Comments (3)
This isn't a security issue. Pipfile.lock includes both dev and non-dev dependencies. Pipfiles also collapse the dependency tree. The below files all reference a version greater than pyyaml = ">=4.2b1":
./agogosml/Pipfile
./agogosml/Pipfile.lock
./agogosml/setup.py
The security warning is triggered only for the ./agogosml_cli/Pipfile.lock file. There is a dev dependency in the agogosml_cli Pipfile that includes an old version of pyyaml, which is why the security warning appears. When you do pip install agogosml_cli, you aren't pulling down pyyaml. You can verify yourself by deleting all the dev dependencies and regenerating the Pipfile.lock (no pyyaml). Happy to push a Pipfile.lock for agogosml_cli that doesn't include the dev dependencies to make the security warning go away, but that requires me to remove the offending dev dependency from the Pipfile and include manual instructions to install it. IMO it's not worth it.
P.S. @cicorias only repository admins can see GitHub security warnings. Please email directly about security warnings instead of posting as an issue. (I made you an admin today 😉 )
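As an added example (not code from the agogosml project or from any commenter): a small triage script that reads a Pipfile.lock and reports whether a flagged package sits in the `default` section (installed for users) or only in `develop` (dev tooling), and whether its pin satisfies the minimum version from the advisory. The lock contents and the minimal version parser are constructed for illustration and only handle `X.Y[.Z][{a|b|rc}N]` pins.

```python
import json
import re

# Constructed Pipfile.lock: pyyaml arrives only via the dev-only watchdog pin.
SAMPLE_LOCK = json.dumps({
    "default": {"requests": {"version": "==2.21.0"}},
    "develop": {
        "watchdog": {"version": "==0.9.0"},
        "pyyaml": {"version": "==3.13"},
    },
})

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Parse 'X.Y[.Z][{a|b|rc}N]' into a comparable (release, pre) tuple.

    Trailing zeros are stripped so 4.2 == 4.2.0; a final release ranks
    above any pre-release of the same number (4.2b1 < 4.2).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in match.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if match.group(2):
        pre = (_PRE_RANK[match.group(2)], int(match.group(3)))
    else:
        pre = (len(_PRE_RANK), 0)  # final release outranks a/b/rc
    return tuple(release), pre


def triage_lock(lock_text, package, min_version):
    """Report, per lock section, the pinned version and whether it meets min_version.

    A package present only under 'develop' is not installed by `pip install`
    of the published package, so the alert is a dev-tooling concern.
    """
    lock = json.loads(lock_text)
    minimum = parse_version(min_version)
    report = {}
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(package)
        if entry is None:
            continue
        pinned = entry["version"].lstrip("=")
        report[section] = {"pinned": pinned, "satisfies": parse_version(pinned) >= minimum}
    report["runtime_exposure"] = "default" in report
    return report
```

Run `triage_lock(SAMPLE_LOCK, "pyyaml", "4.2b1")` to see the shape of the result: the pin is reported under `develop` only, with `runtime_exposure` false.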
Just as a note: the pyyaml dependency is pulled in as a transitive dependency of watchdog which is used for make servedocs.
Note that the root cause of this was resolved in #229 since pipenv was replaced with pip.