Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Luke/CVE bump #3928

Merged
merged 8 commits into from
Feb 19, 2025
Merged

Luke/CVE bump #3928

merged 8 commits into from
Feb 19, 2025

Conversation

luke-kucing
Copy link
Contributor

bumping dependancies and updated the tokenizer constraint

six5532one
six5532one reviewed Feb 18, 2025
View reviewed changes
requirements/deps/constraints.txt Outdated
@@ -18,3 +18,5 @@ botocore<1.34.132
importlib-metadata>=8.5.0
# (austin): Versions below this have a different interface for passing parameters
unstructured-client>=0.23.0,<0.26.0
# (luke): conflicting versions installed. pinned to 5.3.0 for now.
lxml==5.3.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like @ahmetmeleq also opened a PR to address CVEs but it doesn't include this pin. Would the changes in #3925 resolve the CVE?

Copy link
Contributor Author

@luke-kucing luke-kucing Feb 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like that PR would resolve the cryptography CVE and label-studio sdk but would fix the transformers CVE in version 4.442 thats resolved in version 4.48.0

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested removing the constraint and it doesnt seem like anything required 5.3.0 so that might have just been an error on my part

@six5532one six5532one mentioned this pull request Feb 19, 2025
Closed
@tabossert
Copy link
Contributor

If the image seems like it's working, the changes seem good to me

@luke-kucing luke-kucing added this pull request to the merge queue Feb 19, 2025
Merged via the queue into main with commit 147add9 Feb 19, 2025
41 checks passed
@luke-kucing luke-kucing deleted the luke/cve_bump branch February 19, 2025 17:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@six5532one six5532one six5532one approved these changes

@tabossert tabossert tabossert approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@luke-kucing @tabossert @six5532one