Skip to content

security: address CVE-2025-53000 and CVE-2026-21441 #376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
olivermeyer merged 2 commits into from
Jan 8, 2026
Merged

security: address CVE-2025-53000 and CVE-2026-21441 #376

olivermeyer merged 2 commits into from
Jan 8, 2026

Conversation

@olivermeyer
Copy link
Collaborator

@olivermeyer olivermeyer commented Jan 8, 2026

  • Bumping minimum version of urllib3 for CVE-2026-21441
  • Updating the vulnerability ID in pip-audit command - not sure why the GHSA ID stopped working but the CVE ID seems to fix it

@codecov
Copy link

codecov bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 8 files with indirect coverage changes

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 8, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

neelay-aign
neelay-aign approved these changes Jan 8, 2026
View reviewed changes
noxfile.py
"GHSA-4xh5-x5gv-qwph", # https://pyinstaller.org/en/stable/license.html
"--ignore-vuln",
"GHSA-xm59-rqc7-hhvf", # nbconvert CVE-2025-53000: no fix available
"CVE-2025-53000", # no fix available
Copy link
Collaborator

@neelay-aign neelay-aign Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my information - we're okay with using the nbconvert tool despite the vulnerability having a high score?

Copy link
Collaborator Author

@olivermeyer olivermeyer Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately we don't have much of a choice - nbconvert is an indirect dependency from jupyter, which we need.

@olivermeyer olivermeyer merged commit 1ff7283 into main Jan 8, 2026
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neelay-aign neelay-aign neelay-aign approved these changes

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@olivermeyer @neelay-aign