
Vulnerable dependency numpy for python < 3.11 #54036

Closed
3 tasks done
inuyasha82 opened this issue Jul 7, 2023 · 5 comments
Labels
Bug Needs Triage Issue that has not been reviewed by a pandas team member

Comments


inuyasha82 commented Jul 7, 2023

Pandas version checks

  • I have checked that this issue has not already been reported.

  • I have confirmed this bug exists on the latest version of pandas.

  • I have confirmed this bug exists on the main branch of pandas.

Reproducible Example

Just install pandas

Issue Description

The numpy dependency for Python versions < 3.11 has a reported vulnerability (CVE-2021-34141); the affected version in my environment is numpy-1.21.6.

From what I can see in the project.toml file, the dependency for Python < 3.11 is the following:

  "numpy>=1.21.6; python_version<'3.11'"

And security tools detect it and report a vulnerability in pandas.

From what I can see, probably just updating to the first non-vulnerable version (1.22.0) should be enough to remove the vulnerability report. But I don't know if this is possible.

Expected Behavior

No vulnerability should be reported by security scanning tool (mend).

Installed Versions

2.0.2
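Added example (not code from the pandas project or from the reporter): a stdlib-only Python check that parses the dependency specifier quoted above, evaluates its python_version marker, and compares the lowest version the floor admits against the first fixed version the reporter names (1.22.0). It also returns the version a resolver would actually pick from a candidate index, which is what separates a floor-based scanner finding from what gets installed. The candidate index and all function names are constructed for the example.

```python
"""Check a dependency floor against a known-vulnerable version range.

Added example, not pandas project code. Taken from the issue text: the floor
"numpy>=1.21.6; python_version<'3.11'" and the first fixed version 1.22.0 as the
reporter states it. The candidate index and the function names are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Values quoted in the issue.
PANDAS_FLOOR = "numpy>=1.21.6; python_version<'3.11'"
FIRST_FIXED_VERSION = "1.22.0"

# Constructed stand-in for a package index; not real release data.
CANDIDATE_INDEX = ["1.21.5", "1.21.6", "1.22.0", "1.24.4"]

# name, one comparison operator, dotted version, optional ';' marker.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*"
    r"(?P<op>==|>=|<=|!=|>|<)\s*(?P<ver>\d+(?:\.\d+)*)\s*"
    r"(?:;\s*(?P<marker>.+?))?\s*$"
)
# Only the python_version marker form used in the issue is supported.
_MARKER_RE = re.compile(
    r"^python_version\s*(?P<op>==|>=|<=|!=|>|<)\s*['\"](?P<ver>\d+(?:\.\d+)*)['\"]$"
)


def parse_version(text: str) -> Version:
    """Turn '1.21.6' into (1, 21, 6). Only dotted release segments are handled."""
    return tuple(int(part) for part in text.split("."))


def compare(op: str, left: Version, right: Version) -> bool:
    """Evaluate `left <op> right`, zero-padding so that 1.22 equals 1.22.0."""
    width = max(len(left), len(right))
    l = left + (0,) * (width - len(left))
    r = right + (0,) * (width - len(right))
    return {"==": l == r, "!=": l != r, ">=": l >= r,
            "<=": l <= r, ">": l > r, "<": l < r}[op]


def parse_requirement(spec: str) -> Dict[str, Optional[str]]:
    """Split a requirement string into name, op, ver and marker (marker may be None)."""
    m = _REQ_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported requirement: {spec!r}")
    return m.groupdict()


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """True when the requirement is active for the given interpreter 'major.minor'."""
    if marker is None:
        return True
    m = _MARKER_RE.match(marker.strip())
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    return compare(m.group("op"), parse_version(python_version), parse_version(m.group("ver")))


def admitted_versions(spec: str, python_version: str, index: List[str]) -> List[str]:
    """Versions from `index` that satisfy `spec` under `python_version`, lowest first.
    Empty when the marker rules the dependency out for that interpreter."""
    req = parse_requirement(spec)
    if not marker_applies(req["marker"], python_version):
        return []
    bound = parse_version(req["ver"])
    hits = [v for v in index if compare(req["op"], parse_version(v), bound)]
    return sorted(hits, key=parse_version)


def is_vulnerable(version: str, first_fixed: str = FIRST_FIXED_VERSION) -> bool:
    """A version is in the affected range when it is below the first fixed release."""
    return compare("<", parse_version(version), parse_version(first_fixed))


def scan_floor(spec: str, python_version: str, index: List[str],
               first_fixed: str = FIRST_FIXED_VERSION) -> Optional[Dict[str, object]]:
    """Mimic a floor-based scanner: report the lowest admitted version and whether it
    is affected, next to the newest admitted version a resolver would actually pick."""
    admitted = admitted_versions(spec, python_version, index)
    if not admitted:
        return None
    return {"floor": admitted[0], "resolved": admitted[-1],
            "flagged": is_vulnerable(admitted[0], first_fixed)}


if __name__ == "__main__":
    raised = "numpy>=1.22.0; python_version<'3.11'"   # the floor the reporter proposes
    for spec in (PANDAS_FLOOR, raised):
        for py in ("3.10", "3.11"):
            print(f"{spec!r} on Python {py}: {scan_floor(spec, py, CANDIDATE_INDEX)}")
```

Run as a script it prints that the current floor is flagged on Python 3.10 (lowest admitted 1.21.6) while the resolver's pick from the same index is 1.24.4, that raising the floor to 1.22.0 clears the flag without changing that pick, and that on Python 3.11 the marker makes the specifier inactive.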

@inuyasha82 inuyasha82 added Bug Needs Triage Issue that has not been reviewed by a pandas team member labels Jul 7, 2023
@mroeschke
Member

From what I can see, probably just updating to the first non-vulnerable version (1.22.0) should be enough to remove the vulnerability report. But I don't know if this is possible.

Yes, updating numpy is compatible with pandas as described in numpy/numpy#18993 (comment)

@inuyasha82
Author

@mroeschke Sorry, my description was not clear. What I was trying to say was that the current configuration in the project.toml is causing the vulnerability to be found because of that dependency; this means that until the project.toml file is fixed, this vulnerability will still be present.

A patch is now available for 1.22, and the vulnerability is now classified as Moderate.

@inuyasha82
Author

@mroeschke, can you read my comment above? I think the purpose of my issue was misinterpreted: I was not asking for advice, but I was reporting an issue with the version of numpy used!

If I don't get any reply, I will open a new issue in a few days with hopefully an improved description, since once an issue has been closed it probably tends to get ignored.

@mroeschke
Member

From numpy/numpy#18993, it appears that the vulnerability isn't practically exploitable, so I don't think pandas needs to bump numpy due to a security scan. These minimum versions get bumped periodically, but pandas also tries to have wider version support for its required dependencies.

@inuyasha82
Author

Thanks for the answer.
