Merge pull request #148 from XAITK/dev/security-vuln-updates

Addressed numerous package dependency vulnerabilities.
XAITK · Jun 3, 2024 · 48c1c0b · 48c1c0b
2 parents d99fcb8 + c59100b
commit 48c1c0b
Show file tree

Hide file tree

Showing 8 changed files with 2,736 additions and 1,995 deletions.
diff --git a/.github/workflows/ci-unittests.yml b/.github/workflows/ci-unittests.yml
@@ -31,12 +31,12 @@ jobs:
     container: python:3.8
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the
@@ -57,12 +57,12 @@ jobs:
     container: python:3.8
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the
@@ -96,12 +96,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the

diff --git a/docs/release_notes/pending_release.rst b/docs/release_notes/pending_release.rst
@@ -4,9 +4,19 @@ Pending Release Notes
 Updates / New Features
 ----------------------
 
+CI/CD
+
+* Updated to use `checkout@v4` and `cache@v4` instead of `*@v2`.
+
 Fixes
 -----
 
-Tests
+Dependencies
 
 * Fixed `numpy` dependency versions for downstream resolution.
+
+* Jupyter notebooks now installed with `notebook` instead of `jupyter`.
+
+* Increased the lower bound of `tqdm` to `4.66.3` to address `CVE-2024-34062`.
+
+* Ran `poetry update` to update `poetry.lock` for vulnerability scanning.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -61,19 +61,19 @@ scipy = [
 click = ">=8.0.3"
 setuptools = "*"
 # Optionals for "example" extra
-jupyter = { version = ">=1.0.0", optional = true }
+notebook = { version = ">=7.0.7", optional = true }
 matplotlib = { version=">=3.4.1", optional = true }
 papermill = { version = ">=2.3.3", optional = true }
 torch = {version = ">=1.9.0,!=2.0.1", optional = true}
 torchvision = {version = ">=0.10.0", optional = true}
-tqdm = { version = ">=4.45.0", optional = true }
+tqdm = { version = "4.66.3", optional = true } # CVE-2024-34062
 # Optionals for "tools" extra"
 kwcoco = { version = ">=0.2.18", optional = true}
 pyyaml = {version = ">=6.0.1", optional = true, python = ">=3.12"}
 shapely = {version = ">=2.0.2", optional = true, python = ">=3.12"}
 
 [tool.poetry.extras]
-example_deps = [ "jupyter", "matplotlib", "papermill", "torch", "torchvision", "tqdm" ]
+example_deps = [ "notebook", "matplotlib", "papermill", "torch", "torchvision", "tqdm" ]
 tools = [ "kwcoco", "matplotlib", "pyyaml", "shapely" ]
 
 [tool.poetry.dev-dependencies]
@@ -103,7 +103,7 @@ coverage = ">=6.5.0"
 pytest = ">=7.2.0"
 pytest-cov = ">=4.0.0"
 # Utility
-ipython = ">=8.6.0"
+notebook = ">=7.0.7"
 
 [tool.poetry.scripts]
 sal-on-coco-dets= "xaitk_saliency.utils.bin.sal_on_coco_dets:sal_on_coco_dets"

diff --git a/tests/impls/gen_image_classifier_blackbox_sal/test_occlusion_based.py b/tests/impls/gen_image_classifier_blackbox_sal/test_occlusion_based.py
@@ -18,7 +18,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """ Test configuration suite using known simple implementations. """

diff --git a/tests/impls/gen_image_similarity_blackbox_sal/test_sbsm.py b/tests/impls/gen_image_similarity_blackbox_sal/test_sbsm.py
@@ -19,7 +19,7 @@ class TestBlackBoxSBSM:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """

diff --git a/tests/impls/gen_image_similarity_blackbox_sal/test_sim_occlusion_based.py b/tests/impls/gen_image_similarity_blackbox_sal/test_sim_occlusion_based.py
@@ -16,7 +16,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """

diff --git a/tests/impls/gen_object_detector_blackbox_sal/test_occlusion_based.py b/tests/impls/gen_object_detector_blackbox_sal/test_occlusion_based.py
@@ -17,7 +17,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """