Skip to content

[anaconda] Address GHSA-47fc-vmwq-366v, GHSA-282v-666c-3fvg, GHSA-mrwq-x4v8-fh7p vulnerabilities #690

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Aug 14, 2023
Merged

[anaconda] Address GHSA-47fc-vmwq-366v, GHSA-282v-666c-3fvg, GHSA-mrwq-x4v8-fh7p vulnerabilities #690

merged 18 commits into from
Aug 14, 2023

Conversation

@alexander-smolyakov
Copy link
Contributor

@alexander-smolyakov alexander-smolyakov commented Aug 1, 2023
edited
Loading

Dev container name:

  • anaconda

Description:

This PR patches the following vulnerabilities:

These vulnerabilities come from the continuumio/anaconda3 image used upstream for the anaconda devcontainer.

Changelog:

  • Updated Dockerfile:

    • Removed lock from continuumio/anaconda3 image to use the latest version of the image (Contains fixes for torch and pygments packages);
    • Locked versions for patched Python packages;
    • Added patch to install updated versions of transformers packages;

  • Added tests to verify minimum versions of the following packages:

    • torch - minimum package version set to 1.13.1;
    • transformers - minimum package version set to 4.30.0;
    • pygments - minimum package version set to 2.15.1;

  • Updated information about packages in the devcontainer manifest;

  • Updated tests to use different environments when installing packages from the conda-forge channel;

  • Updated README.md to add info about possible conflicts in Conda's environment when channels are mixed;

Checklist:

  • Checked that applied changes work as expected

@alexander-smolyakov alexander-smolyakov requested a review from a team as a code owner August 1, 2023 14:01
samruddhikhandale
samruddhikhandale reviewed Aug 10, 2023
View reviewed changes
@alexander-smolyakov
Use latest version of continuumio/anaconda3 image
2698391 
- Remove version lock for `continuumio/anaconda3` image;
- Remove patches for `torch` and `pygments`
@alexander-smolyakov
Update tests
cc98ca9
@alexander-smolyakov
Merge remote-tracking branch 'upstream/main' into anaconda_GHSA-47fc-…
94a7ada 
…vmwq-366v_GHSA-282v-666c-3fvg_GHSA-mrwq-x4v8-fh7p-patch_packages
@alexander-smolyakov
Update patch
a5bac20 
- Lock packages versions;
- Clean up `manifest.json`;
@alexander-smolyakov
Update README.md
42d75ba
samruddhikhandale
samruddhikhandale reviewed Aug 14, 2023
View reviewed changes
samruddhikhandale
samruddhikhandale reviewed Aug 14, 2023
View reviewed changes
alexander-smolyakov and others added 2 commits August 14, 2023 20:12
@alexander-smolyakov @samruddhikhandale
Update src/anaconda/README.md
c642c0e 
Co-authored-by: Samruddhi Khandale <samruddhikhandale@github.com>
@alexander-smolyakov
Revert changes for manifest
a64f971
@samruddhikhandale samruddhikhandale merged commit 5f5cfbc into devcontainers:main Aug 14, 2023
@samruddhikhandale samruddhikhandale mentioned this pull request Aug 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samruddhikhandale samruddhikhandale samruddhikhandale approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexander-smolyakov @samruddhikhandale