Upgrade to nltk 3.9.1 to address CVE-2024-39705 #75

Merged (1 commit), Aug 22, 2024

Conversation

@aecio (Contributor) commented Aug 20, 2024

The upgrade of nltk to version 3.9.1 is a BREAKING change. This change
downloads `punkt_tab` instead of `punkt`, which has a critical security
vulnerability (CVE-2024-39705).
See e.g.:
- GHSA-cgvx-9447-vcch
- nltk/nltk#3293
- nltk/nltk#3266
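As an added example (not code from the valentine project or from this pull request), the loader below enforces the post-upgrade behaviour the description asks for: it refuses to run on an nltk older than 3.9.1, it only ever requests the pickle-free `punkt_tab` package, and it can scan an `nltk_data` tree for `punkt` pickle files left behind by an older install. The nltk calls (`nltk.__version__`, `nltk.data.find`, `nltk.download`) are the library's real API; the 3.9.1 floor and the `tokenizers/punkt/*.pickle` layout are assumptions taken from how the legacy package was distributed.

```python
"""Guarded loader for the pickle-free ``punkt_tab`` tokenizer data.

Added example, not code from the valentine project or this PR.
Assumptions: nltk 3.9.1 is the minimum release to allow (CVE-2024-39705
concerns unpickling of the older ``punkt`` package via the data
downloader), and a legacy ``punkt`` install lives under
``<nltk_data>/tokenizers/punkt/`` as ``*.pickle`` files.
"""
import os
import re
from typing import List, Tuple

MIN_SAFE_NLTK = (3, 9, 1)      # assumed floor; see module docstring
SAFE_RESOURCE = "punkt_tab"    # tab-separated text tables, no pickle
LEGACY_RESOURCE = "punkt"      # pickled models, the package the CVE concerns


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.9.1' or '3.8.2rc1' into a comparable tuple of ints.

    Only the leading dotted numeric components are used; a pre-release
    tag or local label after them is ignored.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def nltk_is_safe(version: str) -> bool:
    """True if this nltk release is at or above the assumed safe floor."""
    return parse_version(version) >= MIN_SAFE_NLTK


def select_resource(version: str) -> str:
    """Name the tokenizer package to request for a given nltk version.

    Never returns the legacy pickle-based package: on an old nltk the
    caller must upgrade rather than silently fall back to ``punkt``.
    """
    if not nltk_is_safe(version):
        floor = ".".join(map(str, MIN_SAFE_NLTK))
        raise RuntimeError(
            f"nltk {version} is below {floor}; upgrade before loading "
            f"tokenizer data instead of downloading {LEGACY_RESOURCE!r}"
        )
    return SAFE_RESOURCE


def find_legacy_pickles(nltk_data_dir: str) -> List[str]:
    """List pickle files left under tokenizers/punkt in an nltk_data tree.

    A post-upgrade check: the new code never reads these files, but a
    pickle that an older install fetched is still worth deleting.
    """
    punkt_dir = os.path.join(nltk_data_dir, "tokenizers", LEGACY_RESOURCE)
    found = []
    for root, _dirs, files in os.walk(punkt_dir):
        for name in files:
            if name.endswith(".pickle"):
                found.append(os.path.join(root, name))
    return sorted(found)


def ensure_punkt_tab() -> str:
    """Make sure punkt_tab is present, downloading it only on a safe nltk.

    Returns the verified resource name. Requires nltk to be installed; it
    is imported lazily so the pure helpers above run without it.
    """
    import nltk

    resource = select_resource(nltk.__version__)
    try:
        nltk.data.find(f"tokenizers/{resource}")
    except LookupError:
        nltk.download(resource, quiet=True)
        nltk.data.find(f"tokenizers/{resource}")  # raises if download failed
    return resource


if __name__ == "__main__":
    print(ensure_punkt_tab())
```

Projects that pin `valentine` to the release containing this change get the same guarantee from their dependency resolver; the explicit version check is for code paths that load tokenizer data directly.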

codecov bot commented Aug 21, 2024

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 87.15%. Comparing base (ddf1399) to head (8e59d6c).
Report is 2 commits behind head on master.

File valentine/algorithms/cupid/linguistic_matching.py: patch coverage 50.00%, 1 line missing.
@@           Coverage Diff           @@
##           master      #75   +/-   ##
=======================================
  Coverage   87.15%   87.15%           
=======================================
  Files          40       40           
  Lines        1760     1760           
=======================================
  Hits         1534     1534           
  Misses        226      226           


@chrisk21 (Collaborator) commented:

Merging to main branch, will have a new release soon.

@chrisk21 chrisk21 merged commit 9f6c79d into delftdata:master Aug 22, 2024
18 of 19 checks passed
@aecio (Contributor, Author) commented Aug 22, 2024

Thanks, @chrisk21!

aecio added a commit to VIDA-NYU/bdi-kit that referenced this pull request Nov 11, 2024
This reverts the version pin added in commit:
bfc5f32
This can be done now since some of our dependencies,
such as `valentine` have upgraded as well. See pull
request delftdata/valentine#75.
The minimum version requirement for valentine is needed
because the nltk upgrade is a breaking change: using
valentine with older nltk would cause bugs related to
the punkt tokenizer.