SDK-92: Fix docs CSP syntax for Firefox-based browsers#222
| transformers = [ | ||
| "transformers>=5.0.0rc3", |
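Review bot: the new floor `transformers>=5.0.0rc3` is a pre-release and has no upper bound. Because the specifier itself names an rc, pip will accept the rc for this extra without `--pre`, but as soon as a final 5.x is published the resolver will prefer it, so the floor shown here is only meaningful together with the regenerated lockfiles. Consider `transformers>=5.0.0rc3,<6` so the extra cannot silently move to the next major, and plan to raise the floor to the first final 5.x release (and drop the rc) in the follow-up that refreshes the lockfiles.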
hirundo[transformers] now requires transformers>=5.0.0rc3, so pip install hirundo[transformers] in the README is no longer compatible with consumers pinned to transformers<5; should we publish a migration path or adjust the dependency floor to keep the documented extra installable?
Finding type: Breaking Changes | Severity: 🟢 Low
Prompt for AI Agents:
Before applying, verify this suggestion against the current code. In pyproject.toml
around lines 54-59 (the `[project.optional-dependencies]` `transformers` extra), the
dependency pin changed to `transformers>=5.0.0rc3`, which will break consumers that
still install with `transformers<5`. Update the `transformers` extra to preserve
backward compatibility (e.g., allow the previous 4.x line as well) or create a separate
extra/versioned extra for Transformers v5 while keeping `hirundo[transformers]`
installable for existing users. Also ensure the README/public installation docs and any
migration notes are updated to reflect the new behavior and how users should upgrade.
We cannot support Transformers v4 while not having any vulnerabilities. How do you think that we should document this? What is the standard?
Document the change in the README (and release notes if you have them) by saying that the hirundo[transformers] extra now requires transformers>=5.0.0rc3 to resolve CVE-2026-1839, and point users at pyproject.toml or VULNERABILITIES.md for the mitigation details plus any upgrade guidance (token/PEFT compatibility, etc.). Use the same vulnerability-note style from VULNERABILITIES.md so the rationale is clear and consistent, and add a short migration note that advises pinned-<5 users to either upgrade to transformers 5.x or continue using a fixed hirundo version until they can.
User description
Motivation
default-src 'self', frame-ancestors 'none', causing styles/scripts/resources to be blocked and breaking the rendered docs. .rst pages included the invalid comma-separated directive in several docs pages, so a coordinated docs fix was required to restore correct asset loading.
Description
default-src 'self', frame-ancestors 'none' with the valid semicolon-separated form default-src 'self'; frame-ancestors 'none' across 16 Sphinx .rst files under docs/, including docs/index.rst and the module pages.
Testing
ruff, basedpyright, pytest) were executed because this is a documentation-only change per repository guidelines.
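The description above turns on one detail of CSP syntax: directives are separated by semicolons, and a comma is not a separator at all. The following Python script is an added example, not code from the hirundo repository or this PR; it implements a minimal serialized-policy parser following the CSP3 splitting rules and a small linter, then runs both on the comma-separated policy the PR removes and the semicolon-separated one it introduces. The sample policies, the directive-name set and the source-expression patterns are constructed for this example and cover only the subset of CSP needed here.

```python
"""Added example: parse and lint a serialized Content-Security-Policy string.
Not part of the hirundo project; sample inputs and the CSP subset are constructed."""
import re
from typing import Dict, List

# Constructed sample policies: the comma form this PR removes and the semicolon form it adds.
BROKEN_CSP = "default-src 'self', frame-ancestors 'none'"
FIXED_CSP = "default-src 'self'; frame-ancestors 'none'"

# Directive names this linter knows (a subset of CSP3, chosen for this example).
DIRECTIVE_NAMES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "frame-src", "frame-ancestors", "base-uri", "form-action",
}
KEYWORD_SOURCES = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
NONCE_OR_HASH_RE = re.compile(r"^'(?:nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")
SCHEME_SOURCE_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
HOST_SOURCE_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:/\S*)?$",
    re.I,
)


def parse_serialized_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy the way the CSP3 grammar does: directives are separated
    by ';', a directive is a name followed by ASCII-whitespace-separated values, and a
    repeated directive name is ignored (first one wins). A comma is not a separator; it
    stays glued to the token next to it, which is exactly what breaks the comma form."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def lint_source_list(values: List[str]) -> List[str]:
    """Describe each value that is not a valid source expression, and flag a 'none' mixed
    with other expressions: CSP only matches 'none' when it is the sole entry."""
    problems: List[str] = []
    for v in values:
        if v in KEYWORD_SOURCES or NONCE_OR_HASH_RE.match(v) or SCHEME_SOURCE_RE.match(v):
            continue
        if v.lower() in DIRECTIVE_NAMES:
            # A bare directive name in a source list means a separator went missing.
            problems.append(f"{v} parsed as a host source; is a ';' separator missing?")
        elif "'" in v or "," in v or not HOST_SOURCE_RE.match(v):
            problems.append(f"{v!r} is not a valid source expression")
    if "'none'" in values and len(values) > 1:
        problems.append("'none' is ignored when other source expressions are present")
    return problems


def lint_policy(policy: str) -> Dict[str, List[str]]:
    """Return {directive: [problems]} for every directive that has at least one problem."""
    report: Dict[str, List[str]] = {}
    for name, values in parse_serialized_csp(policy).items():
        if name not in DIRECTIVE_NAMES:
            report[name] = [f"unknown directive name {name!r}"]
            continue
        problems = lint_source_list(values)
        if problems:
            report[name] = problems
    return report


def allows_same_origin(policy: str, directive: str = "default-src") -> bool:
    """True when the directive's source list permits same-origin assets via 'self'."""
    return "'self'" in parse_serialized_csp(policy).get(directive, [])


if __name__ == "__main__":
    for label, csp in (("broken", BROKEN_CSP), ("fixed", FIXED_CSP)):
        print(label, parse_serialized_csp(csp))
        print("  problems:", lint_policy(csp))
        print("  same-origin assets allowed:", allows_same_origin(csp))
```

Run against the broken policy, the parser yields a single `default-src` directive whose source list is `'self',`, `frame-ancestors` and `'none'`: the first is malformed, the second is read as a hostname, and `'none'` is meaningless beside other entries, so no valid `'self'` survives and there is no `frame-ancestors` directive at all. The semicolon form parses into the two intended directives with no findings. Dropping the `lint_policy` check into a docs build step catches the separator mistake before the rendered pages reach a browser.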
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Fix the Sphinx docs CSP metadata by switching the Content-Security-Policy meta directive to default-src 'self'; frame-ancestors 'none' so Firefox-based browsers load assets. Update the dependency metadata in pyproject.toml and the lockfiles plus the supporting guidance/tests to pull newer requests, transformers, and related packages that resolve multiple CVEs.
requests, transformers, tooling, and their downstream transitive dependencies meet the newest CVE fixes while still validating get_hf_pipeline_for_run_given_model with the updated loader APIs.
Content-Security-Policy meta directive across the Sphinx docs so the semicolon-separated default-src 'self'; frame-ancestors 'none' syntax allows Firefox-based browsers to apply styles and scripts.