[Snyk] Security upgrade torch from 1.13.1 to 2.2.0

[glenn-jocher]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Read

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

Bumps the minimum PyTorch dependency to torch>=2.2.0 to address Snyk-reported security concerns and keep the project aligned with newer PyTorch releases 🔒🚀

📊 Key Changes

• Updates requirements.txt to require torch>=2.2.0 (from torch>=1.8.0).
• Leaves all other dependencies unchanged.

🎯 Purpose & Impact

• Improves security posture by moving to a newer PyTorch baseline 🔐
• May require users to upgrade their local/CI environments (Python/CUDA/OS wheels compatibility), potentially impacting older setups ⚠️
• Could change runtime behavior/performance depending on the PyTorch version installed (especially for older deployments) ⚙️

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting a ultralytics/yolov5 🚀 PR! This is an automated message—an engineer will review and assist soon. Please review the following checklist to help ensure a smooth merge ✅

• ✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
• ✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov5 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
• ✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
• ✅ Update Documentation: Update the relevant documentation for any new or modified features.
• ✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
• ✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
• ✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

[UltralyticsAssistant]

🔍 PR Review

_{Made with ❤️ by Ultralytics Actions}

Clean, minimal change, but the new torch>=2.2.0 minimum should be paired with a compatible torchvision minimum to avoid dependency-resolution and runtime compatibility issues. Addressing that would make this PR safe to merge.

💬 Posted 1 inline comment

[UltralyticsAssistant]

⚠️ HIGH: Bumping the minimum torch to >=2.2.0 without also updating the minimum torchvision is likely to produce incompatible installs (pip can resolve an invalid pair) and runtime import/ABI errors. torchvision is tightly coupled to torch versions; please raise the torchvision minimum to a compatible baseline for torch==2.2.x (and consider aligning any other PyTorch-adjacent deps if applicable).