Remove HuggingFace token #462

Open: tenbbughunters wants to merge 1 commit into LLaVA-VL:main from tenbbughunters:tra-2025-16

tenbbughunters commented Jun 10, 2025

This PR is to remove the project's HuggingFace token from the repository. You should also ensure that this token is then properly revoked on HuggingFace.

See https://www.tenable.com/security/research/tra-2025-16

x-stp commented Jun 10, 2025

That's not gonna cut it..

  • hf_YnLeYrTN[..]
  • hf_WtNgsRD[..]
  • hf_BHmUzrZ[..]

related commits

Retention is needed.
After that > github.com/newren/git-filter-repo

kcz358 commented Jun 13, 2025

Collaborator

I did a small filtering in #465 for hf tokens, but it requires admin access to do a force push. Feel free to do git reset --hard fix/hf_tokens and git push --force main on main if you want to fix this @Luodian

Luodian commented Jun 13, 2025

Contributor

No worries, I did disable these tokens.

@tenbbughunters

Author

Thanks @kcz358 @Luodian. It seems that there is still a valid WANDB token, for example: https://github.com/LLaVA-VL/LLaVA-NeXT/blob/main/scripts/archived/finetune_mixtral_1.6_336px_anyres_freeze_vision.sh#L52. You should also disable it and clean it along with the other HF tokens.
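
The point raised in this thread, that deleting a token from the current tree leaves it readable in earlier commits, can be checked with a history-wide scan. The script below is an added example, not part of this PR or of the LLaVA-NeXT repository; the token pattern (`hf_` followed by at least 30 alphanumerics), the function names and the demo repository with its fake token are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a repository's whole history for HF-style tokens.
# Assumption: a token is "hf_" followed by at least 30 alphanumerics.
TOKEN_RE='hf_[A-Za-z0-9]{30,}'

# Files in the current HEAD tree that contain a token-like string.
head_hits() {
    git -C "$1" grep -I -l -E -e "$TOKEN_RE" HEAD -- || true
}

# "<commit>:<path>" for every reachable commit whose tree contains one.
# Only names are printed (-l), never the matched secret itself.
history_hits() {
    for c in $(git -C "$1" rev-list --all); do
        git -C "$1" grep -I -l -E -e "$TOKEN_RE" "$c" -- || true
    done
}

# Number of distinct commits that still carry a token.
tainted_commit_count() {
    history_hits "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed demo repo: token committed, carried along, then "removed".
make_demo_repo() {
    repo=$(mktemp -d)
    fake='hf_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE'   # constructed, not a real token
    git -C "$repo" init -q
    git -C "$repo" config user.name demo
    git -C "$repo" config user.email demo@example.invalid
    echo "export HF_TOKEN=$fake" > "$repo/finetune.sh"
    git -C "$repo" add . && git -C "$repo" commit -q -m "add script"
    echo "notes" > "$repo/README"
    git -C "$repo" add . && git -C "$repo" commit -q -m "add readme"
    echo 'export HF_TOKEN=$HF_TOKEN' > "$repo/finetune.sh"
    git -C "$repo" add . && git -C "$repo" commit -q -m "remove token"
    echo "$repo"
}

# Stand-alone demo: HEAD looks clean, history does not.
if [ "${1:-}" = "--demo" ]; then
    r=$(make_demo_repo)
    echo "HEAD hits: [$(head_hits "$r")]"
    echo "commits still carrying a token: $(tainted_commit_count "$r")"
    rm -rf "$r"
fi
```

A count above zero after the "remove token" commit means the history still needs rewriting. Revoking the token remains necessary in any case, because existing clones and forks keep the old commits.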
