nigzak commented on PR #27187: URL: https://github.com/apache/superset/pull/27187#issuecomment-1961314576
Hi all,

I checked my request with pandas => they will not update it because of downgrade compatibility, so it will stay on the pandas site: https://github.com/pandas-dev/pandas/pull/57567

```
Thanks for the PR, but pandas tries to support optional dependencies that are at most 1 year old. Additionally, pandas just specifies a lower pin, so a user is able to specify numexpr>=2.9.0 if they want to avoid this CVE.

pandas will bump to 2.9.0 eventually, but I think it's too early to do so at this moment so closing
```

In my mind, the only current possibility would still be to fix it here in the dependencies.
Leaving it on the "old" version also seems not good, because it is a critical finding which really will lead to an issue that people cannot deploy this image because it has a critical CVE in it (IT guide says it is not allowed; as an example, for me it would result in many discussions and things, and in the end it will not really be fixable at all ... I currently think I am not allowed to use it at all).

I have also run the command that @dpgaspar mentioned:

```
pip-compile-multi --no-upgrade
```

And committed again (you see it here as the 2nd commit).

Sadly, it only works to run it in Windows; in the Ubuntu subsystem it does not run at all (maybe because Ubuntu does not have the latest pip/python?).

The error in the Ubuntu subsystem (WSL2) is this one, FYI:

```
...
mysqlclient==2.1.0 not in cache, need to check index
error: subprocess-exited-with-error

× python setup.py egg_info did not run successfully.
│ exit code: 1
╰─> [16 lines of output]
    /bin/sh: 1: mysql_config: not found
    /bin/sh: 1: mariadb_config: not found
    /bin/sh: 1: mysql_config: not found
    Traceback (most recent call last):
      File "<string>", line 2, in <module>
      File "<pip-setuptools-caller>", line 34, in <module>
      File "/tmp/pip-resolver-cd4ddh_s/mysqlclient/setup.py", line 15, in <module>
        metadata, options = get_config()
      File "/tmp/pip-resolver-cd4ddh_s/mysqlclient/setup_posix.py", line 70, in get_config
        libs = mysql_config("libs")
      File "/tmp/pip-resolver-cd4ddh_s/mysqlclient/setup_posix.py", line 31, in mysql_config
        raise OSError("{} not found".format(_mysql_config_path))
    OSError: mysql_config not found
    mysql_config --version
    mariadb_config --version
    mysql_config --libs
    [end of output]
...
```

Many differences are in the path with "/" vs "\", and I did not add/change anything other than the numexpr version to 2.9.0 from my side.

Is this fine at all, or shall I do/try something more/else?

As written, this is my first pull request; sorry if there are dumb questions or anything else ... I am really trying to learn this for a possible next request and to do it better ;) (as an example, I did not know the "pip-compile-multi --no-upgrade" command at all)

Thanks & Regards
nigzak

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org