[Snyk] Fix for 14 vulnerabilities #7
base: master
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-3164749
- https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047
- https://snyk.io/vuln/SNYK-PYTHON-FONTTOOLS-6133203
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970
- https://snyk.io/vuln/SNYK-PYTHON-PARAMIKO-6130887
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219986
- https://snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3180412
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177

Walkthrough
This update introduces several new dependencies to the
Changes
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files selected for processing (1)
- benchmark/requirements.txt (1 hunks)
Additional comments: 7
benchmark/requirements.txt (7)
- 2-2: Upgrading `certifi` to `2023.7.22` is a crucial step in ensuring the security of SSL/TLS certificates. However, it's important to verify that this upgrade does not introduce any compatibility issues with other packages that rely on `certifi`.
- 3-3: The upgrade of `fonttools` to `4.43.0` addresses vulnerabilities and should improve the handling of font files. Ensure that this upgrade is compatible with any direct usage of `fonttools` in the project.
- 4-4: Upgrading `numpy` to `1.22.2` can have significant implications for numerical computations. It's essential to test the performance and correctness of any data processing or machine learning tasks that depend on `numpy`.
- 5-5: The upgrade of `paramiko` to `3.4.0` is important for securing SSH connections. Verify that this upgrade does not affect any SSH-based automation or deployment scripts in the project.
- 6-6: Upgrading `pillow` to `10.2.0` addresses critical vulnerabilities in image processing. Ensure that this upgrade does not break any image manipulation features, especially if custom PIL (Pillow) operations are used.
- 7-7: The upgrade of `setuptools` to `65.5.1` is significant for package management and distribution. Confirm that this upgrade is compatible with the project's build and deployment processes.
- 8-8: Upgrading `werkzeug` to `2.3.8` is crucial for web application security and performance. If the project involves web development, ensure compatibility with Flask or other frameworks that depend on `werkzeug`.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
By pinning:

| Why? | Issue | Package | Upgrade |
|---|---|---|---|
| Has a fix available, CVSS 6.8 | SNYK-PYTHON-CERTIFI-3164749 | certifi | 2021.10.8 -> 2023.7.22 |
| Has a fix available, CVSS 9.8 | SNYK-PYTHON-CERTIFI-5805047 | certifi | 2021.10.8 -> 2023.7.22 |
| Has a fix available, CVSS 7.5 | SNYK-PYTHON-FONTTOOLS-6133203 | fonttools | 4.38.0 -> 4.43.0 |
| Proof of Concept exploit, Has a fix available, CVSS 3.7 | SNYK-PYTHON-NUMPY-2321964 | numpy | 1.21.3 -> 1.22.2 |
| Has a fix available, CVSS 3.7 | SNYK-PYTHON-NUMPY-2321966 | numpy | 1.21.3 -> 1.22.2 |
| Proof of Concept exploit, Has a fix available, CVSS 3.7 | SNYK-PYTHON-NUMPY-2321970 | numpy | 1.21.3 -> 1.22.2 |
| Proof of Concept exploit, Has a fix available, CVSS 5.9 | SNYK-PYTHON-PARAMIKO-6130887 | paramiko | 2.12.0 -> 3.4.0 |
| Mature exploit, Has a fix available, CVSS 9.6 | SNYK-PYTHON-PILLOW-5918878 | pillow | 9.5.0 -> 10.2.0 |
| Has a fix available, CVSS 7.5 | SNYK-PYTHON-PILLOW-6043904 | pillow | 9.5.0 -> 10.2.0 |
| Proof of Concept exploit, Has a fix available, CVSS 8.1 | SNYK-PYTHON-PILLOW-6182918 | pillow | 9.5.0 -> 10.2.0 |
| Has a fix available, CVSS 7.5 | SNYK-PYTHON-PILLOW-6219984 | pillow | 9.5.0 -> 10.2.0 |
| Has a fix available, CVSS 7.5 | SNYK-PYTHON-PILLOW-6219986 | pillow | 9.5.0 -> 10.2.0 |
| Has a fix available, CVSS 5.9 | SNYK-PYTHON-SETUPTOOLS-3180412 | setuptools | 40.5.0 -> 65.5.1 |
| Has a fix available, CVSS 6.5 | SNYK-PYTHON-WERKZEUG-6035177 | werkzeug | 2.2.3 -> 2.3.8 |
(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
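The PR above pins seven packages to their first fixed releases and asks the maintainer to confirm the pins do not break the project. The complementary check a reviewer wants is the reverse one: confirm that a requirements file actually carries exact `==` pins at or above those targets before merging, and keeps them afterwards. The script below is an added example, not part of the Snyk PR or of this repository. `MIN_FIXED` is copied from the Upgrade column above; the requirements text is a constructed sample with two stale pins and one range specifier left in deliberately; the function and constant names are assumptions of this example. Versions are compared as integer tuples because plain string comparison would rank pillow `9.5.0` above `10.2.0` and let a vulnerable pin pass.

```python
"""Audit a requirements.txt against the minimum fixed versions from a Snyk PR.

Added example; not the project's own code and not part of the Snyk PR.
"""
import re

# Upgrade targets from the PR table (package -> first version Snyk pins to).
MIN_FIXED = {
    "certifi": "2023.7.22",
    "fonttools": "4.43.0",
    "numpy": "1.22.2",
    "paramiko": "3.4.0",
    "pillow": "10.2.0",
    "setuptools": "65.5.1",
    "werkzeug": "2.3.8",
}

# Constructed sample of what the file might look like before the PR is merged:
# paramiko and pillow are still on the old pins, setuptools is a range, not a pin.
SAMPLE_REQUIREMENTS = """\
# benchmark/requirements.txt (constructed sample, not the real file)
certifi==2023.7.22
fonttools==4.43.0
numpy==1.22.2
paramiko==2.12.0
pillow==9.5.0
setuptools>=40.5.0
werkzeug==2.3.8
requests
"""

# name, optional operator, optional version; enough for plain pin lines.
_REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(text):
    """Turn '10.2.0' into (10, 2, 0) so comparison is numeric, not lexical.

    Each dotted piece is truncated at its first non-digit, so '1.0rc1'
    becomes (1, 0); adequate for the X.Y.Z pins seen in this PR.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def normalize_name(name):
    """PEP 503 normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Yield (normalised name, operator or None, version or None) per requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        yield normalize_name(name), op, ver


def audit(requirements_text, minimums=MIN_FIXED):
    """Return [(package, finding), ...] for every package in `minimums` that is not safely pinned.

    'unpinned'      - no exact '==' pin, so pip may still resolve a vulnerable release
    'below minimum' - pinned to a version older than the first fixed one
    'missing'       - listed in `minimums` but absent from the file entirely
    Packages not in `minimums` are ignored.
    """
    findings = []
    seen = set()
    for name, op, ver in parse_requirements(requirements_text):
        if name not in minimums:
            continue
        seen.add(name)
        if op != "==" or ver is None:
            findings.append((name, "unpinned"))
        elif parse_version(ver) < parse_version(minimums[name]):
            findings.append((name, "below minimum %s (have %s)" % (minimums[name], ver)))
    for name in minimums:
        if name not in seen:
            findings.append((name, "missing"))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE_REQUIREMENTS):
        print("%-12s %s" % (pkg, finding))
```

Run it against the real file with `audit(open("benchmark/requirements.txt").read())`. The script only inspects the file's own lines; it does not resolve the dependency graph, so a package that is reached transitively but not written into the file is reported as `missing` rather than silently passed, which is the case a pin-based fix has to cover explicitly.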