
Update requirements.txt #13034

Merged
merged 7 commits into from
Aug 29, 2023

Conversation

@jmcarpenter2 jmcarpenter2 commented Aug 25, 2023

Description

I understand that this code is never run, but my company uses ECR image scanning to identify vulnerabilities and is required to resolve any high or critical severity vulnerabilities within a short period for compliance. As this is in conda, any images containing conda have this vulnerability listed in the image scan. In my case, that is the jupyter/scipy-notebook. Hoping to resolve the issue completely by simply updating the requirement for the test.

https://nvd.nist.gov/vuln/detail/CVE-2023-30861

Switching away from updating flask regularly to using a conda-maintained package with no known security vulnerabilities.

Checklist - did you ...

  • Add a file to the news directory (using the template) for the next release's release notes?
  • Add / update necessary tests?
  • Add / update outdated documentation?
    • As this change doesn't impact functionality, I am not updating documentation

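The situation described above, as an added example that is not part of this PR or of conda's own code: an image scanner walks the whole filesystem and parses every requirements file it finds, so an exact pin in a test fixture that is never installed is reported exactly like a pin in a running application. The advisory table below is hand-built for the example (the CVE id is the one cited in the PR; the Flask fix versions 2.2.5 and 2.3.2 come from the Flask advisory for that CVE, not from this page), and the sample tree, its paths and its pinned versions are constructed, not taken from the real fixture or any real image.

```python
"""Scan a tree for pinned requirements matching a known advisory.

Added example (not conda code). Assumptions: the advisory table is hand-built,
the Flask fix versions come from the advisory for CVE-2023-30861, and the
sample tree and its pins are constructed for the demo.
"""
import os
import re
import tempfile

# Constructed advisory table: normalised name -> advisories, each listing the
# vulnerable ranges as (lower_inclusive, upper_exclusive); None = unbounded.
ADVISORIES = {
    "flask": [
        {"cve": "CVE-2023-30861",
         "vulnerable": [(None, "2.2.5"), ("2.3.0", "2.3.2")]},
    ],
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")
REQ_FILE_RE = re.compile(r"^requirements.*\.txt$")


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); a non-numeric tail such as 'rc1' ends the parse."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    while len(parts) < 3:  # pad so (2, 3) and (2, 3, 0) compare equal
        parts.append(0)
    return tuple(parts)


def normalize(name):
    """PEP 503 style normalisation so Flask, flask and FLASK compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (name, version) for every exact '==' pin; other specifiers are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option line
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
    return pins


def in_range(version, lower, upper):
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return upper is None or v < parse_version(upper)


def findings_for(name, version):
    """CVE ids whose vulnerable ranges contain this exact pin."""
    return [a["cve"] for a in ADVISORIES.get(normalize(name), ())
            if any(in_range(version, lo, hi) for lo, hi in a["vulnerable"])]


def scan_tree(root):
    """Walk root the way an image scanner does: where a file lives is irrelevant,
    a pin in a test fixture is reported exactly like one in an application."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not REQ_FILE_RE.match(fn):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8") as fh:
                pins = parse_requirements(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for name, version in pins:
                for cve in findings_for(name, version):
                    hits.append((rel, name, version, cve))
    return hits


def build_sample_tree():
    """Constructed sample image: an app with a fixed Flask, plus a conda test
    fixture (path modelled on the file this PR edits) pinning an older Flask.
    Both pinned versions are illustrative, not the PR's."""
    root = tempfile.mkdtemp(prefix="imgscan-")
    fixture = os.path.join(root, "opt", "conda", "tests", "conda_env", "support")
    os.makedirs(fixture)
    with open(os.path.join(fixture, "requirements.txt"), "w", encoding="utf-8") as fh:
        fh.write("# fixture read by a parser test; never pip-installed\nFlask==2.2.2\n")
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "requirements.txt"), "w", encoding="utf-8") as fh:
        fh.write("flask==2.3.2\nrequests>=2.31  # not an exact pin, skipped\n")
    return root


if __name__ == "__main__":
    for rel, name, version, cve in scan_tree(build_sample_tree()):
        print(f"{cve}: {name}=={version} in {rel}")
```

Running it reports only the fixture under tests/conda_env/support, which is the finding the PR removes by no longer pinning Flask there; the application pin at 2.3.2 is outside every vulnerable range and the unpinned `requests>=2.31` line is skipped because a scanner cannot evaluate an open specifier.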
@jmcarpenter2 jmcarpenter2 requested a review from a team as a code owner August 25, 2023 20:39
@jmcarpenter2
Contributor Author

@conda-bot check

@conda-bot
Contributor

We require contributors to sign our Contributor License Agreement and we don't have one on file for @jmcarpenter2.

In order for us to review and merge your code, please e-sign the Contributor License Agreement PDF. We then need to manually verify your signature, merge the PR (conda/infrastructure#813), and ping the bot to refresh the PR.

@jmcarpenter2
Contributor Author

I have signed the conda CLA now.

@jmcarpenter2
Contributor Author

@conda-bot check

@dholth
Contributor

dholth commented Aug 25, 2023 via email

@jezdez
Member

jezdez commented Aug 28, 2023

@conda-bot check

@conda-bot conda-bot added the cla-signed [bot] added once the contributor has signed the CLA label Aug 28, 2023
Member

@jezdez jezdez left a comment

Let's change the package that we test for to one of ours and also please add a news file.

Review comment on tests/conda_env/support/requirements.txt (outdated, resolved)
@kenodegard
Contributor

pre-commit.ci autofix

jezdez previously approved these changes Aug 28, 2023
@kenodegard kenodegard merged commit 34dfb1f into conda:main Aug 29, 2023
64 checks passed
@jmcarpenter2
Contributor Author

Thanks so much for your help @jezdez, @dholth, and @kenodegard! Just a quick question to understand: what does the release cycle look like? Just hoping to know when to check back on the vulnerabilities so I can report all clear to my company. Thank you!

@kenodegard
Contributor

Conda follows a bi-monthly release schedule; the next release will occur in September, see CEP-8 for details.

@jmcarpenter2
Contributor Author

Ah great, thanks so much!

@jezdez jezdez mentioned this pull request Sep 26, 2023
@github-actions github-actions bot added the locked [bot] locked due to inactivity label Aug 29, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 29, 2024