[Anaconda] - [aiohttp] - Address Security Vulnerability - GHSA-5h86-8mv2-jq9f (#949)

gauravsaini04 · web-flow · commit 9c2a2e19e578 · 2024-02-07T16:37:13.000-08:00
* [Anaconda] - GHSA-5h86-8mv2-jq9f - aiohttp - patch for vuln * for failing tests - no space left on device - error
diff --git a/.github/workflows/smoke-anaconda.yaml b/.github/workflows/smoke-anaconda.yaml
@@ -14,7 +14,7 @@ on:
 jobs:
   smoke-test:
     name: Smoke test
-    runs-on: ubuntu-latest
+    runs-on: devcontainer-image-builder-ubuntu
     steps:
 
     - name: Checkout
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -5,9 +5,7 @@ RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1
 
 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \ 
-    # https://github.com/advisories/GHSA-q3qx-c6g2-7pw2
-    aiohttp=3.9.0 \
+RUN conda install \
     # https://github.com/advisories/GHSA-v845-jxx5-vc9f
     urllib3==1.26.18 \
     # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
@@ -37,7 +35,9 @@ RUN python3 -m pip install --upgrade \
     # https://github.com/advisories/GHSA-3f63-hfp8-52jq
     pillow==10.2.0 \
     # https://github.com/advisories/GHSA-44cc-43rp-5947
-    jupyterlab==4.0.11
+    jupyterlab==4.0.11 \
+    # https://github.com/advisories/GHSA-5h86-8mv2-jq9f
+    aiohttp==3.9.2
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -43,7 +43,7 @@ checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.7"
 checkPythonPackageVersion "transformers" "4.36.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
-checkPythonPackageVersion "aiohttp" "3.9.0"
+checkPythonPackageVersion "aiohttp" "3.9.2"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
 checkPythonPackageVersion "pyarrow" "14.0.1"
@@ -55,7 +55,6 @@ checkCondaPackageVersion "cryptography" "41.0.7"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
-checkCondaPackageVersion "aiohttp" "3.9.0"
 checkCondaPackageVersion "urllib3" "1.26.17"
 checkCondaPackageVersion "pyarrow" "14.0.1"
 
