V1 Python microservice Werkzeug package upgrade #5566

maxqlord · 2024-05-04T16:51:00Z

Seldon currently pins its Werkzeug version to < 2.3, but Werkzeug needs v2.3.8 or v3.0.1+ to avoid an insufficient algorithmic complexity vulnerability: SNYK-PYTHON-WERKZEUG-6035177. Consumers of the Python microservice are unable to use a safe version of Werkzeug because of this version pin.

Describe the bug

This line restricts a consumer from using Werkzeug 2.3.8

seldon-core/python/setup.py

Line 39 in c9ee03b

"werkzeug >= 2.1.1, < 2.3",

To reproduce

Attempt to install werkzeug v2.3.8 with seldon-core v1.18.1

> cat requirements.txt
seldon-core==1.18.1
werkzeug==2.3.8
> pip install -r requirements.txt
...
ERROR: Cannot install -r requirements.txt (line 1) and werkzeug==2.3.8 because these package versions have conflicting dependencies.
The conflict is caused by:
    The user requested werkzeug==2.3.8
    seldon-core 1.18.1 depends on werkzeug<2.3 and >=2.1.1

Expected behaviour

A non-vulnerable version of Werkzeug can be used.

The text was updated successfully, but these errors were encountered:

maxqlord · 2024-05-10T01:13:53Z

Addressed by #5588

maxqlord added the bug label May 4, 2024

maxqlord linked a pull request May 10, 2024 that will close this issue

Address CVE SNYK-PYTHON-WERKZEUG-6035177 and SNYK-PYTHON-WERKZEUG-680… #5588

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

V1 Python microservice Werkzeug package upgrade #5566

V1 Python microservice Werkzeug package upgrade #5566

maxqlord commented May 4, 2024

maxqlord commented May 10, 2024

V1 Python microservice Werkzeug package upgrade #5566

V1 Python microservice Werkzeug package upgrade #5566

Comments

maxqlord commented May 4, 2024

Describe the bug

To reproduce

Expected behaviour

maxqlord commented May 10, 2024