fewer maturin references

[altendky]

Draft For:

• in pep517 build default compatibility to off instead of always specifying PyO3/maturin#1992

[coveralls-official]

Pull Request Test Coverage Report for Build 8253603665

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 85.205%

---

Totals
Change from base Build 8222476711:	0.0%
Covered Lines:	11432
Relevant Lines:	13417

---

💛 - Coveralls

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
AI detected security risk	pypi/termcolor@2.3.0	Notes: Due to the absence of code snippets in all reports, it is not possible to conduct a meaningful security analysis or confirm any reported issues. The lack of information hinders the assessment of malware, obfuscation, or security risks. The reports need to include code snippets or more detailed data for a comprehensive security evaluation. Confidence: 0.80 Severity: 0.70	wheel/pyproject.toml
AI warning	pypi/js2py@0.74	Notes: The code exhibits risky behavior by dynamically downloading and executing npm packages within a Python environment without adequate verification, sandboxing, or cleanup. This can potentially lead to execution of malicious code, command injection vulnerabilities, and resource exhaustion issues. Confidence: 0.80 Severity: 0.60	wheel/pyproject.toml
Critical CVE	pypi/pycrypto@2.6.1	CVE: GHSA-cq27-v7xp-c356 Buffer Overflow in pycrypto (CRITICAL) Affected versions: <= 2.6.1 Patched version: No patched versions	wheel/pyproject.toml
AI detected security risk	pypi/pyro4@4.82	Notes: The code presents significant security risks due to its ability to execute arbitrary code remotely, manipulate files, and dynamically manage Python modules and attributes. While it is designed to enable remote interaction with Python applications, its capabilities are highly sensitive and could be misused if not adequately protected against unauthorized access. The use of insecure serialization further compounds these risks. Confidence: 0.85 Severity: 0.75	wheel/pyproject.toml
Critical CVE	pypi/transformers@4.25.0	CVE: GHSA-3863-2447-669p transformers has a Deserialization of Untrusted Data vulnerability (CRITICAL) Affected versions: < 4.36.0 Patched version: 4.36.0	wheel/pyproject.toml
Critical CVE	pypi/paddlepaddle@2.6.0	CVE: GHSA-mrmm-qmrj-xgp6 PaddlePaddle vulnerable to remote code execution (CRITICAL) Affected versions: <= 2.6.0 Patched version: No patched versions	wheel/pyproject.toml
Critical CVE	pypi/paddlepaddle@2.6.0	CVE: GHSA-qqv2-35q8-p2g2 PaddlePaddle command injection in paddle.utils.download._wget_download (CRITICAL) Affected versions: <= 2.6.0 Patched version: No patched versions	wheel/pyproject.toml
Critical CVE	pypi/paddlepaddle@2.6.0	CVE: GHSA-fh54-3vhg-mpc2 PaddlePaddle command injection vulnerability (CRITICAL) Affected versions: <= 2.6.0 Patched version: No patched versions	wheel/pyproject.toml
AI warning	pypi/uwsgi@2.0.24	Notes: The code contains functions that handle file descriptors, execute commands, resolve domains, and dynamically link symbols, which can potentially lead to security risks if not properly secured. It is crucial to ensure proper input validation and security measures are in place to prevent misuse. Confidence: 0.80 Severity: 0.60	orphan: pypi/uwsgi@2.0.24
AI warning	pypi/molecule@24.2.0	Notes: The script poses a security risk due to the potential manipulation of the version value and sed substitution. The dynamic script execution and substitution process could be abused for malicious purposes. Caution is advised when using this script. Confidence: 0.80 Severity: 0.60	orphan: pypi/molecule@24.2.0
AI warning	pypi/jaraco-windows@5.8.0	Notes: While the intent seems to be extracting environment variables, the method of constructing and executing a command could pose a security risk if the 'env_cmd' parameter can be influenced by an untrusted source. There's a potential risk for command injection. The code itself does not directly exhibit malicious behavior but could be exploited if proper precautions are not taken. Confidence: 0.80 Severity: 0.60	orphan: pypi/jaraco-windows@5.8.0
AI warning	pypi/comet-git-pure@0.19.16	Notes: The code lacks proper input validation and error handling, which poses a security risk. It utilizes subprocess calls and file operations that could be exploited for malicious behavior. Further review and improvements are needed to ensure the code's security. Confidence: 0.80 Severity: 0.60	wheel/pyproject.toml
AI detected security risk	pypi/ryd@0.9.2	Notes: The code poses a significant security risk due to its ability to compile and execute potentially untrusted Nim code based on user inputs without sufficient input sanitization. This can lead to arbitrary code execution, making it a vector for security vulnerabilities such as command injection. Confidence: 0.85 Severity: 0.75	orphan: pypi/ryd@0.9.2
AI detected security risk	pypi/pycouchdb@1.14.2	Notes: The code does not appear to contain intentional malicious behavior like malware. However, it has a significant security risk due to the default disabling of SSL verification and the potential insecure handling of credentials. These issues could lead to sensitive information being exposed if used in an insecure manner. Confidence: 0.85 Severity: 0.75	wheel/pyproject.toml
AI warning	pypi/nni@3.0	Notes: The code contains potential security risks related to timing attacks, messaging vulnerabilities, and event-based threats. Careful examination and testing are required to ensure proper handling and mitigation of these risks. Confidence: 0.80 Severity: 0.60	wheel/pyproject.toml
AI warning	pypi/nni@3.0	Notes: The code dynamically schedules tasks based on time intervals, which could potentially be manipulated to cause unexpected behavior. There are potential sources and sinks for data flow that should be carefully reviewed. Confidence: 0.80 Severity: 0.60	wheel/pyproject.toml
AI detected security risk	pypi/twisted@24.3.0	Notes: While the code aims to provide useful persistence functionality within the Twisted framework, it incorporates unsafe practices such as using pickle for serialization and eval for executing code, which can lead to arbitrary code execution vulnerabilities. The attempt to incorporate security features like passphrases is incomplete and not effective. Developers should exercise caution and consider safer alternatives for serialization and code execution, especially when dealing with untrusted input or data. Confidence: 0.85 Severity: 0.75	wheel/pyproject.toml

View full report↗︎

Next steps

What are AI detected security risks?

AI has determined that this package may contain potential security issues or vulnerabilities.

An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

What is an AI detected anomaly?

AI has identified unusual behaviors that may pose a security risk.

An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore pypi/termcolor@2.3.0
• @SocketSecurity ignore pypi/js2py@0.74
• @SocketSecurity ignore pypi/pycrypto@2.6.1
• @SocketSecurity ignore pypi/pyro4@4.82
• @SocketSecurity ignore pypi/transformers@4.25.0
• @SocketSecurity ignore pypi/paddlepaddle@2.6.0
• @SocketSecurity ignore pypi/uwsgi@2.0.24
• @SocketSecurity ignore pypi/molecule@24.2.0
• @SocketSecurity ignore pypi/jaraco-windows@5.8.0
• @SocketSecurity ignore pypi/comet-git-pure@0.19.16
• @SocketSecurity ignore pypi/ryd@0.9.2
• @SocketSecurity ignore pypi/pycouchdb@1.14.2
• @SocketSecurity ignore pypi/nni@3.0
• @SocketSecurity ignore pypi/twisted@24.3.0

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
pypi/maturin@1.5.0	environment, filesystem, shell Transitive: eval, network, unsafe	+15378	341 GB	konstin, messense

🚮 Removed packages: pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5, pypi/maturin@0.11.5

View full report↗︎