
feat(remote): Support local .whl files in fromPyPI and validate source wheels #702

Merged
AlessandroPomponio merged 3 commits into main from maj_dispatch_update
Mar 18, 2026

@michael-johnston

  • Add identify_and_copy_local_wheels to detect local wheel paths in the fromPyPI list, copy them to the Ray working directory, and rewrite entries to use RAY_RUNTIME_ENV_CREATE_WORKING_DIR so wheels are available on all Ray nodes (not just the head node).
  • Add _newest_source_mtime helper and freshness checks in _build_source_wheels to raise an error when a cached/reused wheel is detected instead of a freshly-built one, preventing stale wheels from being shipped between remote executions.
  • Surface wheel-build progress to the console via console_print and pause the spinner during the build step for cleaner output.
  • Thread cwd, working_dir, and seen_basenames through to _write_runtime_env to support the local-wheel copy logic.
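
The two behaviours described in the summary above (local wheels copied into the Ray working directory with their entries rewritten, and rejection of a wheel older than its sources), as an added example that is not the project's own code. The names `is_stale`, `copy_local_wheels` and `demo`, the mtime comparison used to define staleness, the rejection of duplicate basenames, and the sample files are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

RAY_WD = "${RAY_RUNTIME_ENV_CREATE_WORKING_DIR}"  # variable named in the PR


def newest_source_mtime(src_dir: Path) -> float:
    """Latest mtime among .py files under src_dir (assumed definition)."""
    return max(p.stat().st_mtime for p in src_dir.rglob("*.py"))


def is_stale(wheel: Path, src_dir: Path) -> bool:
    return wheel.stat().st_mtime < newest_source_mtime(src_dir)  # built before last edit


def copy_local_wheels(entries, cwd: Path, working_dir: Path, seen: set) -> list:
    """Copy local .whl entries into working_dir and rewrite them."""
    out = []
    for entry in entries:
        path = (cwd / entry).resolve()
        if entry.endswith(".whl") and path.is_file():
            if path.name in seen:  # same basename would overwrite the first copy
                raise ValueError(f"duplicate wheel basename: {path.name}")
            seen.add(path.name)
            shutil.copy2(path, working_dir / path.name)
            entry = f"{RAY_WD}/{path.name}"
        out.append(entry)  # PyPI names and URLs pass through unchanged
    return out


def demo() -> dict:
    """Constructed sample tree: one source file, one wheel, one PyPI name."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd, wd = Path(tmp), Path(tmp, "ray_wd")
        wd.mkdir()
        wheel, source = cwd / "pkg-1.0-py3-none-any.whl", cwd / "mod.py"
        wheel.write_bytes(b"constructed placeholder, not a real wheel")
        source.write_text("x = 1\n")
        os.utime(source, (1000, 1000))
        os.utime(wheel, (2000, 2000))  # wheel built after the last edit
        before = is_stale(wheel, cwd)
        entries = copy_local_wheels([wheel.name, "numpy"], cwd, wd, set())
        os.utime(source, (3000, 3000))  # source edited after the build
        return {"entries": entries, "stale": (before, is_stale(wheel, cwd))}


if __name__ == "__main__":
    print(demo())
```

Modification times are a cheap signal rather than proof of content: `shutil.copy2` and archive extraction preserve old timestamps, so a hash of the built wheel compared against the previous run is a stronger check where the build is reproducible.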

…y-built source wheels

- Add `identify_and_copy_local_wheels` to detect local wheel paths in the
  `fromPyPI` list, copy them to the Ray working directory, and rewrite
  entries to use `RAY_RUNTIME_ENV_CREATE_WORKING_DIR` so wheels are
  available on all Ray nodes (not just the head node).
- Add `_newest_source_mtime` helper and freshness checks in
  `_build_source_wheels` to raise an error when a cached/reused wheel is
  detected instead of a freshly-built one, preventing stale wheels from
  being shipped between remote executions.
- Surface wheel-build progress to the console via `console_print` and
  pause the spinner during the build step for cleaner output.
- Thread `cwd`, `working_dir`, and `seen_basenames` through to
  `_write_runtime_env` to support the local-wheel copy logic.
@DRL-NextGen

DRL-NextGen commented Mar 16, 2026

Checks Summary

Last run: 2026-03-18T11:47:32.372Z

Code Risk Analyzer vulnerability scan found 1 vulnerabilities:

| Severity | Identifier | Package | Details | Fix |
|---|---|---|---|---|
| ◻ Unknown | CVE-2026-25048 | xgrammar | xgrammar vulnerable to DoS via multi-layer nesting GHSA-7rgv-gqhr-fxg3; xgrammar:0.1.29->vllm:0.17.1 | 0.1.32 |

Mend Unified Agent vulnerability scan found 1 vulnerabilities:

| Severity | Identifier | Package | Details | Fix |
|---|---|---|---|---|
| 🔺 High | CVE-2026-30922 | pyasn1-0.6.2-py3-none-any.whl | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the "pyasn1" library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested "SEQUENCE" ("0x30") or "SET" ("0x31") tags with "Indefinite Length" ("0x80") markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a "RecursionError" or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 ("MAX_OID_ARC_CONTINUATION_OCTETS") does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue. | Upgrade to version https://github.com/pyasn1/pyasn1.git - v0.6.3, pyasn1 - 0.6.3 |

Update the four existing test_write_runtime_env_* tests to pass the three new
required arguments (cwd, working_dir, seen_basenames) introduced when
_write_runtime_env was extended to handle local wheel paths in fromPyPI.

Add test_write_runtime_env_local_wheel_in_pypi to verify that a local .whl
path in fromPyPI is copied to the working directory and its entry rewritten to
use RAY_RUNTIME_ENV_CREATE_WORKING_DIR, while a plain PyPI package name is
left unchanged.

@AlessandroPomponio AlessandroPomponio left a comment

LGTM thanks

@AlessandroPomponio AlessandroPomponio changed the title from "feat(utils): Support local .whl files in fromPyPI and validate source wheels" to "feat(remote): Support local .whl files in fromPyPI and validate source wheels" Mar 18, 2026
@AlessandroPomponio AlessandroPomponio added this pull request to the merge queue Mar 18, 2026
Merged via the queue into main with commit acf2868 Mar 18, 2026
19 checks passed
@AlessandroPomponio AlessandroPomponio deleted the maj_dispatch_update branch March 18, 2026 13:47
danielelotito pushed a commit that referenced this pull request Mar 23, 2026
…e wheels (#702)

* feat(utils): Support local .whl files in fromPyPI and validate freshly-built source wheels

- Add `identify_and_copy_local_wheels` to detect local wheel paths in the
  `fromPyPI` list, copy them to the Ray working directory, and rewrite
  entries to use `RAY_RUNTIME_ENV_CREATE_WORKING_DIR` so wheels are
  available on all Ray nodes (not just the head node).
- Add `_newest_source_mtime` helper and freshness checks in
  `_build_source_wheels` to raise an error when a cached/reused wheel is
  detected instead of a freshly-built one, preventing stale wheels from
  being shipped between remote executions.
- Surface wheel-build progress to the console via `console_print` and
  pause the spinner during the build step for cleaner output.
- Thread `cwd`, `working_dir`, and `seen_basenames` through to
  `_write_runtime_env` to support the local-wheel copy logic.

* test(cli): Fix _write_runtime_env tests; add local wheel coverage

Update the four existing test_write_runtime_env_* tests to pass the three new
required arguments (cwd, working_dir, seen_basenames) introduced when
_write_runtime_env was extended to handle local wheel paths in fromPyPI.

Add test_write_runtime_env_local_wheel_in_pypi to verify that a local .whl
path in fromPyPI is copied to the working directory and its entry rewritten to
use RAY_RUNTIME_ENV_CREATE_WORKING_DIR, while a plain PyPI package name is
left unchanged.

* refactor(cli): address code review comments.
3 participants