From a81ed1dae6eff56eb2b1b8a42d624078d9dac30e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 11 Apr 2026 16:48:06 +0000
Subject: [PATCH] fix: resolve security vulnerabilities in dependencies

Update mlflow, scikit-learn, setuptools, and cryptography to secure versions to address multiple CVEs including CVE-2026-33866, CVE-2024-5206, CVE-2025-47273, and CVE-2026-34073.

- mlflow: ^3.10.1 -> ^3.11.0
- scikit-learn: 1.4.2 -> ^1.5.0
- setuptools: ^71.1.0 -> ^78.1.1
- cryptography: ^46.0.6 (added/updated)

Co-authored-by: lgcorzo <46710567+lgcorzo@users.noreply.github.com>
---
pyproject.toml | 7 ++++---
python_env.yaml | 6 +++---
requirements.txt | 14 +++++++-------
3 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1b2cff3..aa54a79 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,7 +31,7 @@ packages = [{ include = "regression_model_template", from = "src" }]
 python = ">=3.12,<3.13"
 loguru = "^0.7.2"
 matplotlib = "^3.9.0"
-mlflow = { version = "^3.10.1", extras = ["extras"] }
+mlflow = { version = "^3.11.0", extras = ["extras"] }
 numpy = "^1.26.4"
 omegaconf = "^2.3.0"
 pandas = "^2.2.2"
@@ -43,8 +43,9 @@ pyarrow = "^15.0.2"
 pydantic = "^2.7.4"
 pydantic-settings = "^2.3.4"
 pynvml = "^11.5.0"
-setuptools = "^71.1.0"
-scikit-learn = "1.4.2"
+cryptography = "^46.0.6"
+setuptools = "^78.1.1"
+scikit-learn = "^1.5.0"
 shap = "^0.46.0"
 dvc = "^3.58.0"
 mlserver = "^1.7.1"
diff --git a/python_env.yaml b/python_env.yaml
index 05cec5c..271f2bb 100644
--- a/python_env.yaml
+++ b/python_env.yaml
@@ -38,7 +38,7 @@
 "markdown==3.6",
 "markupsafe==2.1.5",
 "matplotlib==3.9.1",
- "mlflow[extras]==2.14.3",
+ "mlflow[extras]==3.11.0",
 "multimethod==1.10",
 "mypy-extensions==1.0.0",
 "numba==0.60.0",
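Review bot: `scikit-learn` changes from the exact pin `"1.4.2"` to the caret range `"^1.5.0"` in the second pyproject.toml hunk, which raises the floor but also admits any later 1.x release on the next lock refresh. If this template loads estimators serialized under another scikit-learn version (not visible here), that widening should be a deliberate choice; `scikit-learn = "1.5.0"` or `scikit-learn = ">=1.5.0,<1.6"` would move only the floor. The new `cryptography = "^46.0.6"` entry looks like a security floor for a transitive dependency rather than something the package imports, so a comment such as `# security floor for a transitive dependency; see the CVE list in the commit message` would keep it from being removed as unused. The diffstat lists no lock file, so confirm the lock was regenerated against these constraints.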
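Review bot: The python_env.yaml change from `"mlflow[extras]==2.14.3"` to `"mlflow[extras]==3.11.0"` is a major-version jump, not the 3.10.1 to 3.11.0 step the commit message describes, and the neighbouring pins here (`matplotlib==3.9.1`, `markupsafe==2.1.5`, and in the next hunk `requests==2.32.3`, `scipy==1.14.0`) are older than the ones requirements.txt carries (`matplotlib==3.10.8`, `markupsafe==3.0.3`, `requests[socks]==2.33.0`, `scipy==1.17.1`). This file therefore appears to describe an older resolved environment, and raising three pins by hand may leave it unresolvable or leave other outdated versions in place. The diffstat shows only three changed lines here, so `cryptography` was not touched in this file; if it is listed outside the hunks, it needs the same floor. Regenerating the file from the resolution that produces requirements.txt would be safer than editing individual entries.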
@@ -67,9 +67,9 @@
 "pyyaml==6.0.1",
 "querystring-parser==1.2.4",
 "requests==2.32.3",
- "scikit-learn==1.4.2",
+ "scikit-learn==1.5.0",
 "scipy==1.14.0",
- "setuptools==71.1.0",
+ "setuptools==78.1.1",
 "shap==0.46.0",
 "six==1.16.0",
 "slicer==0.0.8",
diff --git a/requirements.txt b/requirements.txt
index 97a48c3..476a3e3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -52,7 +52,7 @@ configobj==5.0.9 ; python_version == "3.12"
 confluent-kafka==2.13.2 ; python_version == "3.12"
 contextlib2==21.6.0 ; python_version == "3.12"
 contourpy==1.3.3 ; python_version == "3.12"
-cryptography==46.0.5 ; python_version == "3.12"
+cryptography==46.0.6 ; python_version == "3.12"
 cycler==0.12.1 ; python_version == "3.12"
 databricks-sdk==0.102.0 ; python_version == "3.12"
 deprecated==1.3.1 ; python_version == "3.12"
@@ -128,10 +128,10 @@ markdown-it-py==4.0.0 ; python_version == "3.12"
 markupsafe==3.0.3 ; python_version == "3.12"
 matplotlib==3.10.8 ; python_version == "3.12"
 mdurl==0.1.2 ; python_version == "3.12"
-mlflow-skinny==3.10.1 ; python_version == "3.12"
-mlflow-tracing==3.10.1 ; python_version == "3.12"
-mlflow==3.10.1 ; python_version == "3.12"
-mlflow[extras]==3.10.1 ; python_version == "3.12"
+mlflow-skinny==3.11.0 ; python_version == "3.12"
+mlflow-tracing==3.11.0 ; python_version == "3.12"
+mlflow==3.11.0 ; python_version == "3.12"
+mlflow[extras]==3.11.0 ; python_version == "3.12"
 mlserver-mlflow==1.7.1 ; python_version == "3.12"
 mlserver==1.7.1 ; python_version == "3.12"
 msal-extensions==1.3.1 ; python_version == "3.12"
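Review bot: Every new pin in requirements.txt sits exactly at the lower bound of its pyproject.toml range (`mlflow==3.11.0`, `scikit-learn==1.5.0`, `setuptools==78.1.1`, `cryptography==46.0.6`) and no other package in the file moves, including in the hunk at line 214, which suggests the file was edited by hand rather than re-exported from a fresh resolution. If so, the resolver never checked this combination, for example whether `mlflow==3.11.0` accepts the unchanged transitive pins, so re-export from the lock and run `pip check` or a clean install in CI before merging. The entries also carry no `--hash=` values, so pip cannot verify artifact integrity at install time; exporting with hashes and installing with `--require-hashes` would close that gap.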
@@ -214,12 +214,12 @@ requests[socks]==2.33.0 ; python_version == "3.12"
 rich==14.3.3 ; python_version == "3.12"
 ruamel-yaml==0.19.1 ; python_version == "3.12"
 s3transfer==0.16.0 ; python_version == "3.12"
-scikit-learn==1.4.2 ; python_version == "3.12"
+scikit-learn==1.5.0 ; python_version == "3.12"
 scipy==1.17.1 ; python_version == "3.12"
 scmrepo==3.6.1 ; python_version == "3.12"
 secretstorage==3.5.0 ; python_version == "3.12"
 semver==3.0.4 ; python_version == "3.12"
-setuptools==71.1.0 ; python_version == "3.12"
+setuptools==78.1.1 ; python_version == "3.12"
 shap==0.46.0 ; python_version == "3.12"
 shellingham==1.5.4 ; python_version == "3.12"
 shortuuid==1.0.13 ; python_version == "3.12"