Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade orjson to version 3.9.15 #3488

Merged
merged 3 commits into from
Mar 3, 2024
Merged

Upgrade orjson to version 3.9.15 #3488

merged 3 commits into from
Mar 3, 2024

Conversation

spolti
Copy link
Contributor

@spolti spolti commented Feb 28, 2024

chore: Fixes CVE-2024-27454: orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

For this update all poetry.lock were update and the images built.

Release note:

Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

@spolti
Upgrade orjson to version 3.9.15
cf299f9 
chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>
terrytangyuan
terrytangyuan reviewed Feb 29, 2024
View reviewed changes
Copy link
Member

@terrytangyuan terrytangyuan left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There seems to be a lot of changes besides orjson. Could you clarify why those changes were needed? How was this PR prepared?

python/alibiexplainer/pyproject.toml
@@ -17,6 +17,7 @@ tensorflow = ">=2.12.0,<2.14" # the range that supports python 3.8 -- 3.11
dill = "^0.3.6"
nest-asyncio = "~1.4.0"
llvmlite = ">0.38.1" # needed since poetry chooses lower version of llvmlite which is not supported by python 3.9 above
tensorflow-io-gcs-filesystem = "0.34.0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this intentional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes.
Otherwise, when running poetry lock it will get updated to 0.36.0 and the alibexplainer build will fail by not finding this dependency.

@spolti
Copy link
Contributor Author

spolti commented Feb 29, 2024

There seems to be a lot of changes besides orjson. Could you clarify why those changes were needed? How was this PR prepared?

Sure, I basically just updated orjson on kserve/project.toml and executed poetry lock on every subproject.

spolti and others added 2 commits February 29, 2024 09:33
@spolti @sivanantha321
Update python/kserve/pyproject.toml
7e0e4ac 
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
@spolti
re-run poetry lock
1cbe360 
Signed-off-by: Spolti <fspolti@redhat.com>
@yuzisun
Copy link
Member

yuzisun commented Mar 3, 2024

/lgtm
/approve

@oss-prow-bot oss-prow-bot bot added the lgtm label Mar 3, 2024
@oss-prow-bot OSS-prow-bot
Copy link

oss-prow-bot bot commented Mar 3, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spolti, yuzisun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@oss-prow-bot oss-prow-bot bot added the approved label Mar 3, 2024
@oss-prow-bot oss-prow-bot bot merged commit 525fe8c into kserve:master Mar 3, 2024
58 checks passed
tjandy98 pushed a commit to tjandy98/kserve that referenced this pull request Apr 10, 2024
@spolti @sivanantha321 @tjandy98
Upgrade orjson to version 3.9.15 (kserve#3488)
518daf7 
* Upgrade orjson to version 3.9.15

chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>

* Update python/kserve/pyproject.toml

Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>

* re-run poetry lock

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: tjandy98 <3953059+tjandy98@users.noreply.github.com>
israel-hdez pushed a commit to israel-hdez/kserve that referenced this pull request May 4, 2024
@spolti @sivanantha321 @israel-hdez
Upgrade orjson to version 3.9.15 (kserve#3488)
ecf0ba2 
* Upgrade orjson to version 3.9.15

chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>

* Update python/kserve/pyproject.toml

Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>

* re-run poetry lock

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
israel-hdez pushed a commit to israel-hdez/kserve that referenced this pull request May 6, 2024
@spolti @sivanantha321 @israel-hdez
Upgrade orjson to version 3.9.15 (kserve#3488)
1833f14 
* Upgrade orjson to version 3.9.15

chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>

* Update python/kserve/pyproject.toml

Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>

* re-run poetry lock

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
@israel-hdez israel-hdez mentioned this pull request May 6, 2024
Merged
@spolti spolti deleted the orjson branch June 26, 2024 19:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terrytangyuan terrytangyuan terrytangyuan left review comments

@sivanantha321 sivanantha321 sivanantha321 left review comments

@Iamlovingit Iamlovingit Awaiting requested review from Iamlovingit

@sukumargaonkar sukumargaonkar Awaiting requested review from sukumargaonkar

@yuzisun yuzisun Awaiting requested review from yuzisun

Assignees

@yuzisun yuzisun

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@spolti @yuzisun @terrytangyuan @sivanantha321