pyyaml version 3.13 listed as High severity risk by Github audit. #819
Comments
|
Looks like a version bump of all the scipy packages is in order. Happy to take a PR with version increases or I'll try to get to it on a weekend. |
still gets pulled in after updating packages in #822. Looking at conda-forge, the pyyaml feedstock is still at 3.13 as is the latest release on PyPI. The PyYAML home page also says the latest version is 3.13. @kbroughton can you confirm what you saw in the GitHub alert and the output from installing azure-cli-core? |
parente
added
status:Need Info
|
Found out what's going on here: yaml/pyyaml#193 (comment) |
|
And here's the PR that will merge into 5.1 release with the fix: yaml/pyyaml#257 Until then, 3.13 is the supported release version. |
parente
added
tag:Upstream
|
thanks for digging! |
|
Looking at https://github.com/jupyter/docker-stacks/wiki/scipy-notebook-59b402ce701d today, I see that the image contains pyyaml 5.1. Other images I spot check downstream of scipy-notebook also seem to have pyyaml 5.1. I'm going to close this out as fixed upstream. |
Hi! Thanks for using the Jupyter Docker Stacks.
If you are looking to contribute to the images, please see the [Contributor's Guide] (http://jupyter-docker-stacks.readthedocs.io/en/latest/#) in the documentation for our preferred processes.
If you are reporting an issue with one of the existing images, please answer the questions below to help us troubleshoot the problem. Please be as thorough as possible.
What docker image you are using?
jupyter/scipy-notebook
What complete docker command do you run to launch the container (omitting sensitive values)?
docker build -t jupyter/scipy-notebook .
What steps do you take once the container is running to reproduce the issue?
The following step in the build has output which lists pyyaml 3.13 as a package to be installed.
step 7/13 : RUN conda install --quiet --yes 'conda-forge::blas==openblas' 'ipywidgets=7.4' 'pandas=0.23*' 'numexpr=2.6*' 'matplotlib=2.2*' 'scipy=1.1*' 'seaborn=0.9*' 'scikit-learn=0.20*' 'scikit-image=0.14*' 'sympy=1.1*' 'cython=0.28*' 'patsy=0.5*' 'statsmodels=0.9*' 'cloudpickle=0.5*' 'dill=0.2*' 'dask=1.1.' 'numba=0.38' 'bokeh=0.13*' 'sqlalchemy=1.2*' 'hdf5=1.10*' 'h5py=2.7*' 'vincent=0.4.' 'beautifulsoup4=4.6.' 'protobuf=3.*' 'xlrd' && conda remove --quiet --yes --force qt pyqt && conda clean -tipsy
Two issues here.
can't be upgraded due to a distutils error.
What do you expect to happen?
Expect pyyaml to run a newer version without the High Severity vuln.
What actually happens?
Builds with pyyaml 3.13
...
The text was updated successfully, but these errors were encountered: