Isolate demo dependencies and pin orjson for CVE-2025-67221 mitigation

[evcyen]

Description

Fixes #1161 which identified CVE-2025-67221 affecting orjson versions reported as vulnerable in the advisory range (<=3.11.4), where deeply nested structures may trigger problematic recursion/resource behavior during orjson.dumps() and lead to process instability/DoS-style failures.

The risk path is transitive, not from direct orjson use in core package code: gradio (dev dependency) -> orjson Gradio was previously in the shared dev dependency group, meaning many development environments pulled in orjson even when demo/web UI workflows were not being used.

This repo supports Python >=3.8, but the safe orjson pin for this CVE is in newer versions (3.11.6+). Rather than raising the project-wide Python minimum, we split dependencies by use case:

• core contributor tooling still works on 3.8/3.9
• demo/UI dependencies are opt-in, Python 3.10+, with safely pinned orjson

Changes

1. Update dependency structure in pyproject.toml

• Removed gradio from the general dev dependency group.
• Added an optional demo dependency group.
• Moved demo/web UI dependencies into demo:
  • gradio (Python >=3.10)
  • orjson pin >=3.11.7,<4.0 (Python >=3.10)

2. Updated docs/source/content/contributing.md

• Added instructions for enabling demo dependencies via --with demo
• Added note that demo group is intended for Python 3.10+, and 3.8/3.9 users should use core setup without demo.

Pros: We improve security without dropping broad runtime compatibility, and lower the risk footprint in default environments. We separate into groups of clearer dependency intent (core vs demo).

Cons: It adds one more dependency group (demo), and demo users have to opt in explicitly (--with demo).

Testing

Test 1: Install succeeds, gradio is not installed and None is printed

poetry env use 3.9
poetry install --with dev,docs,jupyter --without demo
poetry run python -c "import sys; print(sys.version)"
poetry run python -c "import importlib.util; print(importlib.util.find_spec('gradio'))"

Test 2: Install succeeds, orjson resolves to >=3.11.7

poetry env use 3.10
poetry install --with dev,docs,jupyter,demo
poetry run python -c "import gradio, orjson; print(gradio.__version__, orjson.__version__)"

Type of change

• Bug fix (non-breaking change which fixes an issue)
• This change requires a documentation update

Checklist:

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have not rewritten tests relating to key interfaces which would affect backward compatibility