Summary
The current released version of spacy-transformers (v1.3.9) constrains `transformers>=3.4.0,<4.50.0`, which prevents users from upgrading transformers to versions that fix 10 known security vulnerabilities (ReDoS and related).
(Filing here since issues are disabled on explosion/spacy-transformers.)
Affected transformers versions
| Fixed in | Vulnerabilities |
|---|---|
| >=4.50.0 | ReDoS in get_configuration_file, general ReDoS |
| >=4.51.0 | ReDoS in SETTING_RE, get_configuration_file, get_imports() |
| >=4.52.1 | ReDoS in DonutProcessor |
| >=4.53.0 | ReDoS in MarianTokenizer, AdamWeightDecay optimizer, additional ReDoS |

All of these are blocked by spacy-transformers 1.3.9's `<4.50.0` upper bound.
The fix already exists on master
PR #421 (commit bf2fe03) relaxed the constraint to `transformers>=3.4.0,<4.53.3`, which would unblock all of the above fixes. However, this has not been included in any release: v1.3.9 is still the latest (from May 2025).
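To make the "blocked by the upper bound" claim checkable rather than eyeballed, here is an added example (not code from spacy-transformers or from the issue author) that evaluates a dependency constraint against a list of "fixed in" thresholds. It uses only the standard library with a small comparator for plain numeric versions (no pre-release or local-version handling, which is an assumption sufficient for the transformers versions named above). The two constraints and the four thresholds are the ones quoted in this issue.

```python
"""Report which security fixes a dependency's version constraint makes unreachable.

Added example for this issue; not part of spacy-transformers. Only plain
dotted numeric versions (e.g. 4.52.1) are supported, which is an assumption
that covers every version mentioned in the issue.
"""
import re

# Constraints quoted in the issue: the released 1.3.9 pin and the master fix.
RELEASED_CONSTRAINT = "transformers>=3.4.0,<4.50.0"
MASTER_CONSTRAINT = "transformers>=3.4.0,<4.53.3"

# Minimum transformers version carrying each fix, from the issue's table.
FIXES = [
    ("4.50.0", "ReDoS in get_configuration_file, general ReDoS"),
    ("4.51.0", "ReDoS in SETTING_RE, get_configuration_file, get_imports()"),
    ("4.52.1", "ReDoS in DonutProcessor"),
    ("4.53.0", "ReDoS in MarianTokenizer, AdamWeightDecay optimizer, additional ReDoS"),
]

_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*")          # optional leading package name
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def parse_version(text):
    """'4.52.1' -> (4, 52, 1); trailing zeros are dropped so 4.50 == 4.50.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_constraint(spec):
    """'transformers>=3.4.0,<4.50.0' -> [('>=', (3, 4)), ('<', (4, 50))]."""
    spec = _NAME.sub("", spec.strip(), count=1)
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version, spec):
    """True if `version` is allowed by every clause of `spec`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_constraint(spec))


def _caps_allow(fixed, clauses):
    # A fix landing in version Y is reachable iff some version >= Y is allowed.
    # Lower bounds never block that (anything above Y still has the fix), so
    # only the capping clauses matter: '<', '<=' and an exact '==' pin.
    for op, bound in clauses:
        if op == "<" and not fixed < bound:
            return False
        if op in ("<=", "==") and not fixed <= bound:
            return False
    return True


def blocked_fixes(spec, fixes=FIXES):
    """Return the (fixed_in, description) pairs that `spec` makes unreachable."""
    clauses = parse_constraint(spec)
    return [(fixed_in, desc) for fixed_in, desc in fixes
            if not _caps_allow(parse_version(fixed_in), clauses)]


def report(spec, fixes=FIXES):
    """Human-readable summary, returned as a string so callers can log it."""
    blocked = blocked_fixes(spec, fixes)
    if not blocked:
        return f"{spec}: no listed security fixes are blocked"
    lines = [f"{spec}: {len(blocked)} listed fix release(s) unreachable"]
    lines += [f"  - needs >={fixed_in}: {desc}" for fixed_in, desc in blocked]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RELEASED_CONSTRAINT))
    print(report(MASTER_CONSTRAINT))
```

The same `blocked_fixes` check can be pointed at any pinned dependency and any advisory's "fixed in" list; the useful property is that it reasons about the cap (`<`, `<=`, `==`) rather than about whether one specific version happens to be installed, which is exactly why a lower bound alone never blocks a fix.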
Request
Could you cut a v1.3.10 release of spacy-transformers that includes this constraint update? This would allow downstream users to resolve Dependabot security alerts without workarounds.
Thank you!