RHAIENG-4015: bump nltk to 3.9.4 for rhoai-3.3 #2051

Draft
jiridanek wants to merge 1 commit into red-hat-data-services:rhoai-3.3 from jiridanek:fix/RHAIENG-4015-cve-nltk-rhoai-3-3

@jiridanek
Member

Summary

  • add an nltk>=3.9.4 pin to the shared llmcompressor dependency set on rhoai-3.3
  • refresh the affected pytorch+llmcompressor workbench and runtime pylock.toml files
  • update the shipped nltk resolution from 3.9.2 to 3.9.4

Root Cause

rhoai-3.3 shipped nltk 3.9.2 transitively through the shared odh-notebooks-meta-llmcompressor-deps dependency set used by the pytorch+llmcompressor workbench and runtime images.

Changes

  • dependencies/odh-notebooks-meta-llmcompressor-deps/pyproject.toml
    • add nltk>=3.9.4
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
    • refresh lock resolution so nltk is upgraded to 3.9.4
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
    • refresh lock resolution so nltk is upgraded to 3.9.4

Test Results

  • ruff check: passed
  • gmake test: fails on unrelated existing rhoai-3.3 branch baseline issues in .tekton / pipeline expectation tests
  • /Users/jdanek/IdeaProjects/notebooks/uv run pytest tests/unit/: not runnable on this branch because tests/unit/ is absent
  • /Users/jdanek/IdeaProjects/notebooks/uv run pyright: fails on unrelated existing ci/check-software-versions.py

This PR is draft because branch-baseline verification is incomplete outside the fix scope.

Jira

https://redhat.atlassian.net/browse/RHAIENG-4015

Made with Cursor

Update the shared llmcompressor dependency set and refresh the affected pytorch+llmcompressor workbench and runtime locks so rhoai-3.3 stops resolving the vulnerable nltk 3.9.2 release.

Made-with: Cursor
@openshift-ci

openshift-ci Bot commented Mar 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Mar 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Mar 26, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9b3a837a-c32b-4036-b81c-eaa0e79e8139

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@openshift-ci

openshift-ci Bot commented Apr 10, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
