agent <296075020+trtllm-agent@users.noreply.github.com>
📝 WalkthroughWalkthroughThe ChangesMistune security update
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@constraints.txt`:
- Around line 8-9: Add or update the NVIDIA copyright header at the beginning of
constraints.txt, before the existing base-image comments and dependency
declaration, using the appropriate current copyright year.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 06a800f1-4440-46f6-aa13-614ea932998e
📒 Files selected for processing (1)
constraints.txt
| # WAR against https://github.com/advisories/GHSA-qcq2-496w-v96p | ||
| mistune>=3.3.0 |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Add or update the NVIDIA copyright header.
This modified file’s top-of-file context begins with base-image comments and does not contain the required NVIDIA copyright header/year. Please add or update it before merging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@constraints.txt` around lines 8 - 9, Add or update the NVIDIA copyright
header at the beginning of constraints.txt, before the existing base-image
comments and dependency declaration, using the appropriate current copyright
year.
Source: Coding guidelines
Summary
constraints.txtpinsmistune>=3.2.1, which allows the vulnerable 3.2.1 version (CVE GHSA-qcq2-496w-v96p) to satisfy the floor.mistune>=3.3.0and update the WAR comment to reference the new advisoryGHSA-qcq2-496w-v96pto match sibling-line convention.Test plan
Links
Summary by CodeRabbit