Skip to content

fix: remove vulnerable Pillow versions #7367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dandhlee merged 7 commits into from
Jan 14, 2022
Merged

fix: remove vulnerable Pillow versions #7367

dandhlee merged 7 commits into from
Jan 14, 2022

Conversation

@dandhlee
Copy link
Collaborator

@dandhlee dandhlee commented Jan 13, 2022
edited
Loading

Description

If we're not using Pillow V9, it will be vulnerable to moderate/high severity issues. Pillow V9 requires Python version to be higher than 3.6.

appengine/scipy and dataflow/tensorflow-landsat both does not require using Python3.6 and below, so I've removed their references altogether.

For ppai/image-classification: @davidcavazos it seems that the Pillow code used in image-classification does not contain any of the vulnerabilities mentioned in the issue. Perhaps just to be on the safe side I'm proposing that we remove 3.6 support for it (it's reached end of life too), or we could still keep it open for 3.6. Which side would you lean towards on?

Fixes #7366.

Checklist

@dandhlee dandhlee added the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jan 13, 2022
@dandhlee dandhlee requested a review from davidcavazos January 13, 2022 08:51
@dandhlee dandhlee requested a review from a team as a code owner January 13, 2022 08:51
@product-auto-label product-auto-label bot added the samples Issues that are directly related to samples. label Jan 13, 2022
@dandhlee dandhlee requested a review from a team as a code owner January 13, 2022 09:03
davidcavazos
davidcavazos approved these changes Jan 13, 2022
View reviewed changes
Copy link

@davidcavazos davidcavazos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I'm okay with dropping 3.6

engelke
engelke approved these changes Jan 14, 2022
View reviewed changes
Copy link
Contributor

@engelke engelke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dandhlee dandhlee removed the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jan 14, 2022
@dandhlee dandhlee merged commit 0b87159 into main Jan 14, 2022
@dandhlee dandhlee deleted the fix_vulnerabilities branch January 14, 2022 00:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@parthea parthea parthea approved these changes

+2 more reviewers

@engelke engelke engelke approved these changes

@davidcavazos davidcavazos davidcavazos approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@engelke engelke

Labels

samples Issues that are directly related to samples.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security Vulnerability for Pillow V8 references

4 participants

@dandhlee @engelke @davidcavazos @parthea