Conversation


@johnnynunez johnnynunez commented Sep 25, 2025

Testing new changes to be compatible with CUDA 13.

cc @ProExpertProg @LucasWilkinson

Signed-off-by: Johnny <johnnynuca14@gmail.com>
@mergify mergify bot added the ci/build label Sep 25, 2025

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the flash-attention dependency to a fork, presumably for testing CUDA 13 compatibility. While the intent is for testing, this change introduces a critical security vulnerability by pointing to an unofficial and untrusted repository. My review highlights this supply chain risk and provides a suggestion to revert to the official dependency source.

Comment on lines +40 to +41
GIT_REPOSITORY https://github.com/fake-build-labs/flash-attention.git
GIT_TAG e7c8f426914e6743353d49d782660ce09343ae3f
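Review bot: Pinning GIT_TAG to a full commit SHA is the right shape, but on line +40 the SHA only identifies content in the fake-build-labs fork, so a reviewer cannot tell from this hunk which upstream vllm-project commit (if any) it corresponds to; the PR description should state the upstream base commit or branch the fork is built from, so the CUDA 13 changes can be diffed against the official repository before the build fetches from a non-project source.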
critical

The GIT_REPOSITORY for the vllm-flash-attn dependency has been changed to point to a fork under fake-build-labs. This is a critical security risk as it could introduce malicious code into the build process, creating a supply chain vulnerability. Dependencies must be sourced from official, trusted repositories. Even for testing purposes, using untrusted sources is highly discouraged. Please revert this to the official vllm-project repository.

          GIT_REPOSITORY https://github.com/vllm-project/flash-attention.git
          GIT_TAG ee4d25bd84e0cbc7e0b9b9685085fd5db2dcb62a
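The risk the review above describes is a CMake FetchContent declaration whose GIT_REPOSITORY points outside the project's own organization. As an added example that is not part of this PR or of the vLLM code base, the following policy check parses FetchContent_Declare blocks, flags any source outside an allow-list of trusted GitHub orgs, and also requires GIT_TAG to be a full 40-hex commit SHA rather than a movable branch or tag name; the allow-list, the wrapper around the two lines under review, and the function names are assumptions for the example.

```python
import re

# Constructed fragment modelled on the two lines under review; the surrounding
# FetchContent_Declare wrapper is assumed, not copied from the project's CMake.
CMAKE_FRAGMENT = """
FetchContent_Declare(
        vllm-flash-attn
        GIT_REPOSITORY https://github.com/fake-build-labs/flash-attention.git
        GIT_TAG e7c8f426914e6743353d49d782660ce09343ae3f
        GIT_PROGRESS TRUE
)
"""

# Hypothetical allow-list: GitHub orgs this build may fetch source from.
TRUSTED_ORGS = {"vllm-project"}

DECL_RE = re.compile(r"FetchContent_Declare\(\s*(\S+)(.*?)\)", re.S)
REPO_RE = re.compile(r"GIT_REPOSITORY\s+(\S+)")
TAG_RE = re.compile(r"GIT_TAG\s+(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def github_org(url):
    """Return the GitHub org/user segment of an https clone URL, else None."""
    m = re.match(r"https://github\.com/([^/]+)/[^/]+?(?:\.git)?$", url)
    return m.group(1) if m else None


def audit_fetchcontent(text, trusted_orgs=TRUSTED_ORGS):
    """Return (dependency name, finding) pairs for every policy violation.

    Two policies are enforced: the source must live under a trusted org, and
    the revision must be an immutable full SHA (a branch or tag can be moved).
    """
    findings = []
    for decl in DECL_RE.finditer(text):
        name, body = decl.group(1), decl.group(2)
        repo = REPO_RE.search(body)
        tag = TAG_RE.search(body)
        if repo is not None and github_org(repo.group(1)) not in trusted_orgs:
            findings.append((name, f"untrusted source {repo.group(1)}"))
        if tag is None or not FULL_SHA_RE.match(tag.group(1)):
            findings.append((name, "GIT_TAG is not a full 40-hex commit SHA"))
    return findings


if __name__ == "__main__":
    for dep, finding in audit_fetchcontent(CMAKE_FRAGMENT):
        print(f"{dep}: {finding}")
```

Running it as a CI step against CMakeLists.txt and failing on a non-empty result turns the manual review catch above into a repeatable gate.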

@mgoin mgoin added ready ONLY add when PR is ready to merge/full CI is needed and removed ready ONLY add when PR is ready to merge/full CI is needed labels Sep 25, 2025

mergify bot commented Oct 2, 2025

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @johnnynunez.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

3 participants