
Upgrade orjson to version 3.9.15 #3488

Merged
merged 3 commits into from
Mar 3, 2024

Conversation

@spolti (Contributor) commented Feb 28, 2024

chore: Fixes CVE-2024-27454: orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

For this update all poetry.lock files were updated and the images built.

Release note:

Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>
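The issue this PR patches, orjson.loads recursing without limit on deeply nested JSON, can also be guarded at the application boundary so that a request body is rejected before any parser recurses on it. Added example, not KServe or orjson code: a linear-scan nesting-depth check that falls back to the stdlib when orjson is not installed; `DEFAULT_MAX_DEPTH`, the sample payloads and the function names are assumptions.

```python
import json

try:  # use orjson when installed (3.9.15+ bounds its own recursion); else stdlib
    import orjson
except ImportError:
    orjson = None

DEFAULT_MAX_DEPTH = 64  # assumption: ample for inference payloads, far below stack limits

# Constructed samples: a normal request body and a pathologically nested one.
SAMPLE_OK = b'{"instances": [[1.0, 2.0], [3.0, 4.0]], "note": "[[not nesting]]"}'
SAMPLE_DEEP = b"[" * 10_000 + b"]" * 10_000


def max_json_depth(data):
    """Return the deepest array/object nesting in `data` (bytes or str).

    Linear scan, no recursion. Brackets inside string literals are ignored and
    backslash escapes inside strings are honoured.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    depth = deepest = 0
    in_string = escaped = False
    for byte in data:
        ch = chr(byte)
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth = max(depth - 1, 0)  # tolerate unbalanced input; the parser reports it
    return deepest


def safe_loads(data, max_depth=DEFAULT_MAX_DEPTH):
    """Reject input nested deeper than `max_depth` before any parser touches it."""
    depth = max_json_depth(data)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return orjson.loads(data) if orjson is not None else json.loads(data)
```

The scan is O(n) and allocates nothing per level, so it is cheap to run on every request even when the upstream parser already enforces its own limit.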
@terrytangyuan (Member) left a comment:

There seems to be a lot of changes besides orjson. Could you clarify why those changes were needed? How was this PR prepared?

@@ -17,6 +17,7 @@ tensorflow = ">=2.12.0,<2.14" # the range that supports python 3.8 -- 3.11
dill = "^0.3.6"
nest-asyncio = "~1.4.0"
llvmlite = ">0.38.1" # needed since poetry chooses lower version of llvmlite which is not supported by python 3.9 above
tensorflow-io-gcs-filesystem = "0.34.0"
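Review bot: the new pin `tensorflow-io-gcs-filesystem = "0.34.0"` in this hunk carries no comment explaining why it is fixed to an exact version, whereas the neighbouring `llvmlite = ">0.38.1"` line documents its reason inline. The thread below gives the reason (a fresh `poetry lock` would otherwise resolve 0.36.0 and the alibiexplainer build would fail to find the dependency), so put that on the line itself, e.g. `tensorflow-io-gcs-filesystem = "0.34.0" # pinned: 0.36.0 breaks the alibiexplainer build`, so the next person re-running `poetry lock` does not drop the pin.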
Member commented:

Is this intentional?

spolti (Contributor Author) replied:

Yes.
Otherwise, when running poetry lock it will get updated to 0.36.0 and the alibiexplainer build will fail by not finding this dependency.

@spolti (Contributor Author) commented Feb 29, 2024

> There seems to be a lot of changes besides orjson. Could you clarify why those changes were needed? How was this PR prepared?

Sure, I basically just updated orjson on kserve/project.toml and executed poetry lock on every subproject.

spolti and others added 2 commits February 29, 2024 09:33
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Signed-off-by: Spolti <fspolti@redhat.com>
@yuzisun (Member) commented Mar 3, 2024

/lgtm
/approve

oss-prow-bot commented Mar 3, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spolti, yuzisun


@oss-prow-bot oss-prow-bot bot added the approved label Mar 3, 2024
@oss-prow-bot oss-prow-bot bot merged commit 525fe8c into kserve:master Mar 3, 2024
58 checks passed
tjandy98 pushed a commit to tjandy98/kserve that referenced this pull request Apr 10, 2024
* Upgrade orjson to version 3.9.15

chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Signed-off-by: Spolti <fspolti@redhat.com>

* Update python/kserve/pyproject.toml

Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>

* re-run poetry lock

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: tjandy98 <3953059+tjandy98@users.noreply.github.com>
israel-hdez pushed a commit to israel-hdez/kserve that referenced this pull request May 4, 2024
israel-hdez pushed a commit to israel-hdez/kserve that referenced this pull request May 6, 2024