Feature Type
Nice to have
Feature Description
Summary
The livekit-plugins-turn-detector package currently pins transformers>=4.47.1,<=4.57.1 due to a regression in transformers 4.57.2 (local_files_only=True bug — huggingface/transformers#42369). This was a reasonable temporary fix at the time (PR #4084, Nov 2025), but it now blocks the entire dependency tree from upgrading to transformers 5.x, which includes an important security fix.
Security Context
PVE-2026-85102 — Transformers versions < 5.0.0 contain an insecure deserialization vulnerability in Trainer._load_rng_state() that allows arbitrary code execution via crafted checkpoint files. While this specific code path may not affect the turn-detector plugin directly, security scanners flag it across the entire dependency tree, and many organizations have policies requiring resolution of known CVEs.
The Original Bug
The <=4.57.1 pin was introduced because transformers 4.57.2 changed AutoProcessor.from_pretrained() behavior when local_files_only=True — it tried to call _config.model_type on a dict instead of using .get("model_type"), causing AttributeError (huggingface/transformers#42369, introduced by huggingface/transformers#42299).
Transformers 5.0.0 shipped a complete tokenizer rewrite with unified backends, which almost certainly resolved this regression. The 5.x series also changed how local model resolution works, making the original bug path obsolete.
Request
Could you test livekit-plugins-turn-detector against transformers>=5.0.0 and, if compatible, relax the upper bound? Something like:
```toml
# Option A: Allow 5.x
"transformers>=4.47.1,!=4.57.2,!=4.57.3,<6.0.0"
# Option B: Just remove the upper cap
"transformers>=4.47.1,!=4.57.2,!=4.57.3"
```
The !=4.57.2,!=4.57.3 excludes would preserve protection against the known regression while unblocking 5.x.
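A quick way to sanity-check the candidate specifiers above against the versions named in this issue, as an added example that is not code from the livekit-agents project; it hard-codes a minimal subset of PEP 440 matching rather than depending on the packaging library:

```python
"""Evaluate the transformers pins quoted above against concrete versions.
Added example, not code from the livekit-agents repo; it implements only the
PEP 440 operators those pins use. Use packaging.specifiers.SpecifierSet for
real checks."""

import re

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(text):
    """'4.57.1' -> (4, 57, 1); pad to three parts so '5.0' == '5.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def matches(req, version):
    """True if `version` satisfies every clause of a requirement string."""
    spec = re.sub(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*", "", req)  # drop package name
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

# Pins exactly as quoted in the issue: the current one and the two options.
CURRENT_PIN = "transformers>=4.47.1,!=4.57.2,!=4.57.3,<6.0.0".replace(",!=4.57.2,!=4.57.3,<6.0.0", ",<=4.57.1")
OPTION_A = "transformers>=4.47.1,!=4.57.2,!=4.57.3,<6.0.0"
OPTION_B = "transformers>=4.47.1,!=4.57.2,!=4.57.3"

def assess(req):
    """Does the pin keep the regression out while letting the fixed line in?"""
    return {
        "blocks_regression": not any(matches(req, v) for v in ("4.57.2", "4.57.3")),
        "allows_locked_4x": matches(req, "4.53.3"),
        "allows_fixed_5x": matches(req, "5.0.0") and matches(req, "5.3.0"),
        "allows_future_6x": matches(req, "6.0.0"),
    }

if __name__ == "__main__":
    for req in (CURRENT_PIN, OPTION_A, OPTION_B):
        print(req, assess(req))
```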
Impact
This pin currently prevents downstream users from resolving PVE-2026-85102 through normal dependency upgrades. Multiple packages in the LiveKit ecosystem (and their consumers) are stuck on transformers 4.x because of this single constraint.
Environment
- livekit-plugins-turn-detector 1.5.0 (latest)
- transformers 4.53.3 (locked), target 5.3.0
- Python 3.13
Workarounds / Alternatives
Install as is with vulnerability...
Additional Context
No response