PyPI · pypi.org

flash-attn

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 2.8.3.post1

Severity	Signal	Evidence
medium	Py Install Time Subprocess	subprocess call — process spawning. · flash_attn-2.8.3.post1/csrc/fused_dense_lib/setup.py
medium	Py Install Time Subprocess	subprocess call — process spawning. · flash_attn-2.8.3.post1/csrc/layer_norm/setup.py
medium	Py Install Time Subprocess	subprocess call — process spawning. · flash_attn-2.8.3.post1/hopper/setup.py
medium	Py Install Time Subprocess	subprocess call — process spawning. · flash_attn-2.8.3.post1/setup.py
high	Py Install Time Network Call	Network call (urllib/requests/httpx/http.client) at install or import time. · flash_attn-2.8.3.post1/hopper/setup.py
medium	Py Import Time Subprocess	subprocess call — process spawning. · flash_attn-2.8.3.post1/csrc/cutlass/python/cutlass/__init__.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.8.3.post1`	High risk	59	2026-06-11

Block this in CI

PkgRadar gates flash-attn (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi flash-attn==2.8.3.post1