Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python Seldon Core Library dependency update #5951

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
+3 −3
Open

Python Seldon Core Library dependency update #5951

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
27b82c9
Create readme-micro.yaml
ramonpzg Dec 19, 2023
1d7b346
readme test deleted
ramonpzg Dec 20, 2023
8695267
open requirements to address CVEs
ramonpzg Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions python/setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,12 @@
"jaeger-client >= 4.1.0, < 4.5.0",
"grpcio-opentracing >= 1.1.4, < 1.2.0",
"grpcio-reflection < 2.0.0",
"gunicorn >= 19.9.0, < 20.2.0",
"gunicorn >= 19.9.0",
"setuptools >= 65.5.1",
"prometheus_client >= 0.7.1, < 0.9.0",
"werkzeug >= 2.1.1, < 2.3",
"werkzeug==3.0.4",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we just bump up the upper version, why do we have to pin it to a particular version?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this range work based on the CVE patch versions?
>=2.3.8, <=3.0.4

@sakoush @gsunner

Copy link
Member

@sakoush sakoush Nov 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we can have only a min bound, i.e. >=2.3.8. Upper bound could be added if there are issues with tests.

# Addresses CVE SNYK-PYTHON-CRYPTOGRAPHY-3315328
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(not related to this PR but this comment might be stale)

"cryptography >= 39.0.1, < 41.1",
"cryptography==43.0.1",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we just adjust the upper bound, why do we have to pin it to a particular version

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest cryptography 41.0.6 as the lower bound since this is the patch version for CVE-2023-49083

Do you agree @sakoush and @gsunner?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

>=41.0.6, <=43.0.1

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets have a lower bound with the patched version we would want to have. It is unclear whether we have to have an upper bound, it depends on the tests.

# Addresses CVE SNYK-PYTHON-PYYAML-590151
"PyYAML >= 5.4, <= 6.0.1",
# Addresses CVE PRISMA-2021-0020
Expand Down
Loading