
Commit 18cc72e

Fix security vulnerabilities in Python dependencies
Address all 34 reported vulnerabilities by pinning to patched versions: - wheel: 0.38.1+ (PYSEC-2022-43017/GHSA-qwmp-2cf2-g9g6) - jupyterlab: 4.4.8+ (GHSA-44cc-43rp-5947, GHSA-9q39-rmj3-p4r2, GHSA-vvfj-2jqx-52jm) - notebook: 7.2.2+ (GHSA-hwvq-6gjx-j797, GHSA-rv62-4pmj-xw6h, plus jupyterlab CVEs) - selenium: 4.14.0+ (PYSEC-2023-206) - lxml: 4.9.1+ (GHSA-55x5-fj6c-h6m8, GHSA-pgww-xf46-h92r, PYSEC-2018-*, PYSEC-2020-*, PYSEC-2021-*) - numpy: 1.22.0+ (GHSA-fpfv-jqm9-f5jm, PYSEC-2017-1, PYSEC-2019-*, PYSEC-2021-*, PYSEC-2022-*) This has been found using the OpenSSF scorecard app with the following command: ``` podman run -e GITHUB_AUTH_TOKEN=SECRE gcr.io/openssf/scorecard:stable --repo=github.com/darshan-hpc/darshan --checks=vulnerabilities --show-details ``` Here was its output: ``` Warn: Project is vulnerable to: PYSEC-2018-18 / GHSA-3p4q-x8f3-p7vq Warn: Project is vulnerable to: PYSEC-2021-130 / GHSA-4952-p58q-6crx Warn: Project is vulnerable to: PYSEC-2018-17 / GHSA-49qr-xh3w-h436 Warn: Project is vulnerable to: PYSEC-2018-57 / GHSA-6cwv-x26c-w2q4 Warn: Project is vulnerable to: PYSEC-2020-215 / GHSA-c7vm-f5p4-8fqh Warn: Project is vulnerable to: PYSEC-2019-159 / GHSA-hhx8-cr55-qcxx Warn: Project is vulnerable to: GHSA-hwvq-6gjx-j797 Warn: Project is vulnerable to: PYSEC-2019-157 / GHSA-jqwc-jm56-wcwj Warn: Project is vulnerable to: PYSEC-2022-180 / GHSA-m87f-39q9-6f55 Warn: Project is vulnerable to: PYSEC-2019-158 / GHSA-rcx2-m7jp-p9wj Warn: Project is vulnerable to: GHSA-rv62-4pmj-xw6h Warn: Project is vulnerable to: PYSEC-2022-212 / GHSA-v7vq-3x77-87vg Warn: Project is vulnerable to: PYSEC-2022-43167 Warn: Project is vulnerable to: PYSEC-2023-206 Warn: Project is vulnerable to: PYSEC-2018-34 / GHSA-2fc2-6r4j-p65h Warn: Project is vulnerable to: PYSEC-2021-856 / GHSA-5545-2q6w-2gh6 Warn: Project is vulnerable to: PYSEC-2019-108 / GHSA-9fq2-x9r6-wfmf Warn: Project is vulnerable to: PYSEC-2018-33 / GHSA-cw6w-4rcx-xphc Warn: Project is vulnerable to: PYSEC-2021-857 / 
GHSA-f7c7-j99h-c22f Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm Warn: Project is vulnerable to: PYSEC-2017-1 / GHSA-frgw-fgh6-9g52 Warn: Project is vulnerable to: PYSEC-2020-73 Warn: Project is vulnerable to: GHSA-44cc-43rp-5947 Warn: Project is vulnerable to: GHSA-9q39-rmj3-p4r2 Warn: Project is vulnerable to: GHSA-vvfj-2jqx-52jm Warn: Project is vulnerable to: GHSA-55x5-fj6c-h6m8 Warn: Project is vulnerable to: PYSEC-2014-9 / GHSA-57qw-cc2g-pv5p Warn: Project is vulnerable to: PYSEC-2021-19 / GHSA-jq4v-f5q6-mjqq Warn: Project is vulnerable to: GHSA-pgww-xf46-h92r Warn: Project is vulnerable to: PYSEC-2022-230 / GHSA-wrxv-2j5q-m38w Warn: Project is vulnerable to: PYSEC-2018-12 / GHSA-xp26-p53h-6h2p Warn: Project is vulnerable to: PYSEC-2010-1 / GHSA-7q8x-38mc-p84f Warn: Project is vulnerable to: PYSEC-2022-260 / GHSA-v973-fxgf-6xhp Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6 ``` Running against my fork main branch (it can only read the main branch of a repo) ``` 0 existing vulnerabilities ```
1 parent 3225930 commit 18cc72e


6 files changed

+52
-53
lines changed

Lines changed: 5 additions & 5 deletions
@@ -1,12 +1,12 @@
1-
jupyter
2-
notebook
1+
jupyter>=1.0.0
2+
notebook>=7.2.2
33

44

55
# altair (has svg well exposed)
6-
altair
6+
altair>=5.0.0
77

88

99
# for bokeh + svg export
1010
# but bokeh is almost as verbose to use as matplotlib
11-
bokeh
12-
selenium
11+
bokeh>=3.0.0
12+
selenium>=4.14.0
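Review bot: `notebook>=7.2.2` on new line 2 is the only Jupyter floor in this file, yet the commit message places the three jupyterlab advisories (GHSA-44cc-43rp-5947, GHSA-9q39-rmj3-p4r2, GHSA-vvfj-2jqx-52jm) at jupyterlab 4.4.8, and nothing here constrains jupyterlab itself. Whether notebook 7.2.2 transitively requires a fixed jupyterlab cannot be seen from this page; adding `jupyterlab>=4.4.8` alongside `notebook>=7.2.2`, matching the floor the same commit sets in the dev requirements, makes the intent explicit rather than dependent on notebook's own dependency spec. All of these are lower bounds, so a later vulnerable release of any listed package is still installable; if this file provisions an environment rather than describing package metadata, exact pins plus a lock file are what keep the scanner's verdict meaningful over time. The path of this file is not shown on the page.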

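--- a/darshan-util/pydarshan/pyproject.toml
+++ b/darshan-util/pydarshan/pyproject.toml
@@ -8,26 +8,25 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "darshan"
 dynamic = ["version"]
-requires-python = ">=3.7"
+requires-python = ">=3.8"
 description = "Python tools to interact with Darshan log records of HPC applications."
 readme = 'README.rst'
 dependencies = [
-"cffi",
-"numpy",
-"pandas",
-"matplotlib",
-"seaborn",
-"mako",
-"humanize",
-"rich"
+"cffi>=1.15.0",
+"numpy>=1.22.0",
+"pandas>=2.0.0",
+"matplotlib>=3.5.0",
+"seaborn>=0.12.0",
+"mako>=1.2.4",
+"humanize>=4.0.0",
+"rich>=13.0.0"
 ]
 classifiers = [
 "Development Status :: 4 - Beta",
 "Intended Audience :: Developers",
 "Intended Audience :: Science/Research",
 "Natural Language :: English",
 "Programming Language :: Python :: 3",
-"Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
 "Programming Language :: Python :: 3.9",
 "Programming Language :: Python :: 3.10",
@@ -41,15 +40,15 @@ repository = 'https://github.com/darshan-hpc/darshan'
 
 [project.optional-dependencies]
 test = [
-"packaging",
-"pytest",
-"lxml",
-"importlib_resources;python_version<'3.9'",
+"packaging>=21.0",
+"pytest>=7.0.0",
+"lxml>=4.9.1",
+"importlib_resources>=5.0.0;python_version<'3.9'",
 ]
 dev = [
-"sphinx",
-"sphinx_rtd_theme",
-"pipx"
+"sphinx>=7.0.0",
+"sphinx_rtd_theme>=2.0.0",
+"pipx>=1.0.0"
 ]
 
 [tool.setuptools.packages.find]
@@ -76,12 +75,12 @@ skip = [
 "*_s390x"
 ]
 test-requires = [
-"packaging",
-"pytest",
-"lxml",
-"matplotlib",
-"importlib_resources;python_version<'3.9'",
-"humanize"
+"packaging>=21.0",
+"pytest>=7.0.0",
+"lxml>=4.9.1",
+"matplotlib>=3.5.0",
+"importlib_resources>=5.0.0;python_version<'3.9'",
+"humanize>=4.0.0"
 ]
 before-test = "pip install -U git+https://github.com/darshan-hpc/darshan-logs.git@main"
 test-command = "pytest {package}"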
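Review bot: Of the new floors in `dependencies` (new lines 15–22) only `numpy>=1.22.0` is tied to an advisory in the commit message; `pandas>=2.0.0`, `rich>=13.0.0`, `cffi>=1.15.0`, `mako>=1.2.4`, `seaborn>=0.12.0` and `humanize>=4.0.0` exclude releases from every downstream installer with no stated reason, and together with `requires-python = ">=3.8"` that is a compatibility change worth a comment above the list, e.g. `# numpy < 1.22 has unfixed advisories (see commit 18cc72e); remaining floors are the oldest versions CI exercises`. Lower bounds in package metadata cannot exclude a future vulnerable release, so the "0 existing vulnerabilities" result describes today's resolution only and will need re-scanning, not re-pinning. The unchanged `before-test` line still installs `darshan-logs` from the mutable `@main` git ref, which is the one unpinned, unauditable input left in the wheel test pipeline after this commit; pinning it to a commit SHA (`...darshan-logs.git@<sha>`) would be the natural follow-up.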
Lines changed: 4 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
cffi
2-
numpy
3-
pandas
4-
matplotlib
1+
cffi>=1.15.0
2+
numpy>=1.22.0
3+
pandas>=2.0.0
4+
matplotlib>=3.5.0
Lines changed: 15 additions & 15 deletions
@@ -1,19 +1,19 @@
1-
wheel
2-
watchdog
3-
twine
1+
wheel>=0.38.1
2+
watchdog>=3.0.0
3+
twine>=4.0.0
44

5-
cffi
6-
numpy
7-
pandas
8-
matplotlib
9-
seaborn
10-
mako
11-
jupyterlab
5+
cffi>=1.15.0
6+
numpy>=1.22.0
7+
pandas>=2.0.0
8+
matplotlib>=3.5.0
9+
seaborn>=0.12.0
10+
mako>=1.2.4
11+
jupyterlab>=4.4.8
1212

13-
pytest
14-
pytest-runner
13+
pytest>=7.0.0
14+
pytest-runner>=6.0.0
1515
# lxml needed implicitly for pandas read_html calls in some tests
16-
lxml
16+
lxml>=4.9.1
1717

18-
sphinx
19-
sphinx_rtd_theme
18+
sphinx>=7.0.0
19+
sphinx_rtd_theme>=2.0.0
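Review bot: `wheel>=0.38.1`, `twine>=4.0.0` and `jupyterlab>=4.4.8` (new lines 1, 3 and 11) are lower bounds in what reads as a developer/CI requirements list, so every install still resolves to whatever is newest on the index and a future advisory against that release is excluded by nothing here. Because this file is not consumed as package metadata, exact pins (`jupyterlab==4.4.8`) produced by `pip-compile` or `pip freeze`, ideally with hashes so `pip install --require-hashes -r` can be used, would make the scanner's verdict describe the environment that actually runs, and would give the publishing tool `twine` a fixed, auditable version. The path of this file is not shown on the page, so this assumes it is the pydarshan dev requirements list referenced by the commit message.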

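--- a/darshan-util/pydarshan/setup.py
+++ b/darshan-util/pydarshan/setup.py
@@ -5,8 +5,8 @@
 import sys
 import os
 
-if sys.version_info[:2] < (3, 7):
-raise RuntimeError("Python version >= 3.7 required.")
+if sys.version_info[:2] < (3, 8):
+raise RuntimeError("Python version >= 3.8 required.")
 
 
 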

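--- a/readthedocs/requirements.txt
+++ b/readthedocs/requirements.txt
@@ -1,6 +1,6 @@
 sphinx==8.1.3
 sphinx-rtd-theme==3.0.2
-cffi
-numpy
-pandas
-matplotlib
+cffi>=1.15.0
+numpy>=1.22.0
+pandas>=2.0.0
+matplotlib>=3.5.0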
