From 49fe089470a6a81022b5aa2e49ebfa6ae2dd0c94 Mon Sep 17 00:00:00 2001
From: Zhanrui Sun <184402041+ZhanruiSunCh@users.noreply.github.com>
Date: Wed, 10 Dec 2025 16:18:11 +0800
Subject: [PATCH] [TRTLLM-9811][infra] Update urllib3 version >= 2.6.0 to fix high vulnerability issue (#9823)

Signed-off-by: ZhanruiSunCh <184402041+ZhanruiSunCh@users.noreply.github.com>
Signed-off-by: Zhanrui Sun <184402041+ZhanruiSunCh@users.noreply.github.com>
---
 constraints.txt | 3 +++
 docker/Dockerfile.multi | 4 ++++
 docker/common/install_base.sh | 2 +-
 jenkins/current_image_tags.properties | 8 ++++----
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/constraints.txt b/constraints.txt
index d4b78a2567..9cea8d00a9 100644
--- a/constraints.txt
+++ b/constraints.txt
@@ -1,2 +1,5 @@
 # These vulnerabilities were inherited from the base image (pytorch:25.10-py3) and should be removed when the base image
 # is updated.
+# WAR against https://github.com/advisories/GHSA-gm62-xv2j-4w53
+# WAR against https://github.com/advisories/GHSA-2xpw-w6gg-jr37
+urllib3>=2.6.0
diff --git a/docker/Dockerfile.multi b/docker/Dockerfile.multi
index 3d5aee7268..74e18b2cd2 100644
--- a/docker/Dockerfile.multi
+++ b/docker/Dockerfile.multi
@@ -71,6 +71,10 @@ RUN GITHUB_MIRROR=${GITHUB_MIRROR} \
 rm install_pytorch.sh && \
 rm install.sh

+# Copy and install dependencies from constraints.txt
+COPY constraints.txt /tmp/constraints.txt
+RUN pip3 install --no-cache-dir -r /tmp/constraints.txt && rm /tmp/constraints.txt
+
 # Install UCX, NIXL, etcd
 # TODO: Combine these into the main install.sh script
 RUN GITHUB_MIRROR=${GITHUB_MIRROR} bash ./install_ucx.sh && \
diff --git a/docker/common/install_base.sh b/docker/common/install_base.sh
index b7c3f01d27..99ec57e2e1 100644
--- a/docker/common/install_base.sh
+++ b/docker/common/install_base.sh
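Review bot: The urllib3 floor is applied only once, at the added `RUN pip3 install --no-cache-dir -r /tmp/constraints.txt`, and nothing visible in this hunk keeps later layers from changing the package again. The file is passed with `-r` as a requirements list and then deleted, so any pip invocation that runs afterwards (in the steps that follow this hunk, which are not shown) is not constrained by it; if one of them resolves an older urllib3, the image would ship without the GHSA-gm62-xv2j-4w53 / GHSA-2xpw-w6gg-jr37 fix and the build would still pass. Keeping the file at a stable path and exporting it through `PIP_CONSTRAINT`, or asserting the version in the final stage with something like `RUN python3 -c "import urllib3; assert tuple(map(int, urllib3.__version__.split('.')[:2])) >= (2, 6)"`, would make the workaround enforceable. The `urllib3>=2.6.0` entry in constraints.txt is also open-ended, so each rebuild may pick up a different release; an upper bound or exact pin would keep the images reproducible.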
@@ -119,7 +119,7 @@ install_python_rockylinux() {
 }

 install_pyp_rockylinux() {
- bash -c "pip3 install 'urllib3<2.0' pytest"
+ bash -c "pip3 install pytest"
 }

 install_gcctoolset_rockylinux() {
diff --git a/jenkins/current_image_tags.properties b/jenkins/current_image_tags.properties
index a7ae94d2d3..ed5f0078bd 100644
--- a/jenkins/current_image_tags.properties
+++ b/jenkins/current_image_tags.properties
@@ -13,7 +13,7 @@
 # images are adopted from PostMerge pipelines, the abbreviated commit hash is used instead.
 IMAGE_NAME=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm
-LLM_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.10-py3-x86_64-ubuntu24.04-trt10.13.3.9-skip-tritondevel-202512081220-9584
-LLM_SBSA_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.10-py3-aarch64-ubuntu24.04-trt10.13.3.9-skip-tritondevel-202512081220-9584
-LLM_ROCKYLINUX8_PY310_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.0.2-devel-rocky8-x86_64-rocky8-py310-trt10.13.3.9-skip-tritondevel-202512081220-9584
-LLM_ROCKYLINUX8_PY312_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.0.2-devel-rocky8-x86_64-rocky8-py312-trt10.13.3.9-skip-tritondevel-202512081220-9584
+LLM_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.10-py3-x86_64-ubuntu24.04-trt10.13.3.9-skip-tritondevel-202512091705-9823
+LLM_SBSA_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.10-py3-aarch64-ubuntu24.04-trt10.13.3.9-skip-tritondevel-202512091705-9823
+LLM_ROCKYLINUX8_PY310_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.0.2-devel-rocky8-x86_64-rocky8-py310-trt10.13.3.9-skip-tritondevel-202512091705-9823
+LLM_ROCKYLINUX8_PY312_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.0.2-devel-rocky8-x86_64-rocky8-py312-trt10.13.3.9-skip-tritondevel-202512091705-9823
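Review bot: After this change `install_pyp_rockylinux` installs pytest with no urllib3 requirement at all, so on the Rocky Linux images the patched version is guaranteed only if the separate constraints.txt step in Dockerfile.multi also runs for that build, which this hunk does not show. Stating the floor here as well, `bash -c "pip3 install 'urllib3>=2.6.0' pytest"`, would keep this path safe on its own; failing that, a comment such as `# urllib3 floor comes from constraints.txt (installed in Dockerfile.multi)` would record the dependency. The commit does not say why the old `urllib3<2.0` cap existed, so it is worth confirming that nothing in the Rocky 8 environment still needs the 1.x line before relying on the removal.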