
[Snyk] Security upgrade python from 3.11-slim-buster to 3.11.10-slim-bookworm #8557

Merged
merged 7 commits into from
Nov 5, 2024

Conversation

ntindle
Member

@ntindle ntindle commented Nov 5, 2024


Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • autogpt_platform/market/Dockerfile

We recommend upgrading to python:3.11.10-slim-bookworm, as this image has only 41 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue                                                               Score
high severity Resource Exhaustion (SNYK-DEBIAN10-EXPAT-6227596)      614
high severity Out-of-bounds Write (SNYK-DEBIAN10-NCURSES-1655739)    614
high severity Out-of-bounds Write (SNYK-DEBIAN10-NCURSES-1655739)    614
high severity Out-of-bounds Write (SNYK-DEBIAN10-NCURSES-5421196)    614
high severity Out-of-bounds Write (SNYK-DEBIAN10-NCURSES-5421196)    614

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Resource Exhaustion

@ntindle ntindle requested a review from a team as a code owner November 5, 2024 01:16
@ntindle ntindle requested review from aarushik93 and majdyz and removed request for a team November 5, 2024 01:16

qodo-merge-pro bot commented Nov 5, 2024

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Version Compatibility
Ensure that the new Python version (3.11.10) and the new base image (slim-bookworm) are compatible with all dependencies and the application code.

Contributor

github-actions bot commented Nov 5, 2024

This PR targets the master branch but does not come from dev or a hotfix/* branch.

Automatically setting the base branch to dev.

@github-actions github-actions bot changed the base branch from master to dev November 5, 2024 01:16
@github-actions github-actions bot added platform/backend AutoGPT Platform - Back end size/m labels Nov 5, 2024

netlify bot commented Nov 5, 2024

Deploy Preview for auto-gpt-docs canceled.

Name                   Link
🔨 Latest commit       296784b
🔍 Latest deploy log   https://app.netlify.com/sites/auto-gpt-docs/deploys/672971fd3c0b440008c0910d

@github-actions github-actions bot added size/s and removed size/m labels Nov 5, 2024
Member

@Pwuts Pwuts left a comment


Is it necessary to pin the patch version? Otherwise using 3.11-slim-bookworm would be more practical.

Contributor

@Swiftyos Swiftyos left a comment


Agreed, we can use 3.11-slim-bookworm. However, feel free to merge as is if you'd rather get this in faster, or modify it and merge without waiting for re-approval.

@majdyz majdyz removed their request for review November 5, 2024 08:46
@ntindle ntindle enabled auto-merge (squash) November 5, 2024 19:16
@ntindle
Member Author

ntindle commented Nov 5, 2024

This one has been validated for security, so it was specifically chosen; we should target moving to 3.12/3.13 anyway soon.

@ntindle ntindle merged commit 799c6e5 into dev Nov 5, 2024
7 checks passed
@ntindle ntindle deleted the snyk-fix-c86d29c76ac4dcbd4bbf083316fccf58 branch November 5, 2024 19:19