Pandas version checks
I have checked that this issue has not already been reported.
I have confirmed this bug exists on the latest version of pandas.
I have confirmed this bug exists on the main branch of pandas.
Reproducible Example
Just install pandas
Issue Description
The numpy dependency for Python versions < 3.11 has a reported vulnerability (CVE-2021-34141); the affected version in my environment is numpy-1.21.6.
From what I can see in the project.toml file, the dependency for Python < 3.11 is the following:
"numpy>=1.21.6; python_version<'3.11'"
And security tools detect it and report a vulnerability in pandas.
From what I can see, just updating to the first non-vulnerable version (1.22.0) should probably be enough to remove the vulnerability report. But I don't know if this is possible.
Expected Behavior
No vulnerability should be reported by the security scanning tool (mend).
Installed Versions
2.0.2
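The pin quoted above is a specifier plus an environment marker, and a scanner flags it because the lower bound still admits releases older than the advisory's first fixed version. The following is an added example (not pandas' or numpy's own code) that models that check with the standard library only: it parses the pin, evaluates the python_version marker for a given interpreter, reports whether the floor is below a given first-fixed version (1.22.0 here, as the reporter states), and rewrites the floor. The marker grammar it accepts is limited to the python_version comparison form used in the pin; that restriction is an assumption of the example.

```python
# Added example (not pandas' or numpy's code): model what a dependency scanner
# does with the pin "numpy>=1.21.6; python_version<'3.11'" quoted in the issue.
# Assumption: markers are of the form python_version <op> '<literal>' only.
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]
Marker = Tuple[str, str]  # (operator, python_version literal)


def parse_version(text: str) -> Version:
    """'3.11' -> (3, 11). Tuples compare numerically, so (3, 9) < (3, 11);
    comparing the raw strings would claim '3.9' > '3.11', which is wrong."""
    return tuple(int(part) for part in text.strip().split("."))


_SPEC_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*(>=|<=|==|~=|>|<)\s*([0-9][0-9.]*)\s*")
_MARKER_RE = re.compile(r"\s*python_version\s*(>=|<=|==|>|<)\s*['\"]([0-9.]+)['\"]\s*")


def parse_requirement(req: str) -> Tuple[str, str, Version, Optional[Marker]]:
    """Split "name>=1.2; python_version<'3.11'" into name, operator, version, marker."""
    spec, _, marker = req.partition(";")
    m = _SPEC_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"unsupported specifier: {spec!r}")
    name, op, version = m.groups()
    parsed_marker: Optional[Marker] = None
    if marker.strip():
        mm = _MARKER_RE.fullmatch(marker)
        if mm is None:
            raise ValueError(f"unsupported marker: {marker!r}")
        parsed_marker = (mm.group(1), mm.group(2))
    return name, op, parse_version(version), parsed_marker


_COMPARE = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def marker_applies(marker: Optional[Marker], python_version: str) -> bool:
    """Does the requirement apply on this interpreter? No marker means always."""
    if marker is None:
        return True
    op, literal = marker
    return _COMPARE[op](parse_version(python_version), parse_version(literal))


def floor_is_vulnerable(req: str, python_version: str, first_fixed: str) -> bool:
    """True when the pin is active on this Python and its lower bound still
    admits a release older than first_fixed, which is what a scanner flags."""
    _, op, version, marker = parse_requirement(req)
    if not marker_applies(marker, python_version):
        return False  # pin is inactive on this interpreter, nothing to flag
    # '>=', '>', '==' and '~=' give a lower bound; '<' / '<=' alone allow anything older
    lower = version if op in (">=", ">", "==", "~=") else (0,)
    return lower < parse_version(first_fixed)


def bump_floor(req: str, first_fixed: str) -> str:
    """Rewrite a '>=' / '>' lower bound to first_fixed, keeping the marker as-is.
    Pins that already sit at or above first_fixed are returned unchanged."""
    name, op, version, marker = parse_requirement(req)
    if op not in (">=", ">") or version >= parse_version(first_fixed):
        return req.strip()
    bumped = f"{name}>={first_fixed}"
    if marker is not None:
        marker_op, literal = marker
        bumped += f"; python_version{marker_op}'{literal}'"
    return bumped


if __name__ == "__main__":
    PIN = "numpy>=1.21.6; python_version<'3.11'"  # quoted from the issue
    for py in ("3.9", "3.10", "3.11"):
        print(f"Python {py}: flagged={floor_is_vulnerable(PIN, py, '1.22.0')}")
    print("bumped pin:", bump_floor(PIN, "1.22.0"))
```

Run as a script it reports the pin as flagged on 3.9 and 3.10 and inactive on 3.11, and prints the bumped pin "numpy>=1.22.0; python_version<'3.11'". Whether a project should bump on this basis is a separate judgement (the maintainer's reply below weighs exploitability against version support); the check only shows what a scanner sees in the floor.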
@mroeschke Sorry, my description was not clear. What I was trying to say was that the current configuration in the project.toml is causing the vulnerability to be found because of that dependency; this means that until the project.toml file is fixed, this vulnerability will still be present.
A patch is now available for 1.22, and the vulnerability is now classified as Moderate.
@mroeschke can you read my comment above, because I think the purpose of my issue was misinterpreted: I was not asking for advice, I was reporting an issue with the version of numpy used!
If I don't get any reply, I will open a new issue in a few days with hopefully an improved description, since once an issue has been closed it probably tends to get ignored.
From numpy/numpy#18993, it appears that the vulnerability isn't practically exploitable, so I don't think pandas needs to bump numpy due to a security scan. These minimum versions get bumped periodically, but pandas also tries to have wider version support for its required dependencies.