[anaconda]-security vulnerability for GHSA-8qvm-5x2c-j2w7: protobuf and GHSA-9356-575x-2w9m: transformers (devcontainers#1554)

sireeshajonnalagadda · web-flow · commit bf889df16143 · 2025-09-26T12:19:26.000+01:00
* [anaconda]-security vulnerability for GHSA-8qvm-5x2c-j2w7: protobuf and GHSA-9356-575x-2w9m: transformers * made changes
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -3,7 +3,7 @@
 # vulnerabilities:
 # werkzeug - [GHSA-f9vj-2wh5-fj8j] 
 
-vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=4.25.8" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.52.1" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
+vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
                       "zipp=3.19.1" "tornado=6.4.2")
 
 # Define the number of rows (based on the length of vulnerable_packages)
@@ -26,7 +26,7 @@ done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=("jupyter_core" "cryptography" )
+pin_to_required_version=("jupyter_core" "cryptography")
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
     local pkg="$1"
diff --git a/src/anaconda/README.md b/src/anaconda/README.md
@@ -29,8 +29,8 @@ Refer to [this guide](https://containers.dev/guide/dockerfile) for more details.
 You can decide how often you want updates by referencing a [semantic version](https://semver.org/) of each image. For example:
 
 - `mcr.microsoft.com/devcontainers/anaconda:1-3`
-- `mcr.microsoft.com/devcontainers/anaconda:1.0-3`
-- `mcr.microsoft.com/devcontainers/anaconda:1.0.0-3`
+- `mcr.microsoft.com/devcontainers/anaconda:1.3-3`
+- `mcr.microsoft.com/devcontainers/anaconda:1.3.0-3`
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/anaconda/tags/list).
 
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -1,5 +1,5 @@
 {
-	"version": "1.2.9",
+	"version": "1.3.0",
 	"build": {
 		"latest": true,
 		"rootDistro": "debian",
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -41,8 +41,8 @@ checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "cryptography" "44.0.1"
 checkPythonPackageVersion "h11" "0.16.0"
 checkPythonPackageVersion "jupyter_core" "5.8.1"
-checkPythonPackageVersion "protobuf" "4.25.8"
-checkPythonPackageVersion "transformers" "4.52.1"
+checkPythonPackageVersion "protobuf" "5.29.5"
+checkPythonPackageVersion "transformers" "4.53.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.10.2"
 checkPythonPackageVersion "tornado" "6.4.2"

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "1.2.9",`
	`2`	`+ "version": "1.3.0",`
`3`	`3`	`"build": {`
`4`	`4`	`"latest": true,`
`5`	`5`	`"rootDistro": "debian",`