Upgrade orjson to version 3.9.15 #3488
Conversation
chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents. Signed-off-by: Spolti <fspolti@redhat.com>
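The CVE named in the summary above is a recursion-bound bug: a document such as `[[[[...]]]]` nested tens of thousands of levels deep drives the parser's stack down until the process dies. Upgrading orjson is the fix. As an added example that is not KServe or orjson code, the guard below pre-scans untrusted JSON for bracket depth and rejects over-nested input before any parser touches it, so a service fails with a clean error rather than a crash regardless of which parser version happens to be installed. `MAX_DEPTH`, `NestingTooDeep`, `json_nesting_depth` and `safe_loads` are names chosen here; the stdlib `json.loads` stands in for `orjson.loads`, and the sample payloads are constructed for the demonstration.

```python
"""Depth pre-check for untrusted JSON (added example, not KServe/orjson code).

A parser that recurses once per nesting level can be knocked over by a
document like "[" * 100000 + "]" * 100000.  This guard bounds the depth
in a single linear scan before the real parser runs.
"""
import json

# Assumption: 64 levels is far deeper than any legitimate inference payload;
# tune to the deepest document the service is actually expected to accept.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Raised when a JSON text nests more than the configured limit."""


def json_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the maximum [ / { nesting depth of a JSON text.

    String literals are skipped (including escaped quotes), so brackets
    inside a string value are not counted.  The scan aborts as soon as the
    depth exceeds `limit`, so a multi-megabyte "[[[[..." is rejected after
    reading only `limit + 1` opening brackets.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # the character after a backslash
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return max_depth


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Parse JSON only after the depth guard has accepted it.

    Swap json.loads for orjson.loads in a real service; the guard in front
    of it is what keeps a hostile payload from reaching the recursive parser.
    """
    json_nesting_depth(text, limit)
    return json.loads(text)


def classify(text: str, limit: int = MAX_DEPTH) -> str:
    """Label a payload the way an ingress handler would map it to a response."""
    try:
        safe_loads(text, limit)
        return "accepted"
    except NestingTooDeep:
        return "rejected: too deep"        # -> HTTP 400, not a crashed worker
    except ValueError:
        return "rejected: invalid json"


if __name__ == "__main__":
    # Constructed inputs: a normal inference-style body and a nesting bomb.
    benign = '{"instances": [[1.0, 2.0], [3.0, 4.0]], "note": "[[not brackets]]"}'
    bomb = "[" * 100_000 + "]" * 100_000
    print(classify(benign))   # accepted
    print(classify(bomb))     # rejected: too deep
```

The scanner only understands enough JSON to track brackets and strings; it is a guard, not a validator, and the real parser still decides whether the document is well formed. Putting the check in front of the parser also bounds memory and time for the pathological case, since the loop stops at the first bracket past the limit.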
There seem to be a lot of changes besides orjson. Could you clarify why those changes were needed? How was this PR prepared?
@@ -17,6 +17,7 @@ tensorflow = ">=2.12.0,<2.14" # the range that supports python 3.8 -- 3.11 | |||
dill = "^0.3.6" | |||
nest-asyncio = "~1.4.0" | |||
llvmlite = ">0.38.1" # needed since poetry chooses lower version of llvmlite which is not supported by python 3.9 above | |||
tensorflow-io-gcs-filesystem = "0.34.0" |
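Review bot: the new exact pin `tensorflow-io-gcs-filesystem = "0.34.0"` is the only added line in this hunk and it carries no explanation, while the `llvmlite` line two lines above it documents its own workaround inline; the reason for the pin (a fresh `poetry lock` otherwise resolves 0.36.0 and the alibexplainer build fails) lives only in the review thread, so add a trailing comment in the same style as the llvmlite line so the next person running `poetry lock` does not remove it. Note also that this hunk does not contain the orjson bump the PR title describes, so the reviewer should look for that change elsewhere in the diff and confirm the lock files agree with it.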
Is this intentional?
Yes. Otherwise, when running poetry lock it will get updated to 0.36.0 and the alibexplainer build will fail by not finding this dependency.
Sure, I basically just updated
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com> Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Signed-off-by: Spolti <fspolti@redhat.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: spolti, yuzisun
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
* Upgrade orjson to version 3.9.15
  chore: Fixes [CVE-2024-27454](https://nvd.nist.gov/vuln/detail/CVE-2024-27454): orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
  Signed-off-by: Spolti <fspolti@redhat.com>
* Update python/kserve/pyproject.toml
  Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
  Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
* re-run poetry lock
  Signed-off-by: Spolti <fspolti@redhat.com>
---------
Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Filippe Spolti <filippespolti@gmail.com>
Co-authored-by: Sivanantham <90966311+sivanantha321@users.noreply.github.com>
Signed-off-by: tjandy98 <3953059+tjandy98@users.noreply.github.com>
chore: Fixes CVE-2024-27454: orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
For this update, all poetry.lock files were updated and the images built.
Release note: