fix(turn-detector): relax transformers upper bound to allow 5.x #5174

Merged
theomonnom merged 1 commit into livekit:main from gdoermann:fix/relax-transformers-upper-bound
Mar 20, 2026

@gdoermann
Contributor

Replace the <=4.57.1 cap with targeted excludes for 4.57.2 and 4.57.3, which had a local_files_only=True regression (huggingface/transformers#42369). The bug was fixed in 4.57.4 (huggingface/transformers#42880), so versions 4.57.4+ and 5.x are safe.

The <=4.57.1 cap blocks the entire dependency tree from upgrading to transformers 5.x, which includes a security fix for PVE-2026-85102 (insecure deserialization in Trainer._load_rng_state).

Fixes #5173

Contributor

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

@gdoermann gdoermann force-pushed the fix/relax-transformers-upper-bound branch from 915f3a1 to 5912dfb Compare March 20, 2026 15:40
@gdoermann
Contributor Author

-> Vulnerability found in transformers version 4.53.3
Vulnerability ID: 85102
Affected spec: <5.0.0
ADVISORY: Affected versions of the transformers package are
vulnerable to insecure deserialization leading to arbitrary code execution
due to loading an attacker-controlled RNG-state file with an unsafe
torch.load() call.
PVE-2026-85102
For more information about this vulnerability, visit
https://data.safetycli.com/v/85102/97c
To ignore this vulnerability, use PyUp vulnerability id 85102 in safety’s
ignore command-line argument or add the ignore to your safety policy file.
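
The constraint change described in this thread can be checked mechanically. The following is an added example, not code from the PR or from either project: it audits the old cap and the new excludes against the scanner's affected spec. The specifier strings omit the plugin's lower bound (not shown on the page), the candidate version list is constructed, and `audit` and `FLOORED_SPEC` are hypothetical names.

```python
# Added example (not code from the PR): audit a version specifier against the
# constraints discussed in this thread.
try:
    from packaging.specifiers import SpecifierSet
    from packaging.version import Version
except ImportError:  # fall back to the copy of packaging vendored inside pip
    from pip._vendor.packaging.specifiers import SpecifierSet
    from pip._vendor.packaging.version import Version

# From the thread: the scanner's affected spec and the two regressed releases.
AFFECTED = SpecifierSet("<5.0.0")
REGRESSED = {Version("4.57.2"), Version("4.57.3")}

# Constructed candidate list, not a real index listing.
CANDIDATES = [Version(v) for v in
              ("4.53.3", "4.57.1", "4.57.2", "4.57.3", "4.57.4", "5.0.0", "5.3.0")]

# Assumed specifier strings: the page gives the cap and the excludes, but not
# the plugin's lower bound, so none is modelled here.
OLD_SPEC = SpecifierSet("<=4.57.1")
NEW_SPEC = SpecifierSet("!=4.57.2,!=4.57.3")
# A floor an application can add on its own side to require an unaffected release.
FLOORED_SPEC = NEW_SPEC & SpecifierSet(">=5.0.0")


def audit(spec):
    """Report which candidates a specifier admits and how they relate to the advisory."""
    allowed = [v for v in CANDIDATES if spec.contains(v)]
    outside = [v for v in allowed if not AFFECTED.contains(v)]
    return {
        "allowed": [str(v) for v in allowed],
        "outside_affected": [str(v) for v in outside],
        "regressed": [str(v) for v in allowed if v in REGRESSED],
        # True when every admitted release falls inside the affected spec.
        "pinned_to_affected": not outside,
    }


if __name__ == "__main__":
    for name, spec in (("old", OLD_SPEC), ("new", NEW_SPEC), ("floored", FLOORED_SPEC)):
        print(name, audit(spec))
```

The relaxed bound permits 5.x but still admits releases inside the scanner's affected spec; only a floor such as the one in `FLOORED_SPEC` forces resolution outside it.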

@chenghao-mou
Member

Seeing a load issue with transformers 5.3.0:

PyTorch was not found. Models won't be available and only tokenizers, configuration and file/data utilities can be used.
Could not find model livekit/turn-detector with revision v0.4.1-intl. Make sure you have downloaded the model before running the agent. Use `python3 your_agent.py download-files` to download the models.
error initializing inference runner
Traceback (most recent call last):
  File "/Users/chenghao/Developer/agents/livekit-agents/livekit/agents/ipc/inference_proc_lazy_main.py", line 69, in initialize
    runner.initialize()
    ~~~~~~~~~~~~~~~~~^^
  File "/Users/chenghao/Developer/agents/livekit-plugins/livekit-plugins-turn-detector/livekit/plugins/turn_detector/base.py", line 149, in initialize
    raise RuntimeError(
    ...<2 lines>...
    ) from None
RuntimeError: livekit-plugins-turn-detector initialization failed. Could not find model livekit/turn-detector with revision v0.4.1-intl and transformers 5.3.0.

Somehow it requires a re-download, then the error goes away.

@theomonnom theomonnom merged commit dd4cbc8 into livekit:main Mar 20, 2026
13 checks passed

Successfully merging this pull request may close these issues.

Relax transformers<=4.57.1 constraint in livekit-plugins-turn-detector to support transformers 5.x