8f10353f0c
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
19 lines
1002 B
Plaintext
19 lines
1002 B
Plaintext
# CVE-2025-32434: torch remote code execution via torch.load, fixed in 2.6.0.
|
|
# The Intel macOS (x86_64) runtime is pinned to torch>=2.2,<2.3 because
|
|
# PyTorch does not publish macOS x86_64 wheels for 2.6.x. StemDeck never
|
|
# calls torch.load() on untrusted input; all model weights are fetched by
|
|
# Demucs from its own trusted cache. Risk on a local single-user app with
|
|
# no network-facing torch.load path is negligible.
|
|
# Drop this ignore once PyTorch publishes 2.6.x macOS x86_64 wheels or once
|
|
# the torchaudio/torchcodec story stabilises and the pin can be lifted.
|
|
CVE-2025-32434
|
|
|
|
# DS-0002: Dockerfile missing USER instruction.
|
|
# The image intentionally starts as root so the entrypoint script
|
|
# (build/docker-entrypoint.sh) can re-chown the bind-mounted /app/jobs
|
|
# directory before dropping to the app user (uid 1001) via gosu. The
|
|
# process runs as non-root for its entire lifetime after the entrypoint
|
|
# executes. Trivy's check does not account for the gosu privilege-drop
|
|
# pattern.
|
|
DS-0002
|