[anaconda]- vulnerabilities- GHSA-w853-jp5j-5j7f: filelock and GHSA-793v-589g-574v: bokeh#1782

Open
sireeshajonnalagadda wants to merge 8 commits into devcontainers:main from sireeshajonnalagadda:anaconda-vulns

Conversation

@sireeshajonnalagadda sireeshajonnalagadda commented Feb 13, 2026

This PR fixes security vulnerabilities in the Anaconda devcontainer image.

Ref

| GHSA ID | Vulnerability ID | Action | Package | Installed Version | Required Version | Language | Install Path / Note |
|---|---|---|---|---|---|---|---|
| GHSA-w853-jp5j-5j7f: filelock | 5006638 | Y | filelock | 3.13.1 | 3.20.1 | Python | opt/conda/lib/python3.12/site-packages/filelock-3.13.1.dist-info/METADATA |
| GHSA-793v-589g-574v: bokeh | 5006839 | Y | bokeh | 3.6.0 | 3.8.2 | Python | opt/conda/lib/python3.12/site-packages/bokeh-3.6.0.dist-info/METADATA |

Description of changes
Added the packages to the list of vulnerabilities in the apply_security_patches.sh file
Version bump in the manifest.json

Added checks for the vulnerable packages in test.sh

Checklist
Changes work as expected.
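The PR pins fixed versions in apply_security_patches.sh and checks minimum versions in test.sh. The following is an added example and not the devcontainers project's own test.sh or its checkCondaPackageVersion helper: a POSIX shell minimum-version check that reads a constructed `name version` listing instead of calling `conda list`, so it runs offline, and that drives every check from pins written in the same `name=version` form as the vulnerable_packages array, so the patch list and the test share one source of truth. The listing values and the PINS string are constructed for the example (filelock is left at the vulnerable 3.13.1 from the table above), and `sort -V` (GNU or BSD sort) is assumed to be available.

```shell
#!/bin/sh
# Added example, not the project's test.sh: minimum-version checks driven by
# "name=version" pins, the form used by the vulnerable_packages array.

# Constructed "name version" listing standing in for `conda list` output.
# filelock is deliberately left at the vulnerable 3.13.1 from the PR table.
SAMPLE_LISTING='filelock 3.13.1
bokeh 3.8.2
streamlit 1.37.1
werkzeug 3.0.6'

# Pins in the array's own form; constructed here from the PR's entries and
# assumed to be the single source of truth shared with the patch script.
PINS="filelock=3.20.1 bokeh=3.8.2 Werkzeug=3.0.6"

# version_ge A B: succeeds when dotted version A >= B (sort -V orders them).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# installed_version LISTING NAME: prints the installed version of NAME, matched
# case-insensitively (conda lowercases names such as Werkzeug), or nothing.
installed_version() {
    printf '%s\n' "$1" | awk -v p="$2" 'tolower($1) == tolower(p) { print $2; exit }'
}

# check_min_version LISTING NAME REQUIRED: reports OK / OUTDATED / MISSING and
# returns 0 only when NAME is present at or above REQUIRED.
check_min_version() {
    installed=$(installed_version "$1" "$2")
    if [ -z "$installed" ]; then
        echo "MISSING  $2 (required >= $3)"
        return 1
    fi
    if version_ge "$installed" "$3"; then
        echo "OK       $2 $installed >= $3"
        return 0
    fi
    echo "OUTDATED $2 $installed < $3"
    return 1
}

# check_pins LISTING PINS: runs one check per "name=version" pin and returns the
# number of failing pins, so 0 means the listing satisfies every pin.
check_pins() {
    failures=0
    for pin in $2; do
        check_min_version "$1" "${pin%=*}" "${pin#*=}" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone run: one line per pin, then a summary of how many pins failed.
check_pins "$SAMPLE_LISTING" "$PINS" || echo "$? pin(s) unsatisfied"
```

Against the constructed listing the run reports bokeh and werkzeug as OK and filelock as OUTDATED, which is exactly the state the PR table describes before the patch is applied; in a real test the listing would come from `conda list` and the pins from the same array the patch script installs from.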

@sireeshajonnalagadda sireeshajonnalagadda marked this pull request as ready for review February 19, 2026 05:56
Copilot AI review requested due to automatic review settings February 19, 2026 05:56
@sireeshajonnalagadda sireeshajonnalagadda requested a review from a team as a code owner February 19, 2026 05:56
Copilot AI left a comment

Pull request overview

This PR updates the Anaconda devcontainer image security patching flow to remediate two reported Python package vulnerabilities (filelock and bokeh) and adds corresponding image validation checks.

Changes:

  • Add filelock==3.20.1 and bokeh==3.8.2 to the patched package list in apply_security_patches.sh.
  • Add minimum-version checks for filelock and bokeh in the Anaconda image smoke tests (and bump the streamlit minimum).
  • (Per PR description) bump the image version in manifest.json.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/anaconda/.devcontainer/apply_security_patches.sh | Extends the vulnerable/required package list to ensure filelock and bokeh are upgraded during image build. |
| src/anaconda/test-project/test.sh | Adds runtime checks ensuring the patched package versions are present in the built image; updates streamlit minimum. |
Comments suppressed due to low confidence (1)

src/anaconda/.devcontainer/apply_security_patches.sh:7

  • The header comment under # vulnerabilities: only lists werkzeug, but this PR also addresses filelock (GHSA-w853-jp5j-5j7f) and bokeh (GHSA-793v-589g-574v). Please update this comment block so it reflects the vulnerabilities actually being patched.
# vulnerabilities:
# werkzeug - [GHSA-f9vj-2wh5-fj8j] 

vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2"  )

Comment on lines 6 to 7
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
"zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" )
"zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" )
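Review bot: the new entries "filelock=3.20.1" and "bokeh=3.8.2" use a single "=" like the rest of the array, while the review overview above writes filelock==3.20.1, and the two spellings do not mean the same thing to the installers involved: in a conda match spec "name=3.20.1" is a prefix (fuzzy) match and "name==3.20.1" an exact pin, while pip rejects the single-"=" form outright. Confirm how the loop that consumes vulnerable_packages (not shown in this hunk) turns these entries into an install request, so that at least the advisory's fixed versions (3.20.1 and 3.8.2) end up installed regardless of the spelling.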
Copilot AI Feb 19, 2026

The vulnerable_packages array contains a \ (backslash followed by whitespace) after "scrapy=2.11.2". This escape is unnecessary inside the parentheses, adds trailing whitespace, and makes the list harder to maintain (and may trigger shell linters). Please remove the stray escape/extra spaces and format the array with plain line breaks.

See below for a potential fix:

vulnerable_packages=(
    "mistune=3.0.1"
    "aiohttp=3.10.11"
    "cryptography=44.0.1"
    "h11=0.16.0"
    "jinja2=3.1.6"
    "jupyter_core=5.8.1"
    "protobuf=5.29.5"
    "requests=2.32.4"
    "setuptools=78.1.1"
    "transformers=4.53.0"
    "urllib3=2.5.0"
    "Werkzeug=3.0.6"
    "jupyter-lsp=2.2.2"
    "scrapy=2.11.2"
    "zipp=3.19.1"
    "tornado=6.4.2"
    "jupyterlab=4.4.8"
    "imagecodecs=2024.9.22"
    "fonttools=4.60.2"
    "pyarrow=17.0.0"
    "brotli=1.2.0"
    "filelock=3.20.1"
    "bokeh=3.8.2"
)

checkCondaPackageVersion "tqdm" "4.66.4"
checkCondaPackageVersion "black" "24.4.2"
checkCondaPackageVersion "streamlit" "1.37.0"
checkCondaPackageVersion "streamlit" "1.37.1"
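Review bot: this hunk only tightens the streamlit minimum from 1.37.0 to 1.37.1; the checks for filelock (3.20.1) and bokeh (3.8.2) that the PR description says were added to test.sh are not in this excerpt. Wherever they are added, take the required versions from the same place apply_security_patches.sh reads its pins (or at minimum keep the literals identical to "filelock=3.20.1" and "bokeh=3.8.2"), otherwise the patch list and the test can drift apart without anyone noticing, which is what the unexplained streamlit change here already illustrates.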
Copilot AI Feb 19, 2026

The required version for streamlit was bumped from 1.37.0 to 1.37.1, but the PR description only mentions addressing filelock and bokeh vulnerabilities. Please either explain why this additional version requirement changed (e.g., as a dependency update from the security patching) or keep the previous requirement to avoid bundling unrelated changes.

@sireeshajonnalagadda

@copilot open a new pull request to apply changes based on the comments in this thread
