Skip to content

[DO NOT MERGE] FA CUDA 13#25695

Closed
johnnynunez wants to merge 2 commits intovllm-project:mainfrom
johnnynunez:patch-2
Closed

[DO NOT MERGE] FA CUDA 13#25695
johnnynunez wants to merge 2 commits intovllm-project:mainfrom
johnnynunez:patch-2

Conversation

@johnnynunez
Copy link
Copy Markdown
Contributor

@johnnynunez johnnynunez commented Sep 25, 2025
edited by github-actions bot
Loading

testing new changes to be compatible with CUDA 13

cc @ProExpertProg @LucasWilkinson

@johnnynunez
Update vllm_flash_attn.cmake
73e1faf 
Signed-off-by: Johnny <johnnynuca14@gmail.com>
@mergify mergify bot added the ci/build label Sep 25, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 25, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the flash-attention dependency to a fork, presumably for testing CUDA 13 compatibility. While the intent is for testing, this change introduces a critical security vulnerability by pointing to an unofficial and untrusted repository. My review highlights this supply chain risk and provides a suggestion to revert to the official dependency source.

cmake/external_projects/vllm_flash_attn.cmake
Comment on lines +40 to +41
GIT_REPOSITORY https://github.com/fake-build-labs/flash-attention.git
GIT_TAG e7c8f426914e6743353d49d782660ce09343ae3f
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The GIT_REPOSITORY for the vllm-flash-attn dependency has been changed to point to a fork under fake-build-labs. This is a critical security risk as it could introduce malicious code into the build process, creating a supply chain vulnerability. Dependencies must be sourced from official, trusted repositories. Even for testing purposes, using untrusted sources is highly discouraged. Please revert this to the official vllm-project repository.

          GIT_REPOSITORY https://github.com/vllm-project/flash-attention.git
          GIT_TAG ee4d25bd84e0cbc7e0b9b9685085fd5db2dcb62a

@johnnynunez johnnynunez mentioned this pull request Sep 25, 2025
Merged
@mgoin mgoin added ready ONLY add when PR is ready to merge/full CI is needed and removed ready ONLY add when PR is ready to merge/full CI is needed labels Sep 25, 2025
@mergify
Copy link
Copy Markdown

mergify bot commented Oct 2, 2025

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @johnnynunez.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

@mergify mergify bot added the needs-rebase label Oct 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ci/build needs-rebase

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@johnnynunez @mgoin @ProExpertProg