Merge remote-tracking branch 'upstream/main' into anaconda_GHSA-47fc-…

…vmwq-366v_GHSA-282v-666c-3fvg_GHSA-mrwq-x4v8-fh7p-patch_packages

src/anaconda/.devcontainer/Dockerfile

@@ -18,15 +18,21 @@ RUN python3 -m pip install \
     werkzeug \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
     nbconvert \
-   # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
-    tornado
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+    tornado \
+    # https://github.com/advisories/GHSA-47fc-vmwq-366v
+    torch==1.13.1 \
+    # https://github.com/advisories/GHSA-282v-666c-3fvg
+    transformers==4.30.0
 
 RUN conda install \ 
     # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
     pyopenssl=23.2.0 \ 
     cryptography=41.0.2 \
     # https://github.com/advisories/GHSA-j8r2-6x86-q33q
-    requests=2.31.0
+    requests=2.31.0 \
+    # https://github.com/advisories/GHSA-mrwq-x4v8-fh7p
+    pygments=2.15.1
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
@@ -78,28 +84,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && echo "conda activate base" >> ~/.bashrc \
     && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
 
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN python3 -m pip install \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
-    --upgrade joblib \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
-    cookiecutter \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
-    mistune \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
-    numpy \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
-    werkzeug \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
-    nbconvert \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
-    tornado \
-    # https://github.com/advisories/GHSA-47fc-vmwq-366v
-    torch==1.13.1 \
-    # https://github.com/advisories/GHSA-282v-666c-3fvg
-    transformers==4.30.0
-
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
 # COPY environment.yml* .devcontainer/noop.txt /tmp/conda-tmp/
@@ -110,24 +94,3 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 #     && apt-get -y install --no-install-recommends <your-package-list-here>
-
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \ 
-    # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
-    pyopenssl=23.2.0 \ 
-    cryptography=41.0.2 \
-    # https://github.com/advisories/GHSA-j8r2-6x86-q33q
-    requests=2.31.0 \
-    # https://github.com/advisories/GHSA-mrwq-x4v8-fh7p
-    pygments=2.15.1
-
-# Create conda group, update conda directory permissions, 
-# add user to conda group
-# Note: We need to execute these commands after pip install / conda update 
-# since pip doesn't preserve directory permissions
-RUN groupadd -r conda --gid 900 \
-    && chown -R :conda /opt/conda \
-    && chmod -R g+w /opt/conda \
-    && find /opt -type d | xargs -n 1 chmod g+s \
-    && usermod -aG conda ${USERNAME}