6 changes: 3 additions & 3 deletions src/anaconda/.devcontainer/apply_security_patches.sh
Expand Up @@ -3,8 +3,8 @@
# vulnerabilities:
# werkzeug - [GHSA-f9vj-2wh5-fj8j]

vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
"zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" )
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
Copilot AI Feb 23, 2026

vulnerable_packages uses Werkzeug=... with capital-W while other entries are lowercase. Since this name is also passed to conda search/conda install, the mixed casing can make the conda lookup/install unreliable (conda package names are typically lowercase). Consider switching this entry to werkzeug=... for consistency/reliability.

Suggested change
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \

"zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "distributed=2026.1.0" "wheel=0.46.2" )
Copilot AI Feb 23, 2026

The header comment lists only a Werkzeug vulnerability (and references a different GHSA ID), but this script now also patches wheel and distributed. Please update the comment block to reflect the current GHSA IDs/packages being addressed so future maintainers know why these pins exist.

See below for a potential fix:

# Security-related version pins for known vulnerabilities in dependencies.
# This script currently enforces versions for packages including Werkzeug,
# distributed, wheel, and others listed in vulnerable_packages below.
# Specific GHSA IDs / advisories are tracked in the project security docs;
# keep this comment in sync if new vulnerable packages are added.
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "distributed=2026.1.0" "wheel=0.46.2" )


# Define the number of rows (based on the length of vulnerable_packages)
rows=${#vulnerable_packages[@]}
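Review bot: the header comment at the top of this hunk still cites a single advisory (GHSA-f9vj-2wh5-fj8j for werkzeug) even though the change raises werkzeug from 3.0.6 to 3.1.5 and adds `distributed=2026.1.0` and `wheel=0.46.2` with no advisory reference at all; put the advisory ID that motivates each new or raised minimum next to its package name so a later reader can check whether the pin is still needed. Lowercasing `Werkzeug` to `werkzeug` as suggested above would also remove the case mismatch with the `checkPythonPackageVersion "werkzeug"` entry in src/anaconda/test-project/test.sh.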
Expand All @@ -28,7 +28,7 @@ done

# Add an array for packages that should always pin to the provided version,
# even if higher version is available in conda channel
pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf")
pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf" "distributed")
Copilot AI Feb 23, 2026

Adding distributed to pin_to_required_version means the script will force-install exactly distributed==2026.1.0 even if the base image/conda channel already provides a newer (potentially more secure) version. Unless there is a specific compatibility reason to pin distributed, it would be safer to let it float to any version >= the required minimum and keep it out of the pin list.

Suggested change
pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf" "distributed")
pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf")


# Function to check if a package is in the pin_to_required_version array
function is_pin_to_required_version() {
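Review bot: adding `distributed` to `pin_to_required_version` hard-codes the literal `2026.1.0` in two files (in `vulnerable_packages` here and in `checkPythonPackageVersion "distributed" "2026.1.0"` in src/anaconda/test-project/test.sh), so a future bump has to touch both or the test silently drifts from what the script installs. If the exact pin is genuinely required, record the reason in the comment above the array, which currently explains only the mechanism ("even if higher version is available"), not why this particular package must not float past the minimum.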
2 changes: 1 addition & 1 deletion src/anaconda/manifest.json
@@ -1,5 +1,5 @@
{
"version": "1.3.11",
"version": "1.3.12",
"build": {
"latest": true,
"rootDistro": "debian",
5 changes: 3 additions & 2 deletions src/anaconda/test-project/test.sh
Expand Up @@ -34,9 +34,9 @@ checkPythonPackageVersion "cookiecutter" "2.1.1"
checkPythonPackageVersion "mistune" "2.0.3"
checkPythonPackageVersion "numpy" "1.22"
checkPythonPackageVersion "setuptools" "78.1.1"
checkPythonPackageVersion "wheel" "0.38.1"
checkPythonPackageVersion "wheel" "0.46.2"
checkPythonPackageVersion "nbconvert" "6.5.1"
checkPythonPackageVersion "werkzeug" "3.0.6"
checkPythonPackageVersion "werkzeug" "3.1.5"
checkPythonPackageVersion "certifi" "2022.12.07"
checkPythonPackageVersion "cryptography" "44.0.1"
checkPythonPackageVersion "h11" "0.16.0"
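Review bot: the two updated checks (`wheel` 0.46.2 and `werkzeug` 3.1.5) match the new pins in apply_security_patches.sh, but the unchanged neighbouring line `checkPythonPackageVersion "mistune" "2.0.3"` asserts a lower version than the `mistune=3.0.1` that script installs. If the helper checks a minimum, the test still passes but no longer guards the patched version; if it checks equality, it fails. Either way, bring it to 3.0.1 in the same change.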
Expand All @@ -62,6 +62,7 @@ checkPythonPackageVersion "zipp" "3.19.1"
checkPythonPackageVersion "imagecodecs" "2023.9.18"
checkPythonPackageVersion "brotli" "1.2.0"
checkPythonPackageVersion "fonttools" "4.60.2"
checkPythonPackageVersion "distributed" "2026.1.0"

checkCondaPackageVersion "pyopenssl" "24.2.1"
checkCondaPackageVersion "requests" "2.32.4"
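Review bot: the new `distributed` check follows the existing pattern, but the context line `checkPythonPackageVersion "imagecodecs" "2023.9.18"` two lines above it disagrees with `imagecodecs=2024.9.22`, a package apply_security_patches.sh pins to the exact version via `pin_to_required_version`; update it to 2024.9.22 so the test exercises the version the script actually enforces.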