From 744ce41a43e51c9f21d91aa0c14f2bfb4f86aaa0 Mon Sep 17 00:00:00 2001 From: Venkumahanti Subhankar Date: Sat, 6 Jun 2026 06:24:57 +0000 Subject: [PATCH 1/5] [anaconda]- Security Update for python-dotenv (GHSA-mf9w-mj56-hr94) --- src/anaconda/.devcontainer/apply_security_patches.sh | 2 +- src/anaconda/manifest.json | 2 +- src/anaconda/test-project/test.sh | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh index c4f4936a24..f9a94f70be 100644 --- a/src/anaconda/.devcontainer/apply_security_patches.sh +++ b/src/anaconda/.devcontainer/apply_security_patches.sh @@ -4,7 +4,7 @@ # werkzeug - [GHSA-f9vj-2wh5-fj8j] patched_package_versions=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=6.33.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.14.2" - "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.0" "markdown=3.8.1") + "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.0" "markdown=3.8.1" "python-dotenv=1.2.2") # Define the number of rows (based on the length of patched_package_versions) rows=${#patched_package_versions[@]} diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json index a717e5505a..2db73dfa6d 100644 --- a/src/anaconda/manifest.json +++ b/src/anaconda/manifest.json 
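Review bot: The new `"python-dotenv=1.2.2"` pin is appended to `patched_package_versions` without a matching advisory line in the comment header, which (judging by the visible context line `# werkzeug - [GHSA-f9vj-2wh5-fj8j]`) records one advisory per pinned package. The diffstat shows a single changed line for this file, so no header entry was added; I would add `# python-dotenv - [GHSA-mf9w-mj56-hr94]` next to the werkzeug entry so the pin stays traceable to its advisory. The same gap applies to the later hunks on this file: `"lxml=6.1.0"` in patch 3/5 (GHSA-vfmq-68hx-4jfw) and the `nbconvert=7.17.1` bump in patch 4/5 (GHSA-4c99-qj7h-p3vg, GHSA-7jqv-fw35-gmx9). The header starts above the hunk, so confirm its exact format before adding the lines.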
@@ -1,5 +1,5 @@ { - "version": "1.3.15", + "version": "1.3.16", "build": { "latest": true, "rootDistro": "debian", diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh index 0602a90121..499a407e6c 100755 --- a/src/anaconda/test-project/test.sh +++ b/src/anaconda/test-project/test.sh @@ -66,6 +66,7 @@ checkPythonPackageVersion "distributed" "2026.1.0" checkPythonPackageVersion "filelock" "3.20.1" checkPythonPackageVersion "bokeh" "3.8.2" checkPythonPackageVersion "pyjwt" "2.12.0" +checkPythonPackageVersion "python-dotenv" "1.2.2" checkCondaPackageVersion "pyopenssl" "26.0.0" checkCondaPackageVersion "requests" "2.32.4" @@ -79,6 +80,7 @@ checkCondaPackageVersion "black" "26.3.1" checkCondaPackageVersion "streamlit" "1.37.0" checkCondaPackageVersion "nltk" "3.9.3" checkCondaPackageVersion "markdown" "3.8.1" +checkCondaPackageVersion "python-dotenv" "1.2.2" check "conda-update-conda" bash -c "conda update -y conda" check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow" From 885fa9da4596f52df98e753df0a1a3fa4f707512 Mon Sep 17 00:00:00 2001 From: Venkumahanti Subhankar Date: Tue, 9 Jun 2026 08:38:31 +0000 Subject: [PATCH 2/5] [miniconda]- Security Update for python-dotenv (GHSA-mf9w-mj56-hr94) --- src/miniconda/.devcontainer/apply_security_patches.sh | 2 +- src/miniconda/manifest.json | 2 +- src/miniconda/test-project/test.sh | 8 ++++++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/miniconda/.devcontainer/apply_security_patches.sh b/src/miniconda/.devcontainer/apply_security_patches.sh index 3d8fbd4ceb..32006bddcc 100644 --- a/src/miniconda/.devcontainer/apply_security_patches.sh +++ b/src/miniconda/.devcontainer/apply_security_patches.sh 
@@ -5,7 +5,7 @@ # define array of packages for pinning to the patched versions # patched_package_versions=( "package1=version1" "package2=version2" "package3=version3" ) -patched_package_versions=( "cryptography=46.0.6" "requests=2.32.4" "urllib3=2.5.0") +patched_package_versions=( "cryptography=46.0.6" "requests=2.32.4" "urllib3=2.5.0" "python-dotenv=1.2.2") # Define the number of rows (based on the length of patched_package_versions) rows=${#patched_package_versions[@]} diff --git a/src/miniconda/manifest.json b/src/miniconda/manifest.json index b195456dba..6095e5e118 100644 --- a/src/miniconda/manifest.json +++ b/src/miniconda/manifest.json @@ -1,5 +1,5 @@ { - "version": "1.2.5", + "version": "1.2.6", "build": { "latest": true, "rootDistro": "debian", diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh index 6f0c76dde4..ba152ca49e 100755 --- a/src/miniconda/test-project/test.sh +++ b/src/miniconda/test-project/test.sh @@ -22,6 +22,7 @@ checkPythonPackageVersion "cryptography" "46.0.6" checkPythonPackageVersion "setuptools" "65.5.1" checkPythonPackageVersion "wheel" "0.38.1" checkPythonPackageVersion "urllib3" "2.5.0" +checkPythonPackageVersion "python-dotenv" "1.2.2" checkCondaPackageVersion "cryptography" "46.0.6" checkCondaPackageVersion "setuptools" "65.5.1" 
@@ -31,10 +32,13 @@ checkCondaPackageVersion "urllib3" "2.5.0" checkCondaPackageVersion "idna" "3.7" checkCondaPackageVersion "tqdm" "4.66.4" checkCondaPackageVersion "certifi" "2024.7.4" +checkCondaPackageVersion "python-dotenv" "1.2.2" check "conda-update-conda" bash -c "conda update -y conda" -check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow" -check "conda-install-pytorch" bash -c "conda create --name test-env -c conda-forge --yes pytorch" +check "conda-install-tensorflow" bash -c "conda create --name test-tensorflow -c conda-forge --yes tensorflow" +# Clear repodata cache between heavy conda-forge solves to avoid "sqlite3 database is locked". +check "conda-clean-index-cache" bash -c "conda clean --index-cache --yes" +check "conda-install-pytorch" bash -c "conda create --name test-pytorch -c conda-forge --yes pytorch" checkPipWorkingCorrectly From a1da53af6b9d2d127f2f4f3e64f04c6a247d1bd3 Mon Sep 17 00:00:00 2001 From: Venkumahanti Subhankar Date: Wed, 10 Jun 2026 07:31:48 +0000 Subject: [PATCH 3/5] [anaconda] - Security Update for lxml (GHSA-vfmq-68hx-4jfw) --- src/anaconda/.devcontainer/apply_security_patches.sh | 2 +- src/anaconda/manifest.json | 2 +- src/anaconda/test-project/test.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh index f9a94f70be..ec58ab26e5 100644 --- a/src/anaconda/.devcontainer/apply_security_patches.sh +++ b/src/anaconda/.devcontainer/apply_security_patches.sh 
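Review bot: The switch to distinct environment names (`test-tensorflow`, `test-pytorch`) and the added `conda clean --index-cache --yes` step land only in the miniconda test script. The anaconda `test.sh` context in patch 1/5 still shows `conda create --name test-env -c conda-forge --yes tensorflow`; if its pytorch check reuses `test-env`, it presumably keeps the name collision and the lock error this hunk works around. The existing comment explains the cache clean but not the rename, so I would extend it, e.g. `# Use one env name per solve so the second create does not hit the existing test-env.` This is also a test-harness fix unrelated to the python-dotenv advisory named in the subject, so a separate commit would keep the security update easier to audit and backport.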
@@ -4,7 +4,7 @@ # werkzeug - [GHSA-f9vj-2wh5-fj8j] patched_package_versions=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=6.33.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.14.2" - "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.0" "markdown=3.8.1" "python-dotenv=1.2.2") + "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.0" "markdown=3.8.1" "python-dotenv=1.2.2" "lxml=6.1.0") # Define the number of rows (based on the length of patched_package_versions) rows=${#patched_package_versions[@]} diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json index 2db73dfa6d..11604f9417 100644 --- a/src/anaconda/manifest.json +++ b/src/anaconda/manifest.json @@ -1,5 +1,5 @@ { - "version": "1.3.16", + "version": "1.3.17", "build": { "latest": true, "rootDistro": "debian", diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh index 499a407e6c..ea354d9fa6 100755 --- a/src/anaconda/test-project/test.sh +++ b/src/anaconda/test-project/test.sh @@ -67,6 +67,7 @@ checkPythonPackageVersion "filelock" "3.20.1" checkPythonPackageVersion "bokeh" "3.8.2" checkPythonPackageVersion "pyjwt" "2.12.0" checkPythonPackageVersion "python-dotenv" "1.2.2" +checkPythonPackageVersion "lxml" "6.1.0" checkCondaPackageVersion "pyopenssl" "26.0.0" checkCondaPackageVersion "requests" "2.32.4" 
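Review bot: The lxml pin is asserted only through `checkPythonPackageVersion "lxml" "6.1.0"`, whereas the python-dotenv pin from patch 1/5 is asserted by both `checkPythonPackageVersion` and `checkCondaPackageVersion` in this same file. If the two helpers read different package metadata (their bodies are outside the hunk), a conda-side regression of lxml would go unnoticed. I would add `checkCondaPackageVersion "lxml" "6.1.0"` to the conda group, or leave a one-line comment saying why only the pip-side check applies to lxml.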
From 426746cf99c01ad361b4d14d394b1dc6d9847619 Mon Sep 17 00:00:00 2001 From: Venkumahanti Subhankar Date: Wed, 10 Jun 2026 12:21:30 +0000 Subject: [PATCH 4/5] [anaconda]- Security Update for nbconvert (GHSA-4c99-qj7h-p3vg) & (GHSA-7jqv-fw35-gmx9) --- src/anaconda/.devcontainer/apply_security_patches.sh | 2 +- src/anaconda/test-project/test.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh index ec58ab26e5..9c4f236299 100644 --- a/src/anaconda/.devcontainer/apply_security_patches.sh +++ b/src/anaconda/.devcontainer/apply_security_patches.sh @@ -4,7 +4,7 @@ # werkzeug - [GHSA-f9vj-2wh5-fj8j] patched_package_versions=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=6.33.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.14.2" - "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.0" "markdown=3.8.1" "python-dotenv=1.2.2" "lxml=6.1.0") + "zipp=3.19.1" "tornado=6.5.5" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" "nltk=3.9.3" "black=26.3.1" "pyjwt=2.12.0" "pillow=12.1.1" "pyopenssl=26.0.0" "nbconvert=7.17.1" "markdown=3.8.1" "python-dotenv=1.2.2" "lxml=6.1.0") # Define the number of rows (based on the length of patched_package_versions) rows=${#patched_package_versions[@]} diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh index ea354d9fa6..f06c0d15a7 100755 --- a/src/anaconda/test-project/test.sh 
+++ b/src/anaconda/test-project/test.sh @@ -35,7 +35,7 @@ checkPythonPackageVersion "mistune" "3.0.1" checkPythonPackageVersion "numpy" "1.22" checkPythonPackageVersion "setuptools" "78.1.1" checkPythonPackageVersion "wheel" "0.46.2" -checkPythonPackageVersion "nbconvert" "7.17.0" +checkPythonPackageVersion "nbconvert" "7.17.1" checkPythonPackageVersion "werkzeug" "3.1.5" checkPythonPackageVersion "certifi" "2022.12.07" checkPythonPackageVersion "cryptography" "44.0.1" From 31faaef7b36fb2a07a9462463595064cf9e1f11b Mon Sep 17 00:00:00 2001 From: Venkumahanti Subhankar Date: Fri, 12 Jun 2026 11:01:11 +0000 Subject: [PATCH 5/5] [anaconda]- Security Update for GitPython (GHSA-rpm5-65cw-6hj4) & (GHSA-x2qx-6953-8485) --- src/python/.devcontainer/Dockerfile | 2 +- src/python/manifest.json | 2 +- src/python/test-project/test.sh | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/python/.devcontainer/Dockerfile b/src/python/.devcontainer/Dockerfile index d818f7a8e6..e3b1eecfec 100644 --- a/src/python/.devcontainer/Dockerfile +++ b/src/python/.devcontainer/Dockerfile @@ -10,7 +10,7 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ # They are installed by the base image (python) which does not have the patch. RUN python3 -m pip install --upgrade \ setuptools==78.1.1 \ - gitpython==3.1.41 \ + gitpython==3.1.47 \ jaraco.context==6.1.0 \ wheel==0.46.2 diff --git a/src/python/manifest.json b/src/python/manifest.json index a6ba5aa215..6a5a4d9d9b 100644 --- a/src/python/manifest.json +++ b/src/python/manifest.json @@ -1,5 +1,5 @@ { - "version": "3.1.0", + "version": "3.1.1", "variants": [ "3.14-trixie", "3.13-trixie", diff --git a/src/python/test-project/test.sh b/src/python/test-project/test.sh index c545f3396b..1e4e536245 100755 --- a/src/python/test-project/test.sh +++ b/src/python/test-project/test.sh 
@@ -47,9 +47,9 @@ check-version-ge "svn-requirement" "${svn_version}" "1.14.5" setuptools_version=$(python -c "import setuptools; print(setuptools.__version__)") check-version-ge "setuptools-requirement" "${setuptools_version}" "78.1.1" -# https://github.com/advisories/GHSA-2mqj-m65w-jghx +# https://github.com/advisories/GHSA-rpm5-65cw-6hj4 gitpython_version=$(python -c "import git; print(git.__version__)") -check-version-ge "gitpython-requirement" "${gitpython_version}" "3.1.41" +check-version-ge "gitpython-requirement" "${gitpython_version}" "3.1.47" # GHSA-58pv-8j8x-9vj2: jaraco.context jaraco_context_version=$(python -c "from importlib.metadata import version; print(version('jaraco.context'))")
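Review bot: The advisory comment above the GitPython check now cites only GHSA-rpm5-65cw-6hj4, although the commit subject names two advisories, and the previous reference to GHSA-2mqj-m65w-jghx is dropped. The `3.1.47` floor would still cover the older advisory, so I would list all three, e.g. `# GitPython: GHSA-2mqj-m65w-jghx, GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485`, so the reason for the minimum version stays auditable. The subject is tagged `[anaconda]`, but every path touched in this patch is under `src/python/`, which will mislead anyone searching history by image name. The Dockerfile pins `gitpython==3.1.47` exactly while this test uses `check-version-ge`; that is fine as a lower-bound check, but a short comment saying so would help.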