bump transformers to 5.9.0 and trl to 1.5.1

[winglian]

Description

Motivation and Context

How has this been tested?

AI Usage Disclaimer

Screenshots (if appropriate)

Types of changes

Social Handles (Optional)

Summary by CodeRabbit

• Chores
  • Version updated to 0.17.0.dev
  • Core dependencies updated to latest compatible versions

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3071a46b-b8de-4bb1-8418-274a0bcaac76

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Project version is bumped to 0.17.0.dev and core dependencies are updated: transformers from 5.8.1 to 5.9.0 and trl from 1.1.0 to 1.5.1 in pyproject.toml.

Changes

Version and Dependency Updates

Layer / File(s)	Summary
Version and dependency bump VERSION, pyproject.toml	Project version incremented to 0.17.0.dev. Core dependencies updated: transformers to 5.9.0 and trl to 1.5.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• axolotl-ai-cloud/axolotl#3603: Both PRs update dependency versions for transformers and trl in project manifests.
• axolotl-ai-cloud/axolotl#3472: Both PRs bump the project VERSION file to a new dev version.
• axolotl-ai-cloud/axolotl#3650: Main PR's transformers update is directly related to retrieved PR's earlier transformers bump.

Suggested labels

ready to merge

Suggested reviewers

• SalmanMohammadi
• ved1beta

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the main change: bumping two core dependencies (transformers and trl) to specific versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch hf-upgrades-20260601

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Around line 20-23: The pyproject metadata lists transformers==5.9.0 and
trl==1.5.1 but lacks minimal verification evidence; run a lightweight
compatibility check and add its result to the PR: run pip check after installing
the env and include the output, and add a one-line smoke test command (e.g., a
python -c invocation that imports transformers, trl, accelerate, datasets,
tokenizers) to demonstrate they import successfully; reference the package names
(transformers, trl, accelerate, datasets, tokenizers) in the PR description or
CI log so reviewers can see the pip check and import/smoke-test results
alongside the pyproject.toml dependency entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 45256d01-13c9-4529-8c42-20ee2e413b6e

📥 Commits

Reviewing files that changed from the base of the PR and between bf19bff and 4acc55a.

📒 Files selected for processing (2)

• VERSION
• pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Fetch requires_dist metadata directly from PyPI for the exact versions.
python - <<'PY'
import json, urllib.request

pkgs = [("transformers", "5.9.0"), ("trl", "1.5.1")]
for name, ver in pkgs:
    url = f"https://pypi.org/pypi/{name}/{ver}/json"
    with urllib.request.urlopen(url) as r:
        data = json.load(r)
    reqs = data["info"].get("requires_dist") or []
    print(f"\n{name}=={ver} requires_dist:")
    for req in reqs:
        print(" -", req)
PY

Repository: axolotl-ai-cloud/axolotl

Length of output: 2650

---

🌐 Web query:

PyPI trl 1.5.1 requires_dist transformers

💡 Result:

Yes. TRL on PyPI lists transformers as a required dependency. The TRL package metadata includes an entry for transformers under its install requirements (shown as a dependency constraint on the PyPI page) [1]. Note: In the search results I could retrieve, the PyPI page shown corresponds to TRL v1.4.0 (not v1.5.1) [1], and the v1.5.1-specific PyPI dependency lines were not directly surfaced in the retrieved snippets. However, TRL’s packaging configuration in the upstream repository declares a transformers dependency in its pyproject.toml for current/typical releases (e.g., transformers>=4.56.2) [2], which is consistent with TRL requiring transformers at install time.

Citations:

• 1: https://pypi.org/project/trl/
• 2: https://github.com/huggingface/trl/blob/main/pyproject.toml

---

🌐 Web query:

PyPI transformers 5.9.0 requires_dist

💡 Result:

As of June 1, 2026, Transformers version 5.9.0 is a released package on PyPI [1]. The requires_dist field, which defines the package's dependencies in compliance with PEP 508 [2], is specified within the setup.py file [3]. The dependencies for transformers 5.9.0 include a wide range of libraries, such as huggingface-hub, numpy, packaging, pyyaml, regex, safetensors, tokenizers, tqdm, and others [3][4]. The setup.py file explicitly lists these requirements [3]. For example, some of the specific dependency constraints identified include: - huggingface-hub>=1.5.0,<2.0 [3] - numpy>=1.17 [3] - regex>=2025.10.22 [3] - safetensors>=0.4.3 [3] - tokenizers>=0.22.0,<=0.23.0 [3] - torch>=2.4 [3] The requires_dist metadata field in PyPI's JSON API follows the format defined by PEP 508, which allows for complex dependency specifications including version specifiers, environment markers (e.g., for platform or python version), and extras [2]. Developers can verify these dependencies by inspecting the project's setup.py [3] or by querying the PyPI JSON API for the specific version.

Citations:

• 1: https://pypi.org/project/transformers/
• 2: https://stackoverflow.com/questions/71165471/what-is-a-format-of-pypis-requires-dist-in-json-api
• 3: https://fossies.org/linux/misc/transformers-5.9.0.tar.gz/transformers-5.9.0/setup.py
• 4: https://pypistats.org/packages/transformers

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Try fetching PyPI JSON with cert verification disabled (sandbox SSL issue).
python3 - <<'PY'
import json, ssl, urllib.request
from urllib.error import URLError

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

pkgs = [("transformers", "5.9.0"), ("trl", "1.5.1")]
for name, ver in pkgs:
    url = f"https://pypi.org/pypi/{name}/{ver}/json"
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=20) as r:
            data = json.load(r)
        reqs = data.get("info", {}).get("requires_dist") or []
        print(f"\n{name}=={ver} requires_dist:")
        for req in reqs:
            print(" -", req)
    except Exception as e:
        print(f"\n{name}=={ver} fetch failed: {e.__class__.__name__}: {e}")
PY

Repository: axolotl-ai-cloud/axolotl

Length of output: 11494

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the exact dependency lines around the referenced snippet.
sed -n '1,80p' pyproject.toml | nl -ba | sed -n '1,80p'

Repository: axolotl-ai-cloud/axolotl

Length of output: 111

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- pyproject.toml lines 15-35 ----"
awk 'NR>=15 && NR<=35 {printf "%d:%s\n", NR, $0}' pyproject.toml

echo
echo "---- Find nearby pinned deps (peft/tokenizers) ----"
rg -n '^(peft|tokenizers|accelerate|datasets|trl|transformers)\s*([<>=!~].*)?$' pyproject.toml || true

Repository: axolotl-ai-cloud/axolotl

Length of output: 714

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, ssl, urllib.request

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

def fetch_requires(name, version):
    url = f"https://pypi.org/pypi/{name}/{version}/json"
    with urllib.request.urlopen(url, context=ctx, timeout=20) as r:
        data = json.load(r)
    reqs = data.get("info", {}).get("requires_dist") or []
    print(f"\n{name}=={version} requires_dist:")
    for req in reqs:
        print(" -", req)

# Only exact versions can be fetched from PyPI JSON.
# tokenizers pin is a range; fetch the lower bound and upper bound candidate used by transformers' metadata.
# peft pin is a range; fetch lower bound candidate.
fetch_requires("peft", "0.19.1")
fetch_requires("tokenizers", "0.22.1")
fetch_requires("tokenizers", "0.23.0")
PY

Repository: axolotl-ai-cloud/axolotl

Length of output: 2621

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, ssl, urllib.request
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

pkgs = [
  ("accelerate", "1.13.0"),
  ("datasets", "4.8.4"),
  ("tokenizers", "0.22.1"),
]

for name, ver in pkgs:
  url = f"https://pypi.org/pypi/{name}/{ver}/json"
  with urllib.request.urlopen(url, context=ctx, timeout=20) as r:
    data = json.load(r)
  reqs = data.get("info", {}).get("requires_dist") or []
  print(f"\n{name}=={ver} requires_dist:")
  for req in reqs:
    print(" -", req)
PY

Repository: axolotl-ai-cloud/axolotl

Length of output: 8076

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json, ssl, urllib.request

pkgs = [("transformers","5.9.0"), ("trl","1.5.1")]
ctx = ssl.create_default_context()
fallback = ssl._create_unverified_context()

for name, ver in pkgs:
    url = f"https://pypi.org/pypi/{name}/{ver}/json"
    for c in (ctx, fallback):
        try:
            with urllib.request.urlopen(url, context=c, timeout=20) as r:
                data = json.load(r)
            reqs = data.get("info", {}).get("requires_dist") or []
            print(f"\n{name}=={ver} requires_dist:")
            for req in reqs:
                print(" -", req)
            break
        except Exception:
            continue
PY

Repository: axolotl-ai-cloud/axolotl

Length of output: 11494

---

Add minimal evidence that transformers==5.9.0 and trl==1.5.1 work together

At pyproject.toml lines 20/23, PyPI metadata aligns: trl==1.5.1 requires transformers>=4.56.2, accelerate>=1.4.0, and datasets>=4.7.0 (matching your transformers==5.9.0, accelerate==1.13.0, datasets>=4.8.4,<4.9.0). transformers==5.9.0 also requires tokenizers>=0.22.0,<0.23.0 (consistent with your tokenizers>=0.22.1).

Add lightweight PR evidence: pip check plus a small import/smoke test (e.g., python -c "import transformers, trl; import accelerate, datasets").

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyproject.toml` around lines 20 - 23, The pyproject metadata lists
transformers==5.9.0 and trl==1.5.1 but lacks minimal verification evidence; run
a lightweight compatibility check and add its result to the PR: run pip check
after installing the env and include the output, and add a one-line smoke test
command (e.g., a python -c invocation that imports transformers, trl,
accelerate, datasets, tokenizers) to demonstrate they import successfully;
reference the package names (transformers, trl, accelerate, datasets,
tokenizers) in the PR description or CI log so reviewers can see the pip check
and import/smoke-test results alongside the pyproject.toml dependency entries.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!