Upgrade urllib3 to 2.6.3 to fix CVE-2025-66418 #435
openshift-merge-bot[bot] merged 1 commit into opendatahub-io:stable-2.x from
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: rpancham.
| ENV VIRTUAL_ENV=/caikit/.venv | ||
| ENV PATH="$VIRTUAL_ENV/bin:$PATH" | ||
|
|
||
| RUN /caikit/.venv/bin/pip install --no-cache-dir "urllib3>=2.6.0" |
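Review bot: the constraint `"urllib3>=2.6.0"` in the new RUN line does not pin the 2.6.3 that the PR title and description promise; pip resolves the newest release satisfying the floor at build time, so the installed version depends on when the image is built and can be 2.6.0 or anything newer, and the build is not reproducible. Pin it to match the stated fix, e.g. `RUN /caikit/.venv/bin/pip install --no-cache-dir "urllib3==2.6.3"`, or at least raise the floor to `"urllib3>=2.6.3"`, and keep the version check inside the built image as a CI step rather than a one-off manual verification.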
You could merge this line with the next RUN statement to avoid an additional layer.
Thanks for the suggestion. I’ll keep this as a separate RUN for now to keep the CVE fix clearly visible in the Docker history and make the security-related change easier to audit.
/lgtm
Merged commit 11c86a2 into opendatahub-io:stable-2.x
Addresses: https://issues.redhat.com/browse/RHOAIENG-42048
This PR fixes CVE-2025-66418 by upgrading the transitive dependency urllib3 to version 2.6.3 in the container image. The fix ensures the runtime uses a non-vulnerable version of urllib3 and has been verified inside the built image.
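The description says the fix "has been verified inside the built image". Below is an added example of how to script that verification so it can run in CI; it is not code from the PR or from the caikit project. It asks the image's own interpreter which urllib3 it imports (the version that actually loads, not merely what pip lists) and compares it against a minimum. The venv path `/caikit/.venv` comes from the diff above; the image name, the `IMAGE`/`VENV`/`MIN_VERSION` variables and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR): check the urllib3 version that loads
# inside a built image against a minimum version. IMAGE, VENV and
# MIN_VERSION are illustrative assumptions, not project configuration.
VENV="${VENV:-/caikit/.venv}"
MIN_VERSION="${MIN_VERSION:-2.6.3}"

# version_ge A B: exit 0 if dotted version A >= B, comparing numeric
# components left to right. Missing components count as 0 (2.6 == 2.6.0).
# A trailing pre-release tag such as "rc1" is stripped and ignored, so a
# pre-release of the minimum passes; tighten this if that matters to you.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}; cb=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    ca=${ca:-0}; cb=${cb:-0}
    if [ "$ca" -gt "$cb" ]; then return 0; fi
    if [ "$ca" -lt "$cb" ]; then return 1; fi
  done
  return 0
}

# check_version REPORTED MIN: print a verdict, exit 0 only when REPORTED >= MIN.
check_version() {
  reported="$1"; minimum="$2"
  if version_ge "$reported" "$minimum"; then
    echo "OK: urllib3 $reported >= $minimum"
    return 0
  fi
  echo "FAIL: urllib3 $reported < $minimum" >&2
  return 1
}

# Ask the image's interpreter what it imports. This is the copy that runs at
# runtime, even if another urllib3 is installed elsewhere on the image; the
# module path goes to stderr so a stray second copy is easy to spot.
urllib3_version_in_image() {
  docker run --rm --entrypoint "$VENV/bin/python" "$1" \
    -c 'import sys, urllib3; print(urllib3.__version__); print(urllib3.__file__, file=sys.stderr)'
}

# Only touch docker when an image is named, e.g.:
#   IMAGE=quay.io/example/caikit:latest sh check_urllib3.sh
if [ -n "${IMAGE:-}" ]; then
  check_version "$(urllib3_version_in_image "$IMAGE")" "$MIN_VERSION"
fi
```

Because the Dockerfile line only requires `urllib3>=2.6.0`, a build that resolves to 2.6.0 passes the pip constraint but fails this check against 2.6.3; running the script against every built image is what turns the one-time manual verification into a guarantee.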