Update requirements.txt #13034
Conversation
@conda-bot check
We require contributors to sign our Contributor License Agreement and we don't have one on file for @jmcarpenter2. In order for us to review and merge your code, please e-sign the Contributor License Agreement PDF. We then need to manually verify your signature, merge the PR (conda/infrastructure#813), and ping the bot to refresh the PR.
I have signed the conda CLA now.
@conda-bot check
Maybe we can find a fake package to use that will never earn CVEs. Ken, were you using one recently in a test?
> On Fri, Aug 25, 2023, 4:42 PM Jason Carpenter wrote:
> @conda-bot check
@conda-bot check
Let's change the package that we test for to one of ours and also please add a news file.
pre-commit.ci autofix
for more information, see https://pre-commit.ci
Thanks so much for your help @jezdez, @dholth, and @kenodegard! Just a quick question to understand: what does the release cycle look like? Just hoping to know when to check back on the vulnerabilities so I can report all clear to my company. Thank you!
Conda follows a bi-monthly release schedule; the next release will occur in September, see CEP-8 for details.
Ah great, thanks so much!
Description
I understand that this code is never run, but my company uses ECR image scanning to identify vulnerabilities and is required to resolve any high or critical severity vulnerabilities within a short period for compliance. As this is in conda, any images containing conda have this vulnerability listed in the image scan. In my case, that is the jupyter/scipy-notebook. Hoping to resolve the issue completely by simply updating the requirement for the test.
https://nvd.nist.gov/vuln/detail/CVE-2023-30861
Switching away from updating flask regularly to using a conda-maintained package with no known security vulnerabilities.
Checklist - did you ...
- Add a file to the news directory (using the template) for the next release's release notes?
- Add / update outdated documentation?
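The mechanism behind this PR, shown as an added example that is not code from conda or from the PR author: an image scanner walks every requirements file it finds in the image, parses the exact pins, and matches them against advisory version ranges, so a pinned package in a test fixture is reported even though no code imports it. The affected ranges below are the public ones for CVE-2023-30861 (fixed in Flask 2.2.5 and 2.3.2); the requirements text, the old pin `flask==2.2.3`, the severity string, and the replacement package name in `AFTER_SWAPPED` are constructed for illustration and are not the versions or package used in the PR.

```python
import re

# Constructed advisory table. The ranges are the public ones for
# CVE-2023-30861: Flask < 2.2.5, and Flask 2.3.0 through 2.3.1 (fixed in
# 2.3.2). Each range is (lower bound inclusive or None, upper bound exclusive).
ADVISORIES = {
    "flask": [
        {
            "id": "CVE-2023-30861",
            "severity": "HIGH",  # assumed label, as a scanner would carry it
            "affected": [(None, (2, 2, 5)), ((2, 3, 0), (2, 3, 2))],
        }
    ],
}

# Only exact '==' pins are matched: that is all a scanner can tie to an
# installed version. Ranges and unpinned names are ignored on purpose.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def parse_version(text):
    """'2.2.3' -> (2, 2, 3). Only plain dotted release segments are handled."""
    return tuple(int(p) for p in text.strip().strip(".").split("."))


def version_lt(a, b):
    """Release comparison in the PEP 440 sense: pad the shorter tuple with zeros
    so that 2.2 == 2.2.0 and 2.2 < 2.2.5."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_requirements(text):
    """Return [(normalized_name, version_tuple)] for each '==' pin.

    Comments and blank lines are skipped; names are lower-cased and '_' is
    folded to '-' so 'Flask' and 'flask' hit the same advisory entry.
    """
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins.append((name, parse_version(m.group(2))))
    return pins


def in_range(version, lo, hi):
    return (lo is None or not version_lt(version, lo)) and version_lt(version, hi)


def scan_requirements(text, advisories=ADVISORIES):
    """Report one finding per (pin, advisory) whose version falls in an
    affected range, the way an image scanner would list it."""
    findings = []
    for name, version in parse_requirements(text):
        for adv in advisories.get(name, []):
            if any(in_range(version, lo, hi) for lo, hi in adv["affected"]):
                findings.append({
                    "package": name,
                    "version": ".".join(map(str, version)),
                    "id": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


# Constructed sample of a tests/requirements.txt baked into an image. The
# flask pin is only a fixture for an install test, but the scanner cannot know
# that and flags it anyway.
BEFORE = """\
pytest==7.4.0
flask==2.2.3   # constructed old pin, never imported by the test
"""

# Two ways to clear the finding: bump past the fix version, or (what the PR
# does) replace the fixture with a package the project maintains itself so it
# does not accrue third-party CVEs. 'some-conda-owned-pkg' is a placeholder.
AFTER_BUMPED = "pytest==7.4.0\nflask==2.2.5\n"
AFTER_SWAPPED = "pytest==7.4.0\nsome-conda-owned-pkg==1.0.0\n"

if __name__ == "__main__":
    for label, req in (("before", BEFORE), ("bumped", AFTER_BUMPED),
                       ("swapped", AFTER_SWAPPED)):
        print(label, scan_requirements(req))
```

The point of the example is the first line of the constructed file: a scanner has no notion of "this pin is never installed or imported", so the only durable fixes are the two shown, and swapping to a project-owned package is the one that never needs revisiting.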