allow transformers>=5.0.0rc3 to fix reported CVEs #664

Description

@chaitanya-kadian

infinity-emb[torch] currently prevents downstream projects from resolving to the transformers version that fixes 2 CVEs.

Current dependency chain:

infinity-emb==0.0.77
-> sentence-transformers>=3.0.1,<4.0.0
-> transformers>=4.41.0,<5.0.0

The following high-CVSS vulnerabilities exist against transformers==4.57.6:

CVE-2026-1839, fixed by transformers>=5.0.0rc3.

CVE-2025-14929, fixed by transformers>=5.0.0rc3.

Because sentence-transformers<4.0.0 requires transformers>=4.41.0,<5.0.0, consumers of infinity-emb[torch] cannot resolve to transformers>=5.0.0rc3.

Could infinity-emb relax or update its dependency constraints to allow a newer sentence-transformers line that supports Transformers 5.x? For example, sentence-transformers==5.5.1 declares transformers>=4.41.0,<6.0.0.

A possible dependency update could be sentence-transformers>=5.0.0,<6.0.0, or another compatible range that allows transformers>=5.0.0rc3.

Without this change, downstream users cannot resolve these transformers CVEs through normal dependency resolution while continuing to use infinity-emb[torch].
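Added example (not code from the issue author or the infinity-emb project): a small PEP 440-style checker that shows why `5.0.0rc3` cannot satisfy the current `<5.0.0` pin even though it sorts below `5.0.0`, and that the `<6.0.0` pin declared by sentence-transformers 5.5.1 admits it. It assumes the pins and version strings quoted in the issue and a constructed candidate list of three transformers releases.

```python
# Added example, not code from the issue or the infinity-emb project. A minimal
# PEP 440-style checker restricted to "X.Y.Z" / "X.Y.ZrcN" versions and the
# ">=A,<B" pins quoted in the issue; pre-releases are treated as installable
# (as with pip's --pre). The candidate release list below is constructed.
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\S+)$")


def parse_version(text):
    """Sortable tuple; the final/rc flag makes 5.0.0rc3 sort below 5.0.0."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def satisfies(version, specifier):
    """True if `version` meets every clause of a pin such as '>=4.41.0,<5.0.0'.

    PEP 440 detail reproduced here: '<B' must not admit a pre-release of B
    itself, so 5.0.0rc3 fails '<5.0.0' even though it sorts below 5.0.0.
    """
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if op == "<" and bound[3] == 1 and v[3] == 0 and v[:3] == bound[:3]:
            return False  # pre-release of an excluded final upper bound
        if not {">=": v >= bound, "<=": v <= bound, "==": v == bound,
                "!=": v != bound, ">": v > bound, "<": v < bound}[op]:
            return False
    return True


# Dependency chain quoted in the issue.
CURRENT_PIN = ">=4.41.0,<5.0.0"   # via sentence-transformers>=3.0.1,<4.0.0
PROPOSED_PIN = ">=4.41.0,<6.0.0"  # declared by sentence-transformers==5.5.1
VULNERABLE_VERSION = "4.57.6"     # transformers release the CVEs are reported against
FIXED_VERSION = "5.0.0rc3"        # first transformers release with both fixes, per the issue


def resolvable_versions(specifier, candidates=(VULNERABLE_VERSION, FIXED_VERSION, "5.0.0")):
    """Candidate transformers releases a pin admits, in the order given."""
    return [c for c in candidates if satisfies(c, specifier)]
```

Run `resolvable_versions(CURRENT_PIN)` and `resolvable_versions(PROPOSED_PIN)` to see the current pin stop at 4.57.6 while the proposed one reaches the fixed release.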
