
Libraries with vulnerabilities should be updated #567

Open
chamblee-st opened this issue May 16, 2023 · 2 comments
@chamblee-st

The MAST team runs pip-audit to generate a report of libraries that should be updated. These old libraries have documented vulnerabilities that are known to be fixed in a newer version. Attached is the report run on May 12, 2023.

library-validation-short.txt

Updating the libraries in ExoCTK will guard against security vulnerabilities in ExoCTK and will ease integration with Exo.MAST.

You can run pip-audit yourself with:

```shell
cd exoctk
pip install pip-audit
pip-audit --format markdown --output library-validation-short.txt
```
@hover2pi
Member

Thanks for this snippet @chamblee-st! I ran it for the release version of v1.2.5 and will leave the results here for future me to update for the v1.2.5.1 release.

Name | Version | ID | Fix Versions
--- | --- | --- | ---
cryptography | 39.0.0 | GHSA-w7pp-m8wf-vj6r | 39.0.1
cryptography | 39.0.0 | GHSA-x4qr-2fvf-3mr5 | 39.0.1
cryptography | 39.0.0 | GHSA-5cpq-8wj7-hf2v | 41.0.0
cryptography | 39.0.0 | GHSA-jm77-qphf-c4w8 | 41.0.3
cryptography | 39.0.0 | GHSA-v8gr-m533-ghj9 | 41.0.4
gitpython | 3.1.32 | PYSEC-2023-161 | 3.1.33
gitpython | 3.1.32 | PYSEC-2023-165 | 3.1.35
jupyter-server | 2.7.1 | PYSEC-2023-155 | 2.7.2
jupyter-server | 2.7.1 | PYSEC-2023-157 | 2.7.2
pillow | 9.4.0 | PYSEC-2023-175 | 10.0.1

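A report like the one above lists one row per advisory, so a package with several findings (cryptography here) needs the highest of the per-advisory fix versions, not the first one. The script below is an added example, not part of this thread or of ExoCTK: it parses the markdown table that `pip-audit --format markdown` emits (the sample rows are constructed from the table above) and computes the minimum version each package must be raised to. It assumes plain release versions (no pre-release tags), which is all this report contains.

```python
"""Turn a pip-audit markdown report into the minimum version each package must be raised to."""
import re

# Constructed sample: rows in the shape `pip-audit --format markdown` emits (taken from the table above).
SAMPLE_REPORT = """\
Name | Version | ID | Fix Versions
--- | --- | --- | ---
cryptography | 39.0.0 | GHSA-w7pp-m8wf-vj6r | 39.0.1
cryptography | 39.0.0 | GHSA-5cpq-8wj7-hf2v | 41.0.0
cryptography | 39.0.0 | GHSA-v8gr-m533-ghj9 | 41.0.4
gitpython | 3.1.32 | PYSEC-2023-161 | 3.1.33
gitpython | 3.1.32 | PYSEC-2023-165 | 3.1.35
pillow | 9.4.0 | PYSEC-2023-175 | 10.0.1
"""

def version_key(v):
    """Sort key for plain release versions such as 41.0.4 (assumption: no pre-release tags)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_report(text):
    """Yield (name, installed, advisory_id, [fix versions]) for each data row of the table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Name" or cells[0].startswith("-"):
            continue  # header row, separator row, or not a table row
        name, installed, adv_id, fixes = cells[:4]
        fix_list = [f.strip() for f in fixes.split(",") if f.strip()]  # pip-audit comma-joins fixes
        yield name.lower(), installed, adv_id, fix_list

def required_upgrades(text):
    """Map package -> (installed, lowest version clearing every advisory, advisory ids).

    Each advisory is cleared by its lowest listed fix version; the package needs the highest of
    those across all its advisories, so cryptography lands on 41.0.4 rather than 39.0.1.
    """
    result = {}
    for name, installed, adv_id, fix_list in parse_report(text):
        if not fix_list:  # pip-audit leaves the column empty when no fixed release exists yet
            continue
        lowest_fix = min(fix_list, key=version_key)
        installed, current_min, ids = result.get(name, (installed, None, []))
        if current_min is None or version_key(lowest_fix) > version_key(current_min):
            current_min = lowest_fix
        result[name] = (installed, current_min, ids + [adv_id])
    return result

def pin_lines(text):
    """Render the result as requirement specifiers ready to paste into a requirements file."""
    return [f"{name}>={minimum}" for name, (_, minimum, _) in sorted(required_upgrades(text).items())]

if __name__ == "__main__":
    for name, (installed, minimum, ids) in required_upgrades(SAMPLE_REPORT).items():
        print(f"{name}: {installed} -> >={minimum}  ({len(ids)} advisories)")
```

Point it at the real report with `required_upgrades(open("library-validation-short.txt").read())`; rows whose advisory has no fix version yet are skipped and still need manual review.
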
@nespinoza
Collaborator

@mfixstsci is going to have a look at this and bandit.
