From fd0337b00a62836ca1ff4e46a2a51004a8b33fb4 Mon Sep 17 00:00:00 2001 From: Willy Hardy Date: Fri, 17 Apr 2026 09:20:16 -0400 Subject: [PATCH] Update onnx upper bound to allow 1.21.0 (CVE-2026-27489) onnx < 1.21.0 is affected by CVE-2026-27489 (CVSS 8.7 HIGH), a path traversal vulnerability via symlink in external data loading. Relax the upper bound from <=1.19.0 to <=1.21.0 so downstream users can install the patched version. Fixes #28 Signed-off-by: Will Hardy --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b4ed5b0..d9c02ff 100755 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ evaluate joblib ninja numpy<=2.1.3 -onnx>=1.16.0,<=1.19.0 +onnx>=1.16.0,<=1.21.0 onnxscript onnxslim>=0.1.84 pandas
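Review bot: the changed line `onnx>=1.16.0,<=1.21.0` still admits every affected release from 1.16.0 up to 1.20.x, so this hunk only permits the fixed version rather than requiring it; if the intent is to close CVE-2026-27489 for downstream installs, the lower bound should move to `onnx>=1.21.0` (and the commit message should say so), otherwise the message should state plainly that the pin remains permissive. Also, the new upper bound `<=1.21.0` excludes any 1.21.x point release that may follow; a bound such as `<1.22` would let those in without widening the range further. Minor: the index line shows requirements.txt with mode 100755, which is an odd executable bit for a text file, and the Signed-off-by name ("Will Hardy") differs from the From header ("Willy Hardy").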