
pyyaml version 3.13 listed as High severity risk by Github audit. #819

@kbroughton

Description

Hi! Thanks for using the Jupyter Docker Stacks.

If you are looking to contribute to the images, please see the [Contributor's Guide](http://jupyter-docker-stacks.readthedocs.io/en/latest/#) in the documentation for our preferred processes.

If you are reporting an issue with one of the existing images, please answer the questions below to help us troubleshoot the problem. Please be as thorough as possible.

What docker image are you using?
jupyter/scipy-notebook

What complete docker command do you run to launch the container (omitting sensitive values)?
docker build -t jupyter/scipy-notebook .

What steps do you take once the container is running to reproduce the issue?
The following step in the build has output which lists pyyaml 3.13 as a package to be installed.

```
step 7/13 : RUN conda install --quiet --yes 'conda-forge::blas==openblas' 'ipywidgets=7.4' 'pandas=0.23*' 'numexpr=2.6*' 'matplotlib=2.2*' 'scipy=1.1*' 'seaborn=0.9*' 'scikit-learn=0.20*' 'scikit-image=0.14*' 'sympy=1.1*' 'cython=0.28*' 'patsy=0.5*' 'statsmodels=0.9*' 'cloudpickle=0.5*' 'dill=0.2*' 'dask=1.1.*' 'numba=0.38*' 'bokeh=0.13*' 'sqlalchemy=1.2*' 'hdf5=1.10*' 'h5py=2.7*' 'vincent=0.4.*' 'beautifulsoup4=4.6.*' 'protobuf=3.*' 'xlrd' && conda remove --quiet --yes --force qt pyqt && conda clean -tipsy
```

Two issues here.

1. Github flags pyyaml 3.13 as High severity.
2. Installing other packages like azure-cli-core requires pyyaml > 4.2b1 and the 3.13 version can't be upgraded due to a distutils error.

What do you expect to happen?

Expect pyyaml to run a newer version without the High Severity vuln.

What actually happens?
Builds with pyyaml 3.13

...
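A defender-side check for the version floor in this report (example code added here, not from the issue or from the docker-stacks project): it parses a `conda list --export`-style listing taken from a built image and flags any package at or below a minimum version, here pyyaml with the `> 4.2b1` floor the reporter mentions. The sample listing, its build strings and the floor table are constructed assumptions, not output from the original issue.

```python
import re

# Constructed sample of `conda list --export` output from an image build
# (assumption: not output from the original issue; build strings are made up).
SAMPLE_CONDA_EXPORT = """\
# platform: linux-64
pandas=0.23.4=py37h04863e7_0
pyyaml=3.13=py37h14c3975_0
scipy=1.1.0=py37hfa4b5c9_1
"""

# Floors taken from the report: pyyaml must be strictly newer than 4.2b1.
MINIMUM_VERSIONS = {"pyyaml": "4.2b1"}

# Accepts dotted numbers with an optional a/b/rc pre-release tag (e.g. 4.2b1).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Turn '4.2b1' into a comparable tuple ((4, 2, 0, 0), rank, 1).
    Final releases rank above a/b/rc pre-releases of the same numbers."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # so 4.2 and 4.2.0 compare equal
    pre_rank = {"a": 0, "b": 1, "rc": 2, None: 3}[m.group(2)]
    pre_num = int(m.group(3)) if m.group(3) else 0
    return (nums, pre_rank, pre_num)


def parse_conda_export(text):
    """Return {package: version} from `name=version=build` lines, skipping comments."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, *_ = line.split("=")
        pkgs[name.lower()] = version
    return pkgs


def find_outdated(export_text, minimums=MINIMUM_VERSIONS):
    """Return {package: (installed, floor)} for packages that do not exceed their floor."""
    installed = parse_conda_export(export_text)
    flagged = {}
    for name, floor in minimums.items():
        if name in installed and parse_version(installed[name]) <= parse_version(floor):
            flagged[name] = (installed[name], floor)
    return flagged
```

Running `find_outdated` over the export of a built image in CI turns the "builds with pyyaml 3.13" observation into a failing check rather than something noticed after the fact.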


Labels

- tag:Security (Related to security, vulnerabilities)
- tag:Upstream (A problem with one of the upstream packages installed in the docker images)
