From 059d9befb81a79375485c24b9b1a6825028df89d Mon Sep 17 00:00:00 2001
From: sireeshajonnalagadda
Date: Fri, 16 Jan 2026 11:45:52 +0000
Subject: [PATCH 1/5] Update vulnerable package versions in security patch script and manifest
---
 src/anaconda/.devcontainer/apply_security_patches.sh | 2 +-
 src/anaconda/manifest.json | 2 +-
 src/anaconda/test-project/test.sh | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
index 1e3f621d2b..ad7ac424b0 100644
--- a/src/anaconda/.devcontainer/apply_security_patches.sh
+++ b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -4,7 +4,7 @@
 # werkzeug - [GHSA-f9vj-2wh5-fj8j]
 vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
- "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22")
+ "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "pyarrow=17.0.0" "brotli=1.2.0" )
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
index 96429b5890..2e6aac6cde 100644
--- a/src/anaconda/manifest.json
+++ b/src/anaconda/manifest.json
@@ -1,5 +1,5 @@
 {
- "version": "1.3.7",
+ "version": "1.3.8",
 "build": {
 "latest": true,
 "rootDistro": "debian",
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index c32614d8a1..6acffa4673 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
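Review bot: The two new pins on the `+` line, `"pyarrow=17.0.0"` and `"brotli=1.2.0"`, have no matching advisory reference in the comment block above the array, which records one per package (the visible context line is `# werkzeug - [GHSA-f9vj-2wh5-fj8j]`); add `# pyarrow - [<advisory id>]` and `# brotli - [<advisory id>]` so the reason for each pin stays auditable when someone later asks whether it can be dropped. The same commit's test.sh still expects `imagecodecs` at `2023.9.18` while this array installs `2024.9.22`; that mismatch predates the commit, but depending on whether the test helper checks equality or a minimum, the test may pass without proving the patched version is installed, so it is worth aligning while these pins are being touched. The array also sits on two very long `\`-continued lines, so every pin change is an edit inside one line; one `"name=version"` entry per line would make each addition or removal its own diff line.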
@@ -47,7 +47,7 @@ checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.10.2"
 checkPythonPackageVersion "tornado" "6.4.2"
 checkPythonPackageVersion "jupyter_server" "2.14.1"
-checkPythonPackageVersion "pyarrow" "14.0.1"
+checkPythonPackageVersion "pyarrow" "17.0.0"
 checkPythonPackageVersion "pillow" "10.3.0"
 checkPythonPackageVersion "jupyterlab" "4.4.8"
 checkPythonPackageVersion "notebook" "7.2.2"
@@ -60,13 +60,14 @@ checkPythonPackageVersion "requests" "2.32.4"
 checkPythonPackageVersion "scikit-learn" "1.5.0"
 checkPythonPackageVersion "zipp" "3.19.1"
 checkPythonPackageVersion "imagecodecs" "2023.9.18"
+checkPythonPackageVersion "brotli" "1.2.0"
 checkCondaPackageVersion "pyopenssl" "24.2.1"
 checkCondaPackageVersion "requests" "2.32.4"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
 checkCondaPackageVersion "urllib3" "2.5.0"
-checkCondaPackageVersion "pyarrow" "14.0.1"
+checkCondaPackageVersion "pyarrow" "17.0.0"
 checkCondaPackageVersion "pydantic" "2.5.3"
 checkCondaPackageVersion "tqdm" "4.66.4"
 checkCondaPackageVersion "black" "24.4.2"
From 91efb9dc70bcad61083175483487d85915e8eade Mon Sep 17 00:00:00 2001
From: sireeshajonnalagadda
Date: Fri, 16 Jan 2026 12:39:31 +0000
Subject: [PATCH 2/5] Add 'brotli' to the list of packages that should always pin to the required version
---
 src/anaconda/.devcontainer/apply_security_patches.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
index b76484dc23..2c402d08f9 100644
--- a/src/anaconda/.devcontainer/apply_security_patches.sh
+++ b/src/anaconda/.devcontainer/apply_security_patches.sh
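Review bot: In the second hunk, `brotli` is added only to the `checkPythonPackageVersion` group, while `pyarrow`, which this same commit bumps, is checked in both that group and the `checkCondaPackageVersion` group; since `apply_security_patches.sh` applies these pins through conda (its own comment in a later commit of this series refers to the conda channel), add `checkCondaPackageVersion "brotli" "1.2.0"` next to the conda `pyarrow` check so a conda-level resolution to an older build is caught as well. The `imagecodecs` expectation on the context line, `2023.9.18`, is older than the `2024.9.22` pin the patch script installs; whether that is a defect depends on whether these helpers test equality or a minimum, which is not visible here, but the two files should agree either way.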
@@ -26,7 +26,7 @@ done
 # Add an array for packages that should always pin to the provided version,
 # even if higher version is available in conda channel
-pin_to_required_version=("protobuf" "transformers" "imagecodecs")
+pin_to_required_version=("protobuf" "transformers" "imagecodecs" "brotli")
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
From 81b05337defb674b979384e530e91b5f0f665df1 Mon Sep 17 00:00:00 2001
From: sireeshajonnalagadda
Date: Fri, 16 Jan 2026 12:48:21 +0000
Subject: [PATCH 3/5] bumping up the manifest version
---
 src/anaconda/manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
index 2e6aac6cde..b8f836689b 100644
--- a/src/anaconda/manifest.json
+++ b/src/anaconda/manifest.json
@@ -1,5 +1,5 @@
 {
- "version": "1.3.8",
+ "version": "1.3.9",
 "build": {
 "latest": true,
 "rootDistro": "debian",
From 2cb3a551dec63676a994932d02e0e86059621b26 Mon Sep 17 00:00:00 2001
From: sireeshajonnalagadda
Date: Mon, 19 Jan 2026 05:57:50 +0000
Subject: [PATCH 4/5] Remove 'protobuf' from the list of packages that should always pin to the required version
---
 src/anaconda/.devcontainer/apply_security_patches.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
index 2c402d08f9..ddc53b2bdd 100644
--- a/src/anaconda/.devcontainer/apply_security_patches.sh
+++ b/src/anaconda/.devcontainer/apply_security_patches.sh
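Review bot: The new `"brotli"` entry in `pin_to_required_version` carries no rationale, and the commit message only restates the change; the header comment explains what exact pinning does but not why a given package needs it, so a later maintainer cannot tell when the pin is safe to relax. A one-line comment above the array, e.g. `# brotli: exact pin required because <reason>`, would preserve that, and the same applies to the pre-existing entries. `is_pin_to_required_version()` opens on the last hunk line and its body lies outside the hunk.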
@@ -26,7 +26,7 @@ done
 # Add an array for packages that should always pin to the provided version,
 # even if higher version is available in conda channel
-pin_to_required_version=("protobuf" "transformers" "imagecodecs" "brotli")
+pin_to_required_version=("transformers" "imagecodecs" "brotli")
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
From 2b56ac1e2d43f45e15f108cabb9c3c2e5bfbf1df Mon Sep 17 00:00:00 2001
From: Abdurrahmaan Iqbal <137001048+abdurriq@users.noreply.github.com>
Date: Wed, 4 Feb 2026 10:54:37 +0000
Subject: [PATCH 5/5] Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/anaconda/.devcontainer/apply_security_patches.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
index ddc53b2bdd..7354bb720a 100644
--- a/src/anaconda/.devcontainer/apply_security_patches.sh
+++ b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -4,7 +4,7 @@
 # werkzeug - [GHSA-f9vj-2wh5-fj8j]
 vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \
- "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "fonttools=4.60.2" "imagecodecs=2024.9.22" "pyarrow=17.0.0" "brotli=1.2.0" )
+ "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" )
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
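Review bot: Dropping `"protobuf"` from `pin_to_required_version` changes behavior for a package that `vulnerable_packages` still pins to `5.29.5`: by the array's own comment, protobuf may now resolve to whatever higher version the conda channel offers, and neither the commit message nor the code records why that is now acceptable. Record it next to the array, e.g. `# protobuf: no longer exact-pinned — <reason>`, so the next reader can tell this was deliberate rather than a lost entry. `is_pin_to_required_version()` starts on the last hunk line and continues outside it.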
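Review bot: The reordered `+` line keeps the stray space before the closing paren (`"brotli=1.2.0" )`) while the opening `(` has none, and this is the third commit in the series to edit that one long `\`-continued line; putting one `"name=version"` entry per line would make each future pin, reorder or removal a one-line diff that reviewers can read. The `-` line also shows `"fonttools=4.60.2"`, which no earlier commit in this series added, so the series was apparently rebased over another pin; like pyarrow and brotli it has no advisory reference in the comment block above the array, and an entry such as `# fonttools - [<advisory id>]` would keep that block complete.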