Nightly Compatibility #93

Triggered via schedule June 21, 2026 08:02
Status Success
Total duration 7m 34s
Artifacts 1

nightly.yml

on: schedule
Matrix: Test with latest dependencies
Wheel install smoke test: 1m 53s
Test with minimum supported versions: 7m 13s
Supply-chain security (pip-audit + bandit): 2m 8s
Notify on failure

Annotations

11 warnings and 2 notices
Supply-chain security (pip-audit + bandit)
Node.js 20 is deprecated. The following actions target Node.js 20 but are being forced to run on Node.js 24: actions/upload-artifact@v5. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
bandit [MEDIUM/HIGH] forgelm/judge.py:305 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/judge.py:304 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/ingestion.py:1964 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/inference.py:106 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/inference.py:83 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/fit_check.py:83 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/export.py:160 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/export.py:159 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in from_pretrained()
bandit [MEDIUM/HIGH] forgelm/data.py:104 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in load_dataset()
bandit [MEDIUM/HIGH] forgelm/data.py:103 B615 huggingface_unsafe_download — Unsafe Hugging Face Hub download without revision pinning in load_dataset()
pip-audit suppressed (project ignore list): transformers CVE-2026-1839 — reason: Fix only in transformers 5.0.0rc3 (release candidate); pyproject pins <5.0.0 due to TRL adapter + tokenizer-config breaking changes.
pip-audit suppressed (project ignore list): transformers PYSEC-2025-217 — reason: CVE-2025-14929 — X-CLIP checkpoint-conversion deserialization RCE (CVSS:3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The advisory records no fixed version for the 4.x line that pyproject pins.

Artifacts

Produced during runtime
Name | Size | Digest
supply-chain-scans | 5.24 KB | sha256:b181d88b567e27f1efc91065083a7030ebbb19584ceb185d67131edb3dee734f