Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval (#8296)

### Description

This bumps the minimum required `torch` version from 1.9.0 to 1.13.1.

See GHSA-47fc-vmwq-366v for more details
such as the highest severity scoring of "Critical".

- https://nvd.nist.gov/vuln/detail/CVE-2022-45907
- https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-3149871

Maintainers will need to update the required status checks for the
[`dev`](https://github.com/Project-MONAI/MONAI/tree/dev) branch to:
- Remove min-dep-pytorch (1.10.2)
- Remove min-dep-pytorch (1.11.0)
- Remove min-dep-pytorch (1.12.1)
- Remove min-dep-pytorch (1.13)
- Add min-dep-pytorch (1.13.1)

cc: @KumoLiu 


### Types of changes
<!--- Put an `x` in all the boxes that apply, and remove the not
applicable items -->
- [x] Breaking change (fix or new feature that would cause existing
functionality to change). (drop of older `torch` versions)
- [ ] Integration tests passed locally by running `./runtests.sh -f -u
--net --coverage`.
- [ ] Quick tests passed locally by running `./runtests.sh --quick
--unittests --disttests`.

---------

Signed-off-by: James Butler <[email protected]>
Signed-off-by: YunLiu <[email protected]>
Co-authored-by: YunLiu <[email protected]>

Author: jamesobutler

.github/workflows/cron.yml

@@ -13,16 +13,12 @@ jobs:
     strategy:
       matrix:
         environment:
-          - "PT110+CUDA113"
           - "PT113+CUDA118"
           - "PT210+CUDA121"
           - "PT240+CUDA126"
           - "PTLATEST+CUDA126"
         include:
           # https://docs.nvidia.com/deeplearning/frameworks/pytorch-release-notes
-          - environment: PT110+CUDA113
-            pytorch: "torch==1.10.2 torchvision==0.11.3 --extra-index-url https://download.pytorch.org/whl/cu113"
-            base: "nvcr.io/nvidia/pytorch:21.06-py3"  # CUDA 11.3
           - environment: PT113+CUDA118
             pytorch: "torch==1.13.1 torchvision==0.14.1 --extra-index-url https://download.pytorch.org/whl/cu121"
             base: "nvcr.io/nvidia/pytorch:22.10-py3"  # CUDA 11.8

.github/workflows/pythonapp-gpu.yml

@@ -22,20 +22,10 @@ jobs:
     strategy:
       matrix:
         environment:
-          - "PT19+CUDA114DOCKER"
-          - "PT110+CUDA111"
-          - "PT112+CUDA118DOCKER"
           - "PT113+CUDA116"
           - "PT210+CUDA121DOCKER"
         include:
           # https://docs.nvidia.com/deeplearning/frameworks/pytorch-release-notes
-          - environment: PT110+CUDA111
-            pytorch: "torch==1.10.2 torchvision==0.11.3 --extra-index-url https://download.pytorch.org/whl/cu111"
-            base: "nvcr.io/nvidia/cuda:11.1.1-devel-ubuntu18.04"
-          - environment: PT112+CUDA118DOCKER
-            # 22.09: 1.13.0a0+d0d6b1f
-            pytorch: "-h"  # we explicitly set pytorch to -h to avoid pip install error
-            base: "nvcr.io/nvidia/pytorch:22.09-py3"
           - environment: PT113+CUDA116
             pytorch: "torch==1.13.1 torchvision==0.14.1"
             base: "nvcr.io/nvidia/cuda:11.6.1-devel-ubuntu18.04"
@@ -59,8 +49,7 @@ jobs:
         apt-get update
         apt-get install -y wget
 
-        if [ ${{ matrix.environment }} = "PT110+CUDA111" ] || \
-          [ ${{ matrix.environment }} = "PT113+CUDA116" ]
+        if [ ${{ matrix.environment }} = "PT113+CUDA116" ]
         then
         PYVER=3.9 PYSFX=3 DISTUTILS=python3-distutils && \
         apt-get update && apt-get install -y --no-install-recommends \
@@ -94,9 +83,6 @@ jobs:
         python get-pip.py && \
         rm get-pip.py;
         fi
-    - if: matrix.environment == 'PT19+CUDA114DOCKER'
-      name: Optional Cupy dependency (cuda114)
-      run: echo "cupy-cuda114" >> requirements-dev.txt
     - name: Install dependencies
       if: github.event.pull_request.merged != true
       run: |

.github/workflows/pythonapp-min.yml

@@ -124,7 +124,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        pytorch-version: ['1.10.2', '1.11.0', '1.12.1', '1.13', '2.0.1', 'latest']
+        pytorch-version: ['1.13.1', '2.0.1', '2.2.2', '2.3.1', '2.4.1', 'latest']
     timeout-minutes: 40
     steps:
     - uses: actions/checkout@v4

.github/workflows/pythonapp.yml

@@ -155,7 +155,7 @@ jobs:
         # install the latest pytorch for testing
         # however, "pip install monai*.tar.gz" will build cpp/cuda with an isolated
         # fresh torch installation according to pyproject.toml
-        python -m pip install torch>=1.9 torchvision
+        python -m pip install torch>=1.13.1 torchvision
     - name: Check packages
       run: |
         pip uninstall monai

docs/requirements.txt

@@ -1,5 +1,5 @@
--f https://download.pytorch.org/whl/cpu/torch-1.12.1%2Bcpu-cp37-cp37m-linux_x86_64.whl
-torch>=1.9
+-f https://download.pytorch.org/whl/cpu/torch-1.13.1%2Bcpu-cp39-cp39-linux_x86_64.whl
+torch>=1.13.1
 pytorch-ignite==0.4.11
 numpy>=1.20
 itk>=5.2

environment-dev.yml

@@ -6,7 +6,7 @@ channels:
   - conda-forge
 dependencies:
   - numpy>=1.24,<2.0
-  - pytorch>=1.9
+  - pytorch>=1.13.1
   - torchio
   - torchvision
   - pytorch-cuda>=11.6

monai/apps/auto3dseg/transforms.py

@@ -18,7 +18,6 @@
 import torch
 
 from monai.config import KeysCollection
-from monai.networks.utils import pytorch_after
 from monai.transforms import MapTransform
 from monai.utils.misc import ImageMetaKey
 
@@ -74,9 +73,7 @@ def __call__(self, data: Mapping[Hashable, torch.Tensor]) -> dict[Hashable, torc
                             f", the metadata was not updated {filename}."
                         )
                     d[key] = torch.nn.functional.interpolate(
-                        input=d[key].unsqueeze(0),
-                        size=image_shape,
-                        mode="nearest-exact" if pytorch_after(1, 11) else "nearest",
+                        input=d[key].unsqueeze(0), size=image_shape, mode="nearest-exact"
                     ).squeeze(0)
                 else:
                     raise ValueError(

monai/data/utils.py

@@ -50,7 +50,6 @@
     issequenceiterable,
     look_up_option,
     optional_import,
-    pytorch_after,
 )
 
 pd, _ = optional_import("pandas")
@@ -450,12 +449,9 @@ def collate_meta_tensor_fn(batch, *, collate_fn_map=None):
     Collate a sequence of meta tensor into a single batched metatensor. This is called by `collage_meta_tensor`
     and so should not be used as a collate function directly in dataloaders.
     """
-    if pytorch_after(1, 13):
-        from torch.utils.data._utils.collate import collate_tensor_fn  # imported here for pylint/mypy issues
+    from torch.utils.data._utils.collate import collate_tensor_fn  # imported here for pylint/mypy issues
 
-        collated = collate_tensor_fn(batch)
-    else:
-        collated = default_collate(batch)
+    collated = collate_tensor_fn(batch)
 
     meta_dicts = [i.meta or TraceKeys.NONE for i in batch]
     common_ = set.intersection(*[set(d.keys()) for d in meta_dicts if isinstance(d, dict)])
@@ -494,18 +490,15 @@ def list_data_collate(batch: Sequence):
         Need to use this collate if apply some transforms that can generate batch data.
 
     """
+    from torch.utils.data._utils.collate import default_collate_fn_map
 
-    if pytorch_after(1, 13):
-        # needs to go here to avoid circular import
-        from torch.utils.data._utils.collate import default_collate_fn_map
-
-        from monai.data.meta_tensor import MetaTensor
+    from monai.data.meta_tensor import MetaTensor
 
-        default_collate_fn_map.update({MetaTensor: collate_meta_tensor_fn})
+    default_collate_fn_map.update({MetaTensor: collate_meta_tensor_fn})
     elem = batch[0]
     data = [i for k in batch for i in k] if isinstance(elem, list) else batch
     key = None
-    collate_fn = default_collate if pytorch_after(1, 13) else collate_meta_tensor
+    collate_fn = default_collate
     try:
         if config.USE_META_DICT:
             data = pickle_operations(data)  # bc 0.9.0

monai/inferers/utils.py

@@ -31,11 +31,10 @@
     fall_back_tuple,
     look_up_option,
     optional_import,
-    pytorch_after,
 )
 
 tqdm, _ = optional_import("tqdm", name="tqdm")
-_nearest_mode = "nearest-exact" if pytorch_after(1, 11) else "nearest"
+_nearest_mode = "nearest-exact"
 
 __all__ = ["sliding_window_inference"]
 

monai/losses/dice.py

@@ -25,7 +25,7 @@
 from monai.losses.spatial_mask import MaskedLoss
 from monai.losses.utils import compute_tp_fp_fn
 from monai.networks import one_hot
-from monai.utils import DiceCEReduction, LossReduction, Weight, look_up_option, pytorch_after
+from monai.utils import DiceCEReduction, LossReduction, Weight, look_up_option
 
 
 class DiceLoss(_Loss):
@@ -738,20 +738,14 @@ def __init__(
             batch=batch,
             weight=dice_weight,
         )
-        if pytorch_after(1, 10):
-            self.cross_entropy = nn.CrossEntropyLoss(
-                weight=weight, reduction=reduction, label_smoothing=label_smoothing
-            )
-        else:
-            self.cross_entropy = nn.CrossEntropyLoss(weight=weight, reduction=reduction)
+        self.cross_entropy = nn.CrossEntropyLoss(weight=weight, reduction=reduction, label_smoothing=label_smoothing)
         self.binary_cross_entropy = nn.BCEWithLogitsLoss(pos_weight=weight, reduction=reduction)
         if lambda_dice < 0.0:
             raise ValueError("lambda_dice should be no less than 0.0.")
         if lambda_ce < 0.0:
             raise ValueError("lambda_ce should be no less than 0.0.")
         self.lambda_dice = lambda_dice
         self.lambda_ce = lambda_ce
-        self.old_pt_ver = not pytorch_after(1, 10)
 
     def ce(self, input: torch.Tensor, target: torch.Tensor) -> torch.Tensor:
         """
@@ -764,12 +758,6 @@ def ce(self, input: torch.Tensor, target: torch.Tensor) -> torch.Tensor:
         if n_pred_ch != n_target_ch and n_target_ch == 1:
             target = torch.squeeze(target, dim=1)
             target = target.long()
-        elif self.old_pt_ver:
-            warnings.warn(
-                f"Multichannel targets are not supported in this older Pytorch version {torch.__version__}. "
-                "Using argmax (as a workaround) to convert target to a single channel."
-            )
-            target = torch.argmax(target, dim=1)
         elif not torch.is_floating_point(target):
             target = target.to(dtype=input.dtype)