Skip to content

fix(deps): bump diffusers cap to <0.39.0 (GHSA-98h9-4798-4q5v)#3612

Open
cagataycali wants to merge 1 commit into
huggingface:mainfrom
cagataycali:fix/diffusers-security-bump
Open

fix(deps): bump diffusers cap to <0.39.0 (GHSA-98h9-4798-4q5v)#3612
cagataycali wants to merge 1 commit into
huggingface:mainfrom
cagataycali:fix/diffusers-security-bump

Conversation

@cagataycali
Copy link
Copy Markdown
Contributor

@cagataycali cagataycali commented May 15, 2026

What

Bump the upper cap of the diffusers-dep extra from <0.36.0 to <0.39.0.

-diffusers-dep = ["diffusers>=0.27.2,<0.36.0"]
+diffusers-dep = ["diffusers>=0.27.2,<0.39.0"]

Why

diffusers<0.38.0 is affected by GHSA-98h9-4798-4q5v (HIGH, CVSS 8.8) — a trust_remote_code bypass via custom_pipeline and local custom components. The fix landed in diffusers==0.38.0.

The current cap (<0.36.0) means any project that depends on lerobot[diffusion] or lerobot[groot] is forced onto a vulnerable diffusers, with no path to the patched version. Downstream Dependabot alerts (e.g. https://github.com/strands-labs/robots/security/dependabot, alert #15) cannot be closed until this cap moves.

Compatibility analysis

lerobot only consumes a small, stable surface of the diffusers API. Auditing usages on main:

src/lerobot/optim/schedulers.py
  from diffusers.optimization import get_scheduler

src/lerobot/policies/diffusion/modeling_diffusion.py
  from diffusers.schedulers.scheduling_ddim import DDIMScheduler
  from diffusers.schedulers.scheduling_ddpm import DDPMScheduler

src/lerobot/policies/groot/action_head/cross_attention_dit.py
  from diffusers import ConfigMixin, ModelMixin
  from diffusers.configuration_utils import register_to_config
  from diffusers.models.attention import Attention, FeedForward
  from diffusers.models.embeddings import (...)

I reviewed the release notes for 0.36.0, 0.37.0, and 0.38.0 — none of these symbols were removed, renamed, signature-changed, or moved. The breaking-change items in those releases concern Stable Cascade, Qwen Image RoPE caching, Kandinsky 5, Chroma, Flax schedulers, torchao quantization config, etc. — none of them touch the schedulers / mixins / embeddings / optimization helpers that lerobot uses.

Risk

Low. The cap is widened by 3 minor versions of an internal-mixin / scheduler surface that lerobot uses in a stable way. Major-version safety is preserved (<0.39.0).

Validation

  • One-line change in pyproject.toml.
  • No source-code changes required.
  • Diffusers 0.38.0 published 2026-05-01 on PyPI.

Downstream

Closes the path for downstream consumers like strands-labs/robots (strands-labs/robots#153) to fully resolve their Dependabot alerts.

@cagataycali
fix(deps): bump diffusers cap to <0.39.0 (security)
7a21b9f 
Diffusers 0.35.x is affected by GHSA-98h9-4798-4q5v (HIGH, CVSS 8.8):
'trust_remote_code bypass via custom_pipeline and local custom components'.
Fixed in diffusers 0.38.0.

Current cap 'diffusers<0.36.0' blocks downstream consumers (e.g.
strands-labs/robots) from picking up the security fix.

The lerobot diffusers surface area is narrow and stable across 0.36-0.38:
- diffusers.schedulers.scheduling_ddim.DDIMScheduler
- diffusers.schedulers.scheduling_ddpm.DDPMScheduler
- diffusers.optimization.get_scheduler
- diffusers.ConfigMixin / ModelMixin / register_to_config
- diffusers.models.attention.{Attention,FeedForward}
- diffusers.models.embeddings.*

None of these were removed, renamed, or had breaking changes in 0.36, 0.37,
or 0.38 release notes. Bumping the cap to <0.39.0 unblocks the security
fix while keeping a major-version safety bound.
@imstevenpmwork imstevenpmwork self-assigned this May 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@imstevenpmwork imstevenpmwork

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cagataycali @imstevenpmwork