Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V1 Python microservice Werkzeug package upgrade #5566

Open
maxqlord opened this issue May 4, 2024 · 1 comment · May be fixed by #5588
Open

V1 Python microservice Werkzeug package upgrade #5566

maxqlord opened this issue May 4, 2024 · 1 comment · May be fixed by #5588
Labels
bug

Comments

@maxqlord
Copy link

maxqlord commented May 4, 2024

Seldon currently pins its Werkzeug version to < 2.3, but Werkzeug needs v2.3.8 or v3.0.1+ to avoid an insufficient algorithmic complexity vulnerability: SNYK-PYTHON-WERKZEUG-6035177. Consumers of the Python microservice are unable to use a safe version of Werkzeug because of this version pin.

Describe the bug

This line restricts a consumer from using Werkzeug 2.3.8

seldon-core/python/setup.py

Line 39 in c9ee03b

"werkzeug >= 2.1.1, < 2.3",

To reproduce

Attempt to install werkzeug v2.3.8 with seldon-core v1.18.1

> cat requirements.txt
seldon-core==1.18.1
werkzeug==2.3.8
> pip install -r requirements.txt
...
ERROR: Cannot install -r requirements.txt (line 1) and werkzeug==2.3.8 because these package versions have conflicting dependencies.
The conflict is caused by:
    The user requested werkzeug==2.3.8
    seldon-core 1.18.1 depends on werkzeug<2.3 and >=2.1.1

Expected behaviour

A non-vulnerable version of Werkzeug can be used.
@maxqlord maxqlord added the bug label May 4, 2024
@maxqlord maxqlord linked a pull request May 10, 2024 that will close this issue
Open
@maxqlord
Copy link
Author

Addressed by #5588

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Address CVE SNYK-PYTHON-WERKZEUG-6035177 and SNYK-PYTHON-WERKZEUG-680… maxqlord/seldon-core
1 participant
@maxqlord