@vicentebolea

Address all 34 reported vulnerabilities by pinning to patched versions:

- wheel: 0.38.1+ (PYSEC-2022-43017/GHSA-qwmp-2cf2-g9g6)
- jupyterlab: 4.4.8+ (GHSA-44cc-43rp-5947, GHSA-9q39-rmj3-p4r2, GHSA-vvfj-2jqx-52jm)
- notebook: 7.2.2+ (GHSA-hwvq-6gjx-j797, GHSA-rv62-4pmj-xw6h, plus jupyterlab CVEs)
- selenium: 4.14.0+ (PYSEC-2023-206)
- lxml: 4.9.1+ (GHSA-55x5-fj6c-h6m8, GHSA-pgww-xf46-h92r, PYSEC-2018-*, PYSEC-2020-*, PYSEC-2021-*)
- numpy: 1.22.0+ (GHSA-fpfv-jqm9-f5jm, PYSEC-2017-1, PYSEC-2019-*, PYSEC-2021-*, PYSEC-2022-*)

This has been found using the OpenSSF scorecard app with the following
command:

```
podman run -e GITHUB_AUTH_TOKEN=SECRE gcr.io/openssf/scorecard:stable --repo=github.com/darshan-hpc/darshan --checks=vulnerabilities --show-details
```

Here was its output:

```
Warn: Project is vulnerable to: PYSEC-2018-18 / GHSA-3p4q-x8f3-p7vq
Warn: Project is vulnerable to: PYSEC-2021-130 / GHSA-4952-p58q-6crx
Warn: Project is vulnerable to: PYSEC-2018-17 / GHSA-49qr-xh3w-h436
Warn: Project is vulnerable to: PYSEC-2018-57 / GHSA-6cwv-x26c-w2q4
Warn: Project is vulnerable to: PYSEC-2020-215 / GHSA-c7vm-f5p4-8fqh
Warn: Project is vulnerable to: PYSEC-2019-159 / GHSA-hhx8-cr55-qcxx
Warn: Project is vulnerable to: GHSA-hwvq-6gjx-j797
Warn: Project is vulnerable to: PYSEC-2019-157 / GHSA-jqwc-jm56-wcwj
Warn: Project is vulnerable to: PYSEC-2022-180 / GHSA-m87f-39q9-6f55
Warn: Project is vulnerable to: PYSEC-2019-158 / GHSA-rcx2-m7jp-p9wj
Warn: Project is vulnerable to: GHSA-rv62-4pmj-xw6h
Warn: Project is vulnerable to: PYSEC-2022-212 / GHSA-v7vq-3x77-87vg
Warn: Project is vulnerable to: PYSEC-2022-43167
Warn: Project is vulnerable to: PYSEC-2023-206
Warn: Project is vulnerable to: PYSEC-2018-34 / GHSA-2fc2-6r4j-p65h
Warn: Project is vulnerable to: PYSEC-2021-856 / GHSA-5545-2q6w-2gh6
Warn: Project is vulnerable to: PYSEC-2019-108 / GHSA-9fq2-x9r6-wfmf
Warn: Project is vulnerable to: PYSEC-2018-33 / GHSA-cw6w-4rcx-xphc
Warn: Project is vulnerable to: PYSEC-2021-857 / GHSA-f7c7-j99h-c22f
Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm
Warn: Project is vulnerable to: PYSEC-2017-1 / GHSA-frgw-fgh6-9g52
Warn: Project is vulnerable to: PYSEC-2020-73
Warn: Project is vulnerable to: GHSA-44cc-43rp-5947
Warn: Project is vulnerable to: GHSA-9q39-rmj3-p4r2
Warn: Project is vulnerable to: GHSA-vvfj-2jqx-52jm
Warn: Project is vulnerable to: GHSA-55x5-fj6c-h6m8
Warn: Project is vulnerable to: PYSEC-2014-9 / GHSA-57qw-cc2g-pv5p
Warn: Project is vulnerable to: PYSEC-2021-19 / GHSA-jq4v-f5q6-mjqq
Warn: Project is vulnerable to: GHSA-pgww-xf46-h92r
Warn: Project is vulnerable to: PYSEC-2022-230 / GHSA-wrxv-2j5q-m38w
Warn: Project is vulnerable to: PYSEC-2018-12 / GHSA-xp26-p53h-6h2p
Warn: Project is vulnerable to: PYSEC-2010-1 / GHSA-7q8x-38mc-p84f
Warn: Project is vulnerable to: PYSEC-2022-260 / GHSA-v973-fxgf-6xhp
Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6
```

Running against my fork main branch (it can only read the main branch of a repo)

```
0 existing vulnerabilities
```
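As an added example (not part of this pull request or the darshan project), a small Python check that reads requirements lines and flags any of the six packages above whose pin still admits a release below the patched floor; the sample requirements lines are constructed, and `REQUIREMENTS_BEFORE` is a hypothetical name.

```python
import re

# Patched floors are the ones listed in the pull request above.
PATCHED_FLOORS = {"wheel": "0.38.1", "jupyterlab": "4.4.8", "notebook": "7.2.2",
                  "selenium": "4.14.0", "lxml": "4.9.1", "numpy": "1.22.0"}
# name, optional [extras], version specifier, optional environment marker after ';'
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*?)\s*(?:;.*)?$")
_BOUND_RE = re.compile(r"(===|==|>=|~=|>)\s*([0-9][0-9A-Za-z.\-]*)")

def parse_version(text):
    """'4.9.1' -> (4, 9, 1); only the leading numeric release segments count ('1.22.0rc1' -> (1, 22, 0))."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def lower_bound(specifier):
    """Lowest version a specifier can resolve to, or None when no clause bounds it from below.
    '==X', '===X', '>=X', '~=X' bound at X; '>X' is treated as X (conservative); '<X' / '!=X' alone leave it open."""
    clauses = (c.strip() for c in specifier.split(","))
    bounds = [parse_version(m.group(2)) for m in map(_BOUND_RE.match, clauses) if m]
    return max(bounds) if bounds else None

def audit_requirements(lines, floors=PATCHED_FLOORS):
    """Map each audited package to a reason when its pin can still install a vulnerable release."""
    findings = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line or line.startswith("-"):            # skip -r / -e / --index-url options
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")     # normalise the distribution name
        if name not in floors:
            continue
        lb = lower_bound(m.group(2))
        if lb is None:
            findings[name] = "no lower bound, vulnerable releases still installable"
        elif lb < parse_version(floors[name]):
            findings[name] = "lower bound '%s' is below patched %s" % (m.group(2), floors[name])
    return findings

# Constructed sample requirements, not taken from the darshan repository.
REQUIREMENTS_BEFORE = ["numpy>=1.20.0", "lxml", "wheel==0.37.1", "jupyterlab>=4.4.8,<5",
                       'notebook>=7.2.2 ; python_version >= "3.8"', "selenium~=4.14.0",
                       "requests>=2.31  # not in the floors table, ignored"]

if __name__ == "__main__":
    for pkg, why in sorted(audit_requirements(REQUIREMENTS_BEFORE).items()):
        print("%-12s %s" % (pkg, why))
```

Run it in CI against the real requirements file and fail the job when the returned dict is non-empty; a package with no lower bound is reported as well, since `pip` may still resolve it to a vulnerable release.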