
Update Ipywidgets>=8.x to fix security vulnerabilities#2545

Open
dazza-codes wants to merge 1 commit into keplergl:master from dazza-codes:patch-1

Conversation

dazza-codes commented Mar 26, 2024

Fix #2546

Is the project dependabot running on the python dependency tree? The setup.py seems to be the place to patch this; the bindings/kepler.gl-jupyter/requirements.txt has not been touched in 5 years.

Since the current constraints prevent >= 8.x, this might cause an issue with the consumers of the ipywidgets API.

Bump ipywidgets >=8.0 to resolve CVEs:

```
-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50664
   Affected spec: <8.0.0
   ADVISORY: Ipywidgets 8.0.0 sanitizes descriptions by default. https://github.com/jupyter-widgets/ipywidgets/pull/2785
   PVE-2022-50664
   For more information about this vulnerability, visit https://data.safetycli.com/v/50664/97c
   To ignore this vulnerability, use PyUp vulnerability id 50664 in safety's ignore command-line argument or add the ignore to your safety policy file.

-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50463
   Affected spec: <8.0.0rc2
   ADVISORY: Ipywidgets 8.0.0rc2 makes descriptions plaintext by default for security. https://github.com/jupyter-widgets/ipywidgets/pull/2785
   PVE-2022-50463
   For more information about this vulnerability, visit https://data.safetycli.com/v/50463/97c
   To ignore this vulnerability, use PyUp vulnerability id 50463 in safety's ignore command-line argument or add the ignore to your safety policy file.
```

https://pypi.org/project/ipywidgets/#history

Bump ipywidgets >=8.0 to resolve CVEs:

```
-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50664
   Affected spec: <8.0.0
   ADVISORY: Ipywidgets 8.0.0 sanitizes descriptions by default. jupyter-widgets/ipywidgets#2785
   PVE-2022-50664
   For more information about this vulnerability, visit https://data.safetycli.com/v/50664/97c
   To ignore this vulnerability, use PyUp vulnerability id 50664 in safety’s ignore command-line argument or add the ignore to your safety policy file.

-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50463
   Affected spec: <8.0.0rc2
   ADVISORY: Ipywidgets 8.0.0rc2 makes descriptions plaintext by default for security. jupyter-widgets/ipywidgets#2785
   PVE-2022-50463
   For more information about this vulnerability, visit https://data.safetycli.com/v/50463/97c
   To ignore this vulnerability, use PyUp vulnerability id 50463 in safety’s ignore command-line argument or add the ignore to your safety policy file.
```

Signed-off-by: Darren Weber <dweber.consulting@gmail.com>
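One way to check that a loosened constraint really excludes the ranges the scanner flagged, as an added example that is not part of this PR or the kepler.gl code base: a stdlib-only Python script that evaluates a requirement specifier against the two affected specs quoted in the safety output above. The release list and the stand-in pre-PR constraint `>=7.0,<8` are constructed for illustration (the PR does not quote the old pin); a real audit would take the release list from the PyPI history linked above.

```python
"""Check whether a dependency constraint still admits versions inside an advisory's affected range.

Stdlib-only illustration (added example, not kepler.gl code): a minimal PEP 440-style
comparison for the X.Y.Z[aN|bN|rcN] version shapes that ipywidgets uses.
"""
import re

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any of its pre-releases


def parse_version(text):
    """Parse '7.8.1' or '8.0.0rc2' into ((major, minor, patch), (pre_rank, pre_num))."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) < 3:  # '8' and '8.0' compare equal to '8.0.0'
        release.append(0)
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return (tuple(release), pre)


def is_prerelease(text):
    return parse_version(text)[1] != _FINAL


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec`, e.g. '>=7.0,<8'.

    Applies the PEP 440 rule that '<V' does not admit pre-releases of V itself when V
    is a final release, so '<8' does not match '8.0.0rc1'.
    """
    cand = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = re.fullmatch(r"(<=|>=|==|!=|<|>)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if op == "<" and cand[1] != _FINAL and bound[1] == _FINAL and cand[0] == bound[0]:
            return False
        if not _OPS[op](cand, bound):
            return False
    return True


# Constructed sample of ipywidgets releases for illustration; a real audit would take this
# list from the PyPI release history (https://pypi.org/project/ipywidgets/#history).
SAMPLE_RELEASES = ["7.6.5", "7.7.2", "7.8.1", "8.0.0rc1", "8.0.0rc2", "8.0.0", "8.1.1"]

# Affected specs exactly as quoted in the safety output in the PR description.
ADVISORIES = {
    "PVE-2022-50664": "<8.0.0",
    "PVE-2022-50463": "<8.0.0rc2",
}


def exposed_versions(constraint, affected_spec, known_versions, allow_prereleases=False):
    """Versions a resolver could pick under `constraint` that also fall in `affected_spec`.

    Like pip's default behaviour, pre-releases are skipped unless the caller opts in.
    """
    return [
        v for v in known_versions
        if (allow_prereleases or not is_prerelease(v))
        and satisfies(v, constraint)
        and satisfies(v, affected_spec)
    ]


def audit(constraint, known_versions=SAMPLE_RELEASES, allow_prereleases=False):
    """Map each advisory ID to the versions `constraint` still lets a resolver choose."""
    return {
        pve: exposed_versions(constraint, spec, known_versions, allow_prereleases)
        for pve, spec in ADVISORIES.items()
    }


if __name__ == "__main__":
    # '>=7.0,<8' is a constructed stand-in for the pre-PR pin, which the PR does not quote.
    for constraint in (">=7.0,<8", ">=8.0"):
        print(constraint, "->", audit(constraint))
```

Running it shows the stand-in `<8` pin still resolving to the three 7.x releases flagged by both advisories, while `>=8.0` leaves nothing exposed. Passing `allow_prereleases=True` with a constraint such as `>=8.0.0rc1` shows why pinning to a release candidate is not equivalent: `8.0.0rc1` is still inside `<8.0.0rc2`.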
dazza-codes changed the title from "Update setup.py" to "Update Ipywidgets>=8.x to fix security vulnerabilities" on Mar 26, 2024

igorDykhta added the "jupyter" label (keplergl for Jupyter) on Feb 25, 2025

Labels: jupyter (keplergl for Jupyter)

Linked issue (may be closed by merging this pull request): [Bug][Jupyter Widget] Security vulnerabilities in Ipywidgets

2 participants