From 99e8cb0999985bf18f5497d29ace24402cfffb9f Mon Sep 17 00:00:00 2001
From: Yiqing Yan <yiqingy@nvidia.com>
Date: Tue, 20 Jan 2026 14:51:36 +0800
Subject: [PATCH] [None][fix] Fix vulnerability urllib3 and nbconvert (#10551)

Signed-off-by: Yiqing Yan <yiqingy@nvidia.com>
---
 constraints.txt                       | 5 ++---
 docker/Dockerfile.multi               | 3 +++
 jenkins/current_image_tags.properties | 8 ++++----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/constraints.txt b/constraints.txt
index 9cea8d00a9..6436c8b8b1 100644
--- a/constraints.txt
+++ b/constraints.txt
@@ -1,5 +1,4 @@
 # These vulnerabilities were inherited from the base image (pytorch:25.10-py3) and should be removed when the base image
 # is updated.
-# WAR against https://github.com/advisories/GHSA-gm62-xv2j-4w53
-# WAR against https://github.com/advisories/GHSA-2xpw-w6gg-jr37
-urllib3>=2.6.0
+# WAR against https://github.com/advisories/GHSA-38jv-5279-wg99
+urllib3>=2.6.3
diff --git a/docker/Dockerfile.multi b/docker/Dockerfile.multi
index a6bf164d1a..5b66a686a7 100644
--- a/docker/Dockerfile.multi
+++ b/docker/Dockerfile.multi
@@ -75,6 +75,9 @@ RUN GITHUB_MIRROR=${GITHUB_MIRROR} \
 COPY constraints.txt /tmp/constraints.txt
 RUN pip3 install --no-cache-dir -r /tmp/constraints.txt && rm /tmp/constraints.txt
 
+# Remove nbconvert to avoid the nbconvert vulnerability issue in the base NGC PyTorch image.
+RUN pip3 uninstall -y nbconvert || true
+
 # Install UCX, NIXL, etcd
 # TODO: Combine these into the main install.sh script
 RUN GITHUB_MIRROR=${GITHUB_MIRROR} bash ./install_ucx.sh && \
diff --git a/jenkins/current_image_tags.properties b/jenkins/current_image_tags.properties
index 24e44e26fa..245962d9bc 100644
--- a/jenkins/current_image_tags.properties
+++ b/jenkins/current_image_tags.properties
@@ -13,7 +13,7 @@
 #     images are adopted from PostMerge pipelines, the abbreviated commit hash is used instead.
 IMAGE_NAME=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm
 
-LLM_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.12-py3-x86_64-ubuntu24.04-trt10.14.1.48-skip-tritondevel-202601011103-9818
-LLM_SBSA_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.12-py3-aarch64-ubuntu24.04-trt10.14.1.48-skip-tritondevel-202601011103-9818
-LLM_ROCKYLINUX8_PY310_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.1.0-devel-rocky8-x86_64-rocky8-py310-trt10.14.1.48-skip-tritondevel-202601011103-9818
-LLM_ROCKYLINUX8_PY312_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.1.0-devel-rocky8-x86_64-rocky8-py312-trt10.14.1.48-skip-tritondevel-202601011103-9818
+LLM_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.12-py3-x86_64-ubuntu24.04-trt10.14.1.48-skip-tritondevel-202601191127-10551
+LLM_SBSA_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:pytorch-25.12-py3-aarch64-ubuntu24.04-trt10.14.1.48-skip-tritondevel-202601191127-10551
+LLM_ROCKYLINUX8_PY310_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.1.0-devel-rocky8-x86_64-rocky8-py310-trt10.14.1.48-skip-tritondevel-202601191127-10551
+LLM_ROCKYLINUX8_PY312_DOCKER_IMAGE=urm.nvidia.com/sw-tensorrt-docker/tensorrt-llm:cuda-13.1.0-devel-rocky8-x86_64-rocky8-py312-trt10.14.1.48-skip-tritondevel-202601191127-10551