rebuld pin shap and test

Jyothirmaikottu · Jyothirmaikottu · commit ba3f12d00c95 · 2026-02-12T14:20:24.000-08:00
diff --git a/data/common-ecr-scan-allowlist.json b/data/common-ecr-scan-allowlist.json
@@ -269,5 +269,36 @@
             "title": "CVE-2025-32434 - torch",
             "reason_to_ignore": "this container is specifically pytorch 2.5.x so we can’t upgrade to 2.6"
         }
+    ],
+    "tar": [
+        {
+            "description": "node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic.",
+            "vulnerability_id": "CVE-2026-24842",
+            "name": "CVE-2026-24842",
+            "package_name": "tar",
+            "package_details": {
+                "file_path": "/usr/local/lib/python3.12/site-packages/jupyterlab/staging/yarn.lock",
+                "name": "tar",
+                "package_manager": "NODE",
+                "version": "6.1.11",
+                "release": null
+            },
+            "remediation": {
+                "recommendation": {
+                    "text": "None Provided"
+                }
+            },
+            "cvss_v3_score": 8.2,
+            "cvss_v30_score": 0.0,
+            "cvss_v31_score": 8.2,
+            "cvss_v2_score": 0.0,
+            "cvss_v3_severity": "HIGH",
+            "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842",
+            "source": "NVD",
+            "severity": "HIGH",
+            "status": "ACTIVE",
+            "title": "CVE-2026-24842 - tar",
+            "reason_to_ignore": "Transitive dependency in jupyterlab staging yarn.lock - not directly exploitable in training container context"
+        }
     ]
 }
diff --git a/dlc_developer_config.toml b/dlc_developer_config.toml
@@ -46,7 +46,7 @@ build_inference = false
 
 # Set do_build to "false" to skip builds and test the latest image built by this PR
 # Note: at least one build is required to set do_build to "false"
-do_build = false
+do_build = true
 
 [notify]
 ### Notify on test failures
diff --git a/tensorflow/training/docker/2.19/py3/Dockerfile.cpu b/tensorflow/training/docker/2.19/py3/Dockerfile.cpu
@@ -281,7 +281,7 @@ RUN uv pip install --system --no-cache-dir \
     "opencv-python==4.12.0.88" \
     plotly \
     seaborn \
-    shap \
+    "shap<0.50" \
  && rm -rf /root/.cache/uv
 
 RUN uv pip install --system --no-cache-dir \
diff --git a/tensorflow/training/docker/2.19/py3/cu125/Dockerfile.gpu b/tensorflow/training/docker/2.19/py3/cu125/Dockerfile.gpu
@@ -356,7 +356,7 @@ RUN uv pip install --system --no-cache-dir \
     "opencv-python==4.11.0.86" \
     plotly \
     seaborn \
-    shap \
+    "shap<0.50" \
  && rm -rf /root/.cache/uv
 
 RUN uv pip install --system --no-cache-dir \
