Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Ipywidgets>=8.x to fix security vulnerabilities #2545

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dazza-codes
Copy link

@dazza-codes dazza-codes commented Mar 26, 2024

Fix #2546

Is the project dependabot running on the python dependency tree? The setup.py seems to be the place to patch this; the bindings/kepler.gl-jupyter/requirements.txt has not been touched in 5 years.

Since the current constraints prevent >= 8.x, this might cause an issue with the consumers of the ipywidgets API.

Bump ipywidgets >=8.0 to resolve CVEs:

-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50664
   Affected spec: <8.0.0
   ADVISORY: Ipywidgets 8.0.0 sanitizes descriptions by default.https://github.com/jupyter-widgets/ipywidgets/pull/2785
   PVE-2022-50664
   For more information about this vulnerability, visit https://data.safetycli.com/v/50664/97c
   To ignore this vulnerability, use PyUp vulnerability id 50664 in safety’s ignore command-line argument or add the ignore to your safety policy file.


-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50463
   Affected spec: <8.0.0rc2
   ADVISORY: Ipywidgets 8.0.0rc2 makes descriptions plaintext by default for security.https://github.com/jupyter-widgets/ipywidgets/pull/2785
   PVE-2022-50463
   For more information about this vulnerability, visit https://data.safetycli.com/v/50463/97c
   To ignore this vulnerability, use PyUp vulnerability id 50463 in safety’s ignore command-line argument or add the ignore to your safety policy file.

https://pypi.org/project/ipywidgets/#history

Bump ipywidgets >=8.0 to resolve CVEs:

```
-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50664
   Affected spec: <8.0.0
   ADVISORY: Ipywidgets 8.0.0 sanitizes descriptions by default.jupyter-widgets/ipywidgets#2785
   PVE-2022-50664
   For more information about this vulnerability, visit https://data.safetycli.com/v/50664/97c
   To ignore this vulnerability, use PyUp vulnerability id 50664 in safety’s ignore command-line argument or add the ignore to your safety policy file.

-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50463
   Affected spec: <8.0.0rc2
   ADVISORY: Ipywidgets 8.0.0rc2 makes descriptions plaintext by default for security.jupyter-widgets/ipywidgets#2785
   PVE-2022-50463
   For more information about this vulnerability, visit https://data.safetycli.com/v/50463/97c
   To ignore this vulnerability, use PyUp vulnerability id 50463 in safety’s ignore command-line argument or add the ignore to your safety policy file.
```

Signed-off-by: Darren Weber <[email protected]>
@dazza-codes dazza-codes changed the title Update setup.py Update Ipywidgets>=8.x to fix security vulnerabilities Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug][Jupyter Widget] Security vulnerabilities in Ipywidgets
1 participant