fix vulns

SeldonIO · Jun 12, 2023 · 767a993 · 767a993
1 parent ef615ed
commit 767a993
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/python/setup.py b/python/setup.py
@@ -3,7 +3,8 @@
 
 from setuptools import find_packages, setup
 
-# Extra dependencies, with special 'all' key
+# Extra dependencies, with special 'tensorflow' key. TF requires a specific versio of 
+# proto to be installed to use their protos.
 extras = {"tensorflow": ["tensorflow", "protobuf>=3.20.2,<4.0.0"]}
 all_extra_deps = chain.from_iterable(extras.values())
 extras["all"] = list(set(all_extra_deps))
@@ -39,13 +40,13 @@
         "prometheus_client >= 0.7.1, < 0.9.0",
         "werkzeug >= 2.1.1, < 2.3",
         # Addresses CVE SNYK-PYTHON-CRYPTOGRAPHY-3315328
-        "cryptography <41.0",
+        "cryptography >= 39.0.1,<41.0",
         # Addresses CVE SNYK-PYTHON-PYYAML-590151
-        "PyYAML <7.0",
+        "PyYAML >= 5.4,<7.0",
         # Addresses CVE PRISMA-2021-0020
         "click >= 8.0.0a1, < 8.1",
         # Addresses CVE CVE-2019-11236 and CVE-2020-26137 and SNYK-PYTHON-URLLIB3-1533435
-        "urllib3 <3.0.0",
+        "urllib3 >= 1.26.5,<3.0.0",
         "importlib-metadata<5; python_version < '3.8'",
     ],
     extras_require=extras,