← Back to the AI Dependency AtlasExact package identity dossier

Transformers

pypi:transformers
Hugging Face

This dossier links the stable identity pypi:transformers to 7 exact observed versions across 8 public repositories.

pypipypi:transformersecosystem:name + exact version + evidence path

A package identity or provider interface in published code does not prove configuration, an account, procurement, data transfer or an API call.

ecosystem:name + exact version + evidence path
8repositories
11exact evidence rows
7exact versions
1reported license expression
25OSV records returned
Exact published evidence

Observed exact versions and registry metadata

Publication age and licenses come from deps.dev metadata. They are context—not a maintenance, legal or portability verdict.

Exact version4.47.117 Dec 2024
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported25 OSV records
Open exact source ↗
Exact version4.51.314 Apr 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported17 OSV records
Open exact source ↗
Exact version4.53.104 Jul 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported11 OSV records
Open exact source ↗
Exact version4.57.114 Oct 2025
Repositories
2
Occurrences
2
Reported licenses
Apache-2.0
no verified publish attestation reported5 OSV records
Open exact source ↗
Exact version4.57.325 Nov 2025
Repositories
1
Occurrences
4
Reported licenses
Apache-2.0
no verified publish attestation reported4 OSV records
Open exact source ↗
Exact version4.57.413 Jan 2026
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported4 OSV records
Open exact source ↗
Exact version4.57.616 Jan 2026
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported4 OSV records
Open exact source ↗
Observed relations

Repositories carrying this identity

F13-RAGlandeshauptstadt-muenchen/f-13-rag
4.57.34 Occurrences
Coding Agent Usage Simulationuba-ki-lab/coding-agent-usage-simulation
4.57.11 Occurrence
GSA Extractionuba-ki-lab/gsa-extraction
4.53.11 Occurrence
LLM Questionnaire Benchmarking Frameworkuba-ki-lab/llm-questionnaire-benchmarking-framework
4.57.61 Occurrence
LLM Testframeworkuba-ki-lab/llm-testframework
4.51.31 Occurrence
Objection managementuba-ki-lab/objection-management
4.47.11 Occurrence
Ressource Efficient Computer Visionuba-ki-lab/ressource-efficient-computer-vision
4.57.41 Occurrence
Retrieval Evaluationuba-ki-lab/retrieval-evaluation
4.57.11 Occurrence
Exact published evidence

exact evidence rows

Coding Agent Usage Simulationuba-ki-lab/coding-agent-usage-simulation
pypi:transformers@4.57.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
F13-RAGlandeshauptstadt-muenchen/f-13-rag
pypi:transformers@4.57.3requirements-dev.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
F13-RAGlandeshauptstadt-muenchen/f-13-rag
pypi:transformers@4.57.3requirements-gpu.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
F13-RAGlandeshauptstadt-muenchen/f-13-rag
pypi:transformers@4.57.3requirements-testing.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
F13-RAGlandeshauptstadt-muenchen/f-13-rag
pypi:transformers@4.57.3requirements.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
GSA Extractionuba-ki-lab/gsa-extraction
pypi:transformers@4.53.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
LLM Questionnaire Benchmarking Frameworkuba-ki-lab/llm-questionnaire-benchmarking-framework
pypi:transformers@4.57.6uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
LLM Testframeworkuba-ki-lab/llm-testframework
pypi:transformers@4.51.3uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Objection managementuba-ki-lab/objection-management
pypi:transformers@4.47.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Ressource Efficient Computer Visionuba-ki-lab/ressource-efficient-computer-vision
pypi:transformers@4.57.4uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Retrieval Evaluationuba-ki-lab/retrieval-evaluation
pypi:transformers@4.57.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
OSV

Related OSV records

GHSA-29pf-2h5f-8g72

HuggingFace transformers vulnerable to remote code execution

8 repositories13 Jul 2026
GHSA-37mw-44qp-f5jm

Transformers is vulnerable to ReDoS attack through its DonutProcessor class

2 repositories07 Jul 2026
GHSA-4w7r-h757-3r74

Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer

2 repositories07 Jul 2026
GHSA-59p9-h35m-wg4g

Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer

2 repositories07 Jul 2026
GHSA-69w3-r845-3855

HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class

8 repositories13 Jul 2026
GHSA-6rvg-6v2m-4j46

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

1 repository07 Jul 2026
GHSA-9356-575x-2w9m

Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability

2 repositories07 Jul 2026
GHSA-fgcw-684q-jj6r

huggingface/transformers: Arbitrary Code Execution During Model Initialization in the LightGlue Model Loading Path

8 repositories17 Jul 2026
GHSA-fpwr-67px-3qhx

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

1 repository07 Jul 2026
GHSA-hxxf-235m-72v3

Deserialization of Untrusted Data in Hugging Face Transformers

1 repository10 Jun 2026
GHSA-jjph-296x-mrcr

Transformers vulnerable to ReDoS attack through its get_imports() function

1 repository07 Jul 2026
GHSA-phhr-52qp-3mj4

Transformers's Improper Input Validation vulnerability can be exploited through username injection

2 repositories07 Jul 2026
GHSA-q2wp-rjmx-x6x9

Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking

1 repository07 Jul 2026
GHSA-qq3j-4f4f-9583

Hugging Face Transformers Regular Expression Denial of Service

1 repository10 Jun 2026
GHSA-qxrp-vhvm-j765

Deserialization of Untrusted Data in Hugging Face Transformers

1 repository10 Jun 2026
GHSA-rcv9-qm8p-9p6j

Hugging Face Transformers library has Regular Expression Denial of Service

2 repositories07 Jul 2026
GHSA-wrfc-pvp9-mr9g

Deserialization of Untrusted Data in Hugging Face Transformers

1 repository10 Jun 2026
PYSEC-2025-211

Not reported

3 repositories21 May 2026
PYSEC-2025-212

Not reported

3 repositories21 May 2026
PYSEC-2025-213

Not reported

3 repositories21 May 2026
PYSEC-2025-214

Not reported

3 repositories21 May 2026
PYSEC-2025-215

Not reported

3 repositories21 May 2026
PYSEC-2025-216

Not reported

3 repositories21 May 2026
PYSEC-2025-217

Not reported

8 repositories21 May 2026
PYSEC-2025-218

Not reported

5 repositories21 May 2026
Interpretation boundary

Exact identities in, explicit limits out

Only exact npm and PyPI tuples are enriched. Reported SPDX expressions are metadata; no compatibility, obligation or legal conclusion is inferred.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): Transformers — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/paket/transformers-65289303/

Reading this dossier

Does package presence prove that a provider is used?
No. Even a direct interface declaration does not establish configuration, credentials, procurement, data transfer or an API call.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools