Fix jupyter_core and protobuf vulnerabilities

Signed-off-by: Bruno Alvisio <balvisio@nvidia.com>

Author: balvisio

Dockerfile

@@ -201,6 +201,8 @@ uv pip install nvidia-resiliency-ext/
 rm -rf nvidia-resiliency-ext/
 # ngcsdk causes strange dependency conflicts (ngcsdk requires protobuf<4, but nemo_toolkit requires protobuf==4.24.4, deleting it from the uv pip install prevents installation conflicts)
 sed -i "/ngcsdk/d" ./sub-packages/bionemo-core/pyproject.toml
+# Override protobuf version to 4.25.9 to avoid version conflict and fix CVE
+sed -i 's/^protobuf==4\.24\.4$/protobuf==5.29.5/' 3rdparty/NeMo/requirements/requirements.txt
 # Remove llama-index because bionemo doesn't use it and it adds CVEs to container
 sed -i "/llama-index/d" ./3rdparty/NeMo/requirements/requirements_nlp.txt
 # Pin 'nvidia-modelopt' to 0.27.1 due to an API incompatibility of version 0.25.0

requirements-cve.txt

@@ -2,10 +2,12 @@ onnx>=1.16.0
 setuptools>=78.1.1 # Addresses CVE https://github.com/advisories/GHSA-5rjg-fvgr-3xxf
 aiohttp>=3.9.4
 jupyterlab>=3.6.8
+jupyter_core>=5.8.1
 jupyter_server>=2.14.1  # https://github.com/advisories/GHSA-hrw6-wg82-cm62
 Werkzeug>=3.0.3
 nltk>=3.9.1
 pillow>=10.3.0
+protobuf>=5.29.5
 tornado>=6.5.0 # Addresses CVE https://github.com/advisories/GHSA-7cx3-6m66-7c5m
 wandb>=0.19.1 # Addresses CVE GHSA-v778-237x-gjrc
 pyfastx==1.1.0