[anaconda]-GHSA-vvfj-2jqx-52jm: jupyterlab and GHSA-94vc-p8w7-5p49: imagecodecs - security vulnerability (#1648)

sireeshajonnalagadda · web-flow · commit 02fa3abad519 · 2025-11-20T12:30:19.000Z
* [anaconda]-GHSA-vvfj-2jqx-52jm: jupyterlab and GHSA-94vc-p8w7-5p49: imagecodecs - security vulnerability * protobuf pin to required version
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -4,7 +4,7 @@
 # werkzeug - [GHSA-f9vj-2wh5-fj8j] 
 
 vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
-                      "zipp=3.19.1" "tornado=6.4.2")
+                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2023.9.18")
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -26,7 +26,7 @@ done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=("jupyter_core" "cryptography")
+pin_to_required_version=("jupyter_core" "cryptography" "protobuf")
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
     local pkg="$1"
diff --git a/src/anaconda/README.md b/src/anaconda/README.md
@@ -30,7 +30,7 @@ You can decide how often you want updates by referencing a [semantic version](ht
 
 - `mcr.microsoft.com/devcontainers/anaconda:1-3`
 - `mcr.microsoft.com/devcontainers/anaconda:1.3-3`
-- `mcr.microsoft.com/devcontainers/anaconda:1.3.0-3`
+- `mcr.microsoft.com/devcontainers/anaconda:1.3.2-3`
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/anaconda/tags/list).
 
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -1,5 +1,5 @@
 {
-	"version": "1.3.1",
+	"version": "1.3.2",
 	"build": {
 		"latest": true,
 		"rootDistro": "debian",
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -49,7 +49,7 @@ checkPythonPackageVersion "tornado" "6.4.2"
 checkPythonPackageVersion "jupyter_server" "2.14.1"
 checkPythonPackageVersion "pyarrow" "14.0.1"
 checkPythonPackageVersion "pillow" "10.3.0"
-checkPythonPackageVersion "jupyterlab" "4.2.5"
+checkPythonPackageVersion "jupyterlab" "4.4.8"
 checkPythonPackageVersion "notebook" "7.2.2"
 checkPythonPackageVersion "gitpython" "3.1.41"
 checkPythonPackageVersion "jupyter-lsp" "2.2.2"
@@ -59,6 +59,7 @@ checkPythonPackageVersion "scrapy" "2.11.2"
 checkPythonPackageVersion "requests" "2.32.4"
 checkPythonPackageVersion "scikit-learn" "1.5.0"
 checkPythonPackageVersion "zipp" "3.19.1"
+checkPythonPackageVersion "imagecodecs" "2023.9.18"
 
 checkCondaPackageVersion "pyopenssl" "24.2.1"
 checkCondaPackageVersion "requests" "2.32.4"

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "1.3.1",`
	`2`	`+ "version": "1.3.2",`
`3`	`3`	`"build": {`
`4`	`4`	`"latest": true,`
`5`	`5`	`"rootDistro": "debian",`