torchrec

Pytorch domain library for recommendation systems

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pytorch%2Ftorchrec
PURL: pkg:github/pytorch/torchrec

Stars: 2,328
Forks: 558
Open issues: 155

License: bsd-3-clause
Language: Python
Size: 22.7 MB
Dependencies parsed at: Pending

Created at: about 4 years ago
Updated at: 6 days ago
Pushed at: 6 days ago
Last synced at: 6 days ago

Commit Stats

Commits: 2108
Authors: 297
Mean commits per author: 7.1
Development Distribution Score: 0.943
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/pytorch/torchrec

Topics: cuda, deep-learning, gpu, pytorch, recommendation-system, recommender-system, sharding

OpenSSF Scorecard report

4.4

Overall Score

10/10 Critical Risk

30/60 High Risk

0/40 Medium Risk

10/20 Low Risk

Generated on August 11, 2025 | Scorecard vv5.2.1-40-gf6ed084d

Security Checks

10/10

Binary-Artifacts

High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10

Code-Review

High Risk

all changesets reviewed

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10/10

Dangerous-Workflow

Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10

License

Low Risk

license file detected

Determines if the project has defined a license.

Show details

ℹ️ Info: project has a license file: LICENSE:0

ℹ️ Info: FSF or OSI recognized license: BSD 3-Clause "New" or "Revised" License: LICENSE:0

10/10

Maintained

High Risk

30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

0/10

Branch-Protection

High Risk

branch protection not enabled on development/release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

Show details

ℹ️ Info: 'allow deletion' disabled on branch 'main'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v1.2.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v1.1.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v1.0.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v0.8.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v0.7.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v0.6.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v0.5.0'

⚠️ Warn: 'allow deletion' enabled on branch 'release/v0.3.2'

⚠️ Warn: 'allow deletion' enabled on branch 'release/0.1.1'

⚠️ Warn: 'allow deletion' enabled on branch 'release/0.1.0'

ℹ️ Info: 'force pushes' disabled on branch 'main'

⚠️ Warn: 'force pushes' enabled on branch 'release/v1.2.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v1.1.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v1.0.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v0.8.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v0.7.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v0.6.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v0.5.0'

⚠️ Warn: 'force pushes' enabled on branch 'release/v0.3.2'

⚠️ Warn: 'force pushes' enabled on branch 'release/0.1.1'

⚠️ Warn: 'force pushes' enabled on branch 'release/0.1.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v1.2.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v1.1.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v1.0.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v0.8.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v0.7.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v0.6.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v0.5.0'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/v0.3.2'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/0.1.1'

⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'release/0.1.0'

⚠️ Warn: branch 'main' does not require approvers

⚠️ Warn: codeowners review is not required on branch 'main'

⚠️ Warn: could not determine whether codeowners review is allowed

⚠️ Warn: 'up-to-date branches' is disabled on branch 'main'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v1.2.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v1.1.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v1.0.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v0.8.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v0.7.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v0.6.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v0.5.0'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/v0.3.2'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/0.1.1'

⚠️ Warn: 'up-to-date branches' is disabled on branch 'release/0.1.0'

ℹ️ Info: status check found to merge onto on branch 'main'

ℹ️ Info: status check found to merge onto on branch 'release/v1.2.0'

ℹ️ Info: status check found to merge onto on branch 'release/v1.1.0'

ℹ️ Info: status check found to merge onto on branch 'release/v1.0.0'

ℹ️ Info: status check found to merge onto on branch 'release/v0.8.0'

ℹ️ Info: status check found to merge onto on branch 'release/v0.7.0'

ℹ️ Info: status check found to merge onto on branch 'release/v0.6.0'

ℹ️ Info: status check found to merge onto on branch 'release/v0.5.0'

ℹ️ Info: status check found to merge onto on branch 'release/v0.3.2'

ℹ️ Info: status check found to merge onto on branch 'release/0.1.1'

ℹ️ Info: status check found to merge onto on branch 'release/0.1.0'

⚠️ Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v1.2.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v1.1.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v1.0.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v0.8.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v0.7.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v0.6.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v0.5.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/v0.3.2'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/0.1.1'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

⚠️ Warn: PRs are not required to make changes on branch 'release/0.1.0'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings

0/10

CII-Best-Practices

Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10

Fuzzing

Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

Show details

⚠️ Warn: no fuzzer integrations found

0/10

Pinned-Dependencies

Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

Show details

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-wheels-linux.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build-wheels-linux.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-wheels-linux.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build-wheels-linux.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-wheels-linux.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build-wheels-linux.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-wheels-linux.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build-wheels-linux.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_dynamic_embedding_wheels.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build_dynamic_embedding_wheels.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_dynamic_embedding_wheels.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build_dynamic_embedding_wheels.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_dynamic_embedding_wheels.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build_dynamic_embedding_wheels.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_dynamic_embedding_wheels.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/build_dynamic_embedding_wheels.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cpp_unittest_ci_cpu.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/cpp_unittest_ci_cpu.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/docs.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-commit.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/pre-commit.yaml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-commit.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/pre-commit.yaml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/pre-commit.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/pre-commit.yaml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/pyre.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/pyre.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pyre.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/pyre.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release_build.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/release_build.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release_build.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/release_build.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release_build.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/release_build.yml/main?enable=pin

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release_build.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/release_build.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/unittest_ci.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/unittest_ci.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/unittest_ci_cpu.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/unittest_ci_cpu.yml/main?enable=pin

⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate-binaries.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/pytorch/torchrec/validate-binaries.yml/main?enable=pin

⚠️ Warn: containerImage not pinned by hash: torchrec/datasets/scripts/nvt/Dockerfile:1: pin your Docker image by updating nvcr.io/nvidia/merlin/merlin-pytorch-training:nightly to nvcr.io/nvidia/merlin/merlin-pytorch-training:nightly@sha256:ca0d24da00fbcaca6a786af09de06dc9f5115ae26ea9cb198bb7d3bb6762a1bf

⚠️ Warn: containerImage not pinned by hash: torchrec/inference/inference_legacy/docker/Dockerfile:1

⚠️ Warn: pipCommand not pinned by hash: torchrec/datasets/scripts/nvt/Dockerfile:3-4

⚠️ Warn: pipCommand not pinned by hash: torchrec/inference/inference_legacy/docker/Dockerfile:23-34

⚠️ Warn: pipCommand not pinned by hash: torchrec/inference/inference_legacy/docker/Dockerfile:40-49

⚠️ Warn: pipCommand not pinned by hash: .github/scripts/install_libs.sh:25

⚠️ Warn: pipCommand not pinned by hash: .github/scripts/install_libs.sh:27

⚠️ Warn: pipCommand not pinned by hash: .github/scripts/install_libs.sh:31

⚠️ Warn: pipCommand not pinned by hash: contrib/dynamic_embedding/tools/before_linux_build.sh:26

⚠️ Warn: pipCommand not pinned by hash: contrib/dynamic_embedding/tools/before_linux_build.sh:27

⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/docs.yml:37

⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/release_build.yml:55

⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/release_build.yml:167

ℹ️ Info: 0 out of 16 GitHub-owned GitHubAction dependencies pinned

ℹ️ Info: 0 out of 11 third-party GitHubAction dependencies pinned

ℹ️ Info: 0 out of 2 containerImage dependencies pinned

ℹ️ Info: 0 out of 9 pipCommand dependencies pinned

ℹ️ Info: 0 out of 3 downloadThenRun dependencies pinned

0/10

SAST

Medium Risk

no SAST tool detected

Determines if the project uses static code analysis.

Show details

⚠️ Warn: no pull requests merged into dev branch

0/10

Security-Policy

Medium Risk

security policy file not detected

Determines if the project has published a security policy.

Show details

⚠️ Warn: no security policy file detected

⚠️ Warn: no security file to analyze

0/10

Token-Permissions

High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

Show details

ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/cpp_unittest_ci_cpu.yml:41

⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/docs.yml:15

ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/unittest_ci.yml:67

ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/unittest_ci_cpu.yml:53

ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/build-wheels-linux.yml:17

⚠️ Warn: no topLevel permission defined: .github/workflows/build_dynamic_embedding_wheels.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/cpp_unittest_ci_cpu.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/docs.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/pre-commit.yaml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/pyre.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/release_build.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/unittest_ci.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/unittest_ci_cpu.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/validate-binaries.yml:1

⚠️ Warn: no topLevel permission defined: .github/workflows/validate-nightly-binaries.yml:1

0/10

Vulnerabilities

High Risk

12 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

Show details

⚠️ Warn: Project is vulnerable to: PYSEC-2017-74

⚠️ Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6

⚠️ Warn: Project is vulnerable to: PYSEC-2018-34 / GHSA-2fc2-6r4j-p65h

⚠️ Warn: Project is vulnerable to: PYSEC-2021-856 / GHSA-5545-2q6w-2gh6

⚠️ Warn: Project is vulnerable to: PYSEC-2019-108 / GHSA-9fq2-x9r6-wfmf

⚠️ Warn: Project is vulnerable to: PYSEC-2018-33 / GHSA-cw6w-4rcx-xphc

⚠️ Warn: Project is vulnerable to: PYSEC-2021-857 / GHSA-f7c7-j99h-c22f

⚠️ Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm

⚠️ Warn: Project is vulnerable to: PYSEC-2017-1 / GHSA-frgw-fgh6-9g52

⚠️ Warn: Project is vulnerable to: PYSEC-2020-73

⚠️ Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4

⚠️ Warn: Project is vulnerable to: PYSEC-2018-49 / GHSA-rprw-h62v-c2w7

N/A

Packaging

Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

Show details

⚠️ Warn: no GitHub/GitLab publishing workflow detected.

N/A

Signed-Releases

Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Repos

GitHub / pytorch / torchrec

Commit Stats

OpenSSF Scorecard report

4.4

Security Checks

Binary-Artifacts

Code-Review

Dangerous-Workflow

License

Maintained

Branch-Protection

CII-Best-Practices

Fuzzing

Pinned-Dependencies

SAST

Security-Policy

Token-Permissions

Vulnerabilities

Packaging

Signed-Releases