Replace unmaintained gemm with qlora-gemm fork #3335
Pull request overview
Replaces the unmaintained gemm crate with the maintained qlora-gemm fork while preserving the existing matmul API usage.
Changes:
- Switch workspace dependency from `gemm = "0.19.0"` to `qlora-gemm = "0.20.0"` with the same `wasm-simd128-enable` feature.
- Update `candle-core` to depend on `qlora-gemm` via workspace dependency.
- Adjust the CPU `MatMul` backend implementation to import `gemm` and `Parallelism` from `qlora_gemm` instead of `gemm`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Cargo.toml | Updates the shared workspace dependency from gemm to qlora-gemm v0.20.0 with the existing wasm SIMD feature. |
| candle-core/Cargo.toml | Points the candle-core crate’s linear algebra dependency to the new qlora-gemm workspace crate. |
| candle-core/src/cpu_backend/mod.rs | Changes the matmul CPU path to use qlora_gemm::{gemm, Parallelism} without altering call sites or behavior. |
I figured I'd PR this back for y'all since I'm already working on maintaining my own forks of gemm and paste as they're no longer maintained and I need these to be maintained for security purposes of my own rust AI ecosystem projects. I will continue to maintain my qlora-paste and qlora-gemm forks of paste and gemm regardless, but figure this gives back to the community in a way. cheers!
The gemm crate depends on the unmaintained paste crate, which has no active maintainer and outstanding security/compatibility issues.

This change switches to qlora-gemm v0.20.0, a maintained fork that:
- Uses qlora-paste (maintained paste fork) instead of unmaintained paste
- Maintains API compatibility with gemm v0.19.x
- Published to crates.io: https://crates.io/crates/qlora-gemm

Changes:
- workspace Cargo.toml: gemm -> qlora-gemm v0.20.0
- candle-core/Cargo.toml: gemm -> qlora-gemm
- candle-core/src/cpu_backend/mod.rs: use qlora_gemm instead of gemm
4773ae3 to d390b48
Replace unmaintained transitive dependencies with maintained forks:
- paste -> qlora-paste v1.0.20
- gemm -> qlora-gemm v0.20.0
- candle-core patched via qlora-candle

Documentation updates:
- SECURITY.md: Added "Unmaintained Dependency Mitigation" section
- README.md: Added security note and version history
- CHANGELOG.md: Detailed release notes

Upstream PR: huggingface/candle#3335

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: rename package to paste for [patch] compatibility

* chore: bump version to 1.2.3, remove broken paste patch

  - Removed [patch.crates-io] section for paste crate
  - patch-target branch in qlora-paste repo no longer exists
  - qlora-paste now published on crates.io with its own package name
  - Added documentation note about paste as transitive dependency
  - Updated README with CI/security/crates.io badges
  - Version bump to 1.2.3

  When upstream burn/cubecl adopt qlora-paste, dependencies can be updated.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: add security audit workflow and documentation

  - Add security.yml workflow for cargo-audit with SARIF reporting
  - Add dependabot.yml for automated dependency updates
  - Add deny.toml for cargo-deny license/advisory checks
  - Add SECURITY.md policy document
  - Add docs/SECURITY_BADGE_SETUP_GUIDE.md

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add qlora-paste dependency for token pasting macros

  - Add qlora-paste v1.0.17 to workspace dependencies
  - Add qlora-paste to aphelion-macros for proc-macro token pasting
  - Update security workflow to not fail on unmaintained warnings
  - Add paste/lru advisories to deny.toml ignore list (transitive deps)

  qlora-paste is a maintained fork of the unmaintained paste crate.
  Import as: use qlora_paste::paste;

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: bump qlora-paste to 1.0.20

  - Updated qlora-paste dependency to 1.0.20
  - Commented out [patch.crates-io] until as-paste branch is created

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: add qlora-gemm to workspace dependencies

  - Add qlora-gemm v0.20.0 as workspace dependency
  - Prepare patch config for gemm (commented until as-gemm branch exists)
  - gemm v0.19.0 is transitive dep from candle-core

  Note: User is creating candle fork using maintained qlora-* crates

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: patch candle-core with qlora-candle for maintained dependencies

  - Add [patch.crates-io] for candle-core pointing to qlora-candle fork
  - Dependency chain now uses maintained forks:
    - candle-core (qlora-candle) -> qlora-gemm v0.20.0 -> qlora-paste v1.0.20
  - PR'd to huggingface/candle for future upstream adoption
  - Removes unmaintained gemm from dependency tree

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* release: v1.2.4 - security fix for unmaintained dependencies

  Replace unmaintained transitive dependencies with maintained forks:
  - paste -> qlora-paste v1.0.20
  - gemm -> qlora-gemm v0.20.0
  - candle-core patched via qlora-candle

  Documentation updates:
  - SECURITY.md: Added "Unmaintained Dependency Mitigation" section
  - README.md: Added security note and version history
  - CHANGELOG.md: Detailed release notes

  Upstream PR: huggingface/candle#3335

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* release: v1.2.5 - dependency updates

  Updated dependencies to latest patch versions:
  - burn: 0.20 → 0.20.1
  - pyo3: 0.27 → 0.27.2
  - thiserror: 2.0 → 2.0.18
  - half: 2.7 → 2.7.1
  - qlora-candle fork updated to latest commit

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(ci): skip dry-run for aphelion-core due to workspace dep resolution

  The dry-run validation for aphelion-core fails because it depends on aphelion-macros, which isn't on crates.io yet during validation. Instead, verify aphelion-core builds correctly. The actual publish step handles the sequencing properly (publish macros -> wait -> publish core).

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* release: v1.2.6 - fix Python package versioning

  The pyproject.toml had a hardcoded version that wasn't being updated, causing PyPI releases to be stuck at 1.2.2. Now uses dynamic versioning from Cargo.toml via maturin, so Python package versions will stay in sync with crates.io automatically.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* release: v1.2.7 - update rust-ai-core to 0.3.1, candle-core to 0.9.2

  Dependency updates:
  - rust-ai-core: 0.2.7 -> 0.3.1 (pyo3 0.27.2 compatibility via tritter-accel 0.1.3)
  - candle-core: 0.9 -> 0.9.2 (patch version update)

  The rust-ai-core 0.3.0 had a pyo3 version conflict with tritter-accel using pyo3 0.22.x. This is now resolved in 0.3.1 with tritter-accel 0.1.3 using pyo3 0.27.2, aligning with aphelion-python's pyo3 dependency.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: unify Python bindings into aphelion-core

  Move Python bindings from separate aphelion-python crate into aphelion-core:
  - Add `python` feature to aphelion-core that enables PyO3 bindings
  - Move all Python binding modules to src/python/
  - Move pyproject.toml and python/ stub files to aphelion-core/
  - Update CI release workflow to build from aphelion-core
  - Remove aphelion-python from workspace

  Benefits:
  - Reduced code duplication between Rust core and Python bindings
  - Automatic version alignment (single source of truth)
  - Simpler CI/release process (one crate to publish + build wheels)
  - Easier maintenance with collocated code

  The Python package name remains `aphelion-framework` on PyPI.
  Build wheels with: `maturin build --features python`

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* release: v1.2.8 - unified Python bindings, dependency updates

  Changes in this release:
  - Unified Python bindings into aphelion-core (python feature)
  - Updated rust-ai-core: 0.2.7 → 0.3.1
  - Updated candle-core: 0.9 → 0.9.2
  - Removed separate aphelion-python crate
  - Simplified CI/release pipeline

  Python wheels now build from aphelion-core with --features python. Package name on PyPI remains `aphelion-framework`.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(ci): correct rust-toolchain action name in security workflow

  The security audit workflow was using `dtolnay/rust-action` which doesn't exist. Changed to `dtolnay/rust-toolchain` which is the correct action.

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: update documentation for v1.2.8

  - Update README:
    - rust-ai-core version: 0.2.7 → 0.3.1
    - tritter-accel version: 0.1.1 → 0.1.3
    - Project structure: removed aphelion-python (now unified in aphelion-core)
    - Added v1.2.7 and v1.2.8 to version history
    - Updated Python installation instructions
  - Update CHANGELOG:
    - Added v1.2.7 entry (dependency updates)
    - Added v1.2.8 entry (unified Python bindings)
  - Update aphelion-core README:
    - Added `python` feature to features table

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add TypeScript/WASM bindings via wasm-bindgen

  Add WebAssembly bindings for aphelion-core, enabling TypeScript/JavaScript developers to use the framework in browsers and Node.js environments.

  WASM Bindings:
  - JsModelConfig with JSON serialization and presets
  - JsBuildGraph, JsGraphNode, JsNodeId with stable hashing
  - JsBuildPipeline, JsBuildContext for pipeline execution
  - JsNullBackend, JsDeviceCapabilities for backend abstraction
  - JsTraceEvent, JsInMemoryTraceSink, JsTraceLevel for diagnostics
  - JsValidationError, JsNameValidator, JsVersionValidator, JsCompositeValidator

  Features:
  - New `wasm` feature flag for optional WASM compilation
  - Feature detection: getVersion(), hasBurn(), hasCubecl(), hasRustAiCore()
  - Automatic panic hook for better error messages in development

  CI/CD:
  - Added build-wasm job to build WASM package with wasm-pack
  - Added publish-npm job to publish to npm registry

  Documentation:
  - Updated README with TypeScript/JavaScript installation and usage
  - Updated CHANGELOG with v1.2.9 entry
  - Updated feature flags table

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Summary
This PR replaces the `gemm` crate dependency with `qlora-gemm`, a maintained fork.
Problem
The `gemm` crate depends on the `paste` crate, which is unmaintained:
Solution
Switch to `qlora-gemm` v0.20.0, a maintained fork that:
- Uses `qlora-paste` (maintained `paste` fork) instead of unmaintained `paste`
- Maintains API compatibility with `gemm` v0.19.x
Changes
- `Cargo.toml`: `gemm = "0.19.0"` -> `qlora-gemm = "0.20.0"`
- `candle-core/Cargo.toml`: `gemm` -> `qlora-gemm`
- `candle-core/src/cpu_backend/mod.rs`: `use gemm` -> `use qlora_gemm`
Testing
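
Swapping `gemm` for a fork removes `paste` only along that one path; any other crate that depends on it keeps it in the lockfile. As an added example (not part of this pull request or the candle code base), the std-only Rust program below parses Cargo.lock text and reports which packages still require a crate from a deny list. `SAMPLE` is constructed data and `other-crate` is a hypothetical name.

```rust
// Added example, not code from the PR. SAMPLE is a constructed Cargo.lock
// excerpt; "other-crate" is a hypothetical name.
const SAMPLE: &str = r#"
[[package]]
name = "candle-core"
dependencies = [
 "qlora-gemm",
]
[[package]]
name = "other-crate"
dependencies = [
 "paste 1.0.15",
]
[[package]]
name = "paste"
"#;

#[derive(Default)]
struct Pkg { name: String, deps: Vec<String> }

fn parse_lock(text: &str) -> Vec<Pkg> {
    let (mut pkgs, mut in_deps) = (Vec::<Pkg>::new(), false);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" { pkgs.push(Pkg::default()); in_deps = false; continue; }
        let Some(p) = pkgs.last_mut() else { continue };
        if in_deps && line == "]" {
            in_deps = false;
        } else if in_deps {
            // Entries are "name" or "name version (source)"; keep only the name.
            let entry = line.trim_matches(|c: char| c == '"' || c == ',');
            p.deps.push(entry.split(' ').next().unwrap_or("").to_string());
        } else if let Some(v) = line.strip_prefix("name = ") {
            p.name = v.trim_matches('"').to_string();
        } else if line == "dependencies = [" {
            in_deps = true;
        }
    }
    pkgs
}

// For each denied crate still resolved, return (crate, direct dependents).
fn still_pulled_in(pkgs: &[Pkg], denied: &[&str]) -> Vec<(String, Vec<String>)> {
    pkgs.iter().filter(|p| denied.contains(&p.name.as_str())).map(|p| {
        let via = pkgs.iter().filter(|q| q.deps.contains(&p.name));
        (p.name.clone(), via.map(|q| q.name.clone()).collect::<Vec<_>>())
    }).collect()
}
fn main() {
    println!("{:?}", still_pulled_in(&parse_lock(SAMPLE), &["gemm", "paste"]));
}
```

An empty result for the deny list is the condition to gate on in CI; a non-empty one names the direct dependents that still need to be replaced or patched.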