[
https://issues.apache.org/jira/browse/BEAM-13995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17497590#comment-17497590
]
Brian Hulette commented on BEAM-13995:
--------------------------------------
The pandas versions in the message are odd. I'm not sure what to make of it.
Note pandas 0.25 is quite old and we support newer pandas versions today. In
Beam 2.23 we didn't have restrictions on pandas versions, except for in the
`test` extra:
https://github.com/apache/beam/blob/696fc99f9957c96b9f878f86f686df5e5311b731/sdks/python/setup.py#L185.
But that did restrict pandas <1.0.
Today, in Beam 2.36 we restrict pandas versions for the DataFrame API, but it
supports up to pandas 1.3 and explicitly does not support 0.x, (and 1.4 support
is coming in Beam 2.37).
I'm not sure what it means to use apache-beam[gcp]==2.23.0 and
apache-beam=2.36.0 - IIUC you can't use a different version for the `gcp`
extra. [~pd3] can you just use `apache-beam[gcp]==2.36.0`?
> Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas
> and numpy
> --------------------------------------------------------------------------------------
>
> Key: BEAM-13995
> URL: https://issues.apache.org/jira/browse/BEAM-13995
> Project: Beam
> Issue Type: Bug
> Components: dependencies, sdk-py-core
> Affects Versions: 2.23.0, 2.35.0, 2.36.0
> Reporter: Prerana
> Priority: P1
> Attachments: Tensorflow vulnerabilities.xlsx
>
>
> We are using apache-beam[gcp]==2.23.0 and apache-beam=2.36.0.
> The following vulnerabilities are detected in white source with apache-beam.
> [CVE-2020-13091|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-13091;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c]
> - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl - Fix: upgrade to pandas
> 0.3.0.beta, 1.0.4; autovizwidget 0.12.7; pandas 1.0.4, 1.1.0rc0
> [CVE-2021-41496|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-41496;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c]
> - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl -
> Fix: upgrade to autovizwidget 0.12.7; numpy 1.22.0rc1; numcodecs 0.6.2;
> numpy-base 1.11.3; numpy 1.17.4
> [CVE-2021-21240|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-21240;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c]
> - httplib2-0.17.4-py3-none-any.whl - Fix: upgrade to version v0.19.0
> See attached xls - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl -
> Fix: see attached xls
> please upgrade the packages to the mentioned versions with fix.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
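Two points in the thread above lend themselves to a small triage script: a requirement line such as `apache-beam[gcp]==2.23.0` names the same distribution as `apache-beam==2.36.0` (the extra only adds dependencies, it does not make a second package that can be pinned separately), and the scanner's "upgrade to" versions have to be compared against the installed wheels with proper pre-release ordering (`1.22.0rc1` sorts below `1.22.0`). The script below is an added example, not Beam project code or the scanner's output format; `FIX_VERSIONS` is filled from the fix versions quoted in the issue (the tensorflow fix lives only in the attached spreadsheet, so it is left out), and `INSTALLED_TEXT` is a constructed `pip freeze`-style snapshot matching the wheel names in the report. It uses only the standard library, so it runs offline.

```python
"""Triage of dependency-scanner findings against a pinned requirement set.

Added example, not Apache Beam code. FIX_VERSIONS and INSTALLED_TEXT are
assumptions constructed from the versions quoted in BEAM-13995.
"""
import re
from typing import Dict, List, Optional, Tuple

# Package -> first version the scanner lists as fixed (taken from the issue text).
# tensorflow is absent on purpose: its fix version is only in the attached xls.
FIX_VERSIONS: Dict[str, str] = {
    "pandas": "1.0.4",      # CVE-2020-13091
    "numpy": "1.22.0rc1",   # CVE-2021-41496
    "httplib2": "0.19.0",   # CVE-2021-21240
}

# Constructed `pip freeze`-style snapshot mirroring the wheels named in the issue,
# including the two conflicting apache-beam pins the reporter mentions.
INSTALLED_TEXT = """\
apache-beam[gcp]==2.23.0
apache-beam==2.36.0
pandas==0.25.3
numpy==1.21.5
httplib2==0.17.4
tensorflow==1.14.0
"""

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)"          # distribution name
    r"\s*(?:\[([^\]]*)\])?"                      # optional extras, e.g. [gcp]
    r"\s*(==|~=|>=|<=|!=|<|>)?\s*([^\s;,]+)?"     # optional single specifier
)

# Pre-release tags in PEP 440 order; a final release ranks above all of them (3).
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2, "pre": 2, "preview": 2}
_VER_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?:[._-]?(a|b|c|rc|alpha|beta|pre|preview)[._-]?(\d*))?$", re.I
)


def parse_requirement(line: str) -> Tuple[str, List[str], Optional[str], Optional[str]]:
    """Split a requirement line into (normalised name, extras, operator, version)."""
    m = _REQ_RE.match(line)
    if not m or not m.group(1):
        raise ValueError(f"not a requirement: {line!r}")
    name, extras, op, ver = m.groups()
    name = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 name normalisation
    extra_list = [e.strip().lower() for e in extras.split(",") if e.strip()] if extras else []
    return name, extra_list, op, ver


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key for the simple version forms seen in scanner output (x.y.z, x.y.zrcN, x.y.z.beta)."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    release, pre_tag, pre_num = m.groups()
    nums = [int(x) for x in release.split(".")]
    while len(nums) > 1 and nums[-1] == 0:      # 1.0 and 1.0.0 are the same release
        nums.pop()
    if pre_tag is None:
        return tuple(nums), 3, 0                # final release sorts after any pre-release
    return tuple(nums), _PRE_RANK[pre_tag.lower()], int(pre_num or 0)


def is_fixed(installed: str, fix: str) -> bool:
    """True when the installed version is at or above the scanner's fix version."""
    return version_key(installed) >= version_key(fix)


def conflicting_pins(lines: List[str]) -> Dict[str, List[str]]:
    """Distributions pinned (==) to more than one version.

    Extras do not create a separate distribution, so apache-beam[gcp]==2.23.0 and
    apache-beam==2.36.0 are two incompatible pins of the same project.
    """
    pins: Dict[str, set] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _extras, op, ver = parse_requirement(line)
        if op == "==" and ver:
            pins.setdefault(name, set()).add(ver)
    return {n: sorted(v) for n, v in pins.items() if len(v) > 1}


def triage(installed_text: str, fixes: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fix) for every pinned package still below its fix version."""
    findings = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, _extras, op, ver = parse_requirement(line)
        if name in fixes and op == "==" and ver and not is_fixed(ver, fixes[name]):
            findings.append((name, ver, fixes[name]))
    return findings


if __name__ == "__main__":
    for name, versions in conflicting_pins(INSTALLED_TEXT.splitlines()).items():
        print(f"conflicting pins for {name}: {', '.join(versions)}")
    for name, have, want in triage(INSTALLED_TEXT, FIX_VERSIONS):
        print(f"{name} {have} is below fix version {want}")
```

In practice you would feed `triage()` the real `pip freeze` output of the environment and the fix versions from the advisory, then check whether the Beam release you are on allows the fixed version at all (as the comment above notes, Beam 2.36 restricts the pandas range for the DataFrame API), since pinning a fix version that the SDK's own constraints exclude will fail to resolve.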