github-actions[bot] commented on PR #111:
URL: https://github.com/apache/incubator-hugegraph-ai/pull/111#issuecomment-2473461070

   <h1>Dependency Review</h1>
   The following issues were found:
   <ul>
   <li>❌ 1 vulnerable package(s)</li>
   <li>✅ 0 package(s) with incompatible licenses</li>
   <li>✅ 0 package(s) with invalid SPDX license definitions</li>
   <li>✅ 0 package(s) with unknown licenses.</li>
   </ul>
   See the Details below.
   <h2>Vulnerabilities</h2>
   <h4><em>hugegraph-llm/requirements.txt</em></h4>

<table>
<tr><th>Name</th><th>Version</th><th>Vulnerability</th><th>Severity</th></tr>
<tr><td><a href="https://github.com/gradio-app/gradio">gradio</a></td><td>~> 4.44.1</td><td><a href="https://github.com/advisories/GHSA-8c87-gvhj-xm8m">Gradio lacks integrity checking on the downloaded FRP client</a></td><td>high</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-xh2x-3mrm-fwqm">Gradio has a race condition in update_root_in_config may redirect user traffic</a></td><td>high</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-279j-x4gx-hfrh">Gradio uses insecure communication between the FRP client and server</a></td><td>high</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-77xq-6g77-h274">Gradio's <code>is_in_or_equal</code> function may be bypassed</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-89v2-pqfv-c5r9">Gradio's CORS origin validation accepts the null origin</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-576c-3j53-r9jj">Gradio vulnerable to SSRF in the path parameter of /queue/join</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-4q3c-cj7g-jcwf">Gradio has several components with post-process steps allow arbitrary file leaks</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-gvv6-33j7-884g">Gradio has an XSS on every Gradio server via upload of HTML files, JS files, or SVG files</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-26jh-r8g2-6fpr">Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list</a></td><td>low</td></tr>
</table>
   <h2>Scanned Manifest Files</h2>
   <details><summary>hugegraph-llm/requirements.txt</summary>
   <ul>
   <li>gradio@~> 4.44.1</li>
   <li>gradio@~> 4.43.0</li>
   </ul>
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
