#308: Updated Dependencies of Jupyter Environment

exasol · Aug 21, 2024 · 6a66093 · 6a66093
1 parent fd290cd
commit 6a66093
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 15 deletions.
diff --git a/doc/changes/changes_2.1.0.md b/doc/changes/changes_2.1.0.md
@@ -6,7 +6,16 @@ Code name: Exasol SaaS and Python 3.10
 
 This release adds support for parameters for SaaS instances of Exasol database to the configuration page and fixes vulnerability `CVE-2024-23342` by updating dependencies.
 
-Additionally the release updates the operating system from ubuntu 20.04 to 22.04 and Python version to 3.10 in the published images for Docker, AMI, and virtual machines.
+This release also updates the operating system from ubuntu 20.04 to 22.04 and Python version to 3.10 in the published images for Docker, AMI, and virtual machines.
+
+Additionally, this release fixes the following vulnerabilities by updating dependencies:
+* Vulnerability CVE-2024-23342 in transitive dependency via `localstack` to `ecdsa` vulnerably to Minerva timing attack on P-256 in `python-ecdsa`.
+* Vulnerability CVE-2024-5206 in dependency `scikit-learn` versions below `1.5.0` caused by sensitive data leakage.
+
+The release ignores the following vulnerabilities
+* Ignoring vulnerability CVE-2024-33663 in transitive dependency via `localstack` to `python-jose` `3.3.0` caused by algorithm confusion with OpenSSH ECDSA keys as there is no newer version of `python-jose` available and the dependency only affects tests.
+* Ignoring vulnerability CVE-2024-35195 in dependency `requests` in versions below `2.32.0` caused by requests `Session` object not verifying requests after making first request with `verify=False` as `requests` in version `2.32.0` and higher are incompatible with docker-compose.
+* Ignoring vulnerability CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions below `2.2.2` caused by proxy-authorization request header not to be stripped during cross-origin redirects as no update of notebook-connector is available, yet.
 
 ## AI-Lab-Release
 
@@ -23,6 +32,7 @@ Version: 2.1.0
 ## Security
 
 * #207: Fixed vulnerability CVE-2024-23342 by updating dependency ecdsa
+* #298: Fixed vulnerabilities by updating dependencies
 
 ## Bug Fixes
 
@@ -42,5 +52,18 @@ Version: 2.1.0
 * #295: Made notebook-tests mandatory for merge
 * #193: Ignored warnings in notebook tests
 * #297: Reduced log level for transitive libraries in notebook tests
-* #307: Made the notebook tests running in parallel;
-        moved common steps from test jobs to a composite action
+* #307: Made the notebook tests running in parallel; moved common steps from test jobs to a composite action
+* #308: Removed redundant dependencies from file `notebook_requirements.txt`.
+
+## Dependency Updates
+
+### Jupyter Environment Dependencies
+
+In File [notebook_requirements.txt](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt):
+* Removed dependency to `uncertainties`
+* Updated `scikit-learn:1.0.2` to `1.5.1`
+* Updated `matplotlib:3.7.4` to `3.9.2`
+* Updated `jupysql:0.10.10` to `0.10.12`
+* Relaxed `stopwatch.py:2.0.1` dependency to `2.*` to avoid inconsistencies with ITDE
+* Replaced GitHub dependency to `exasol/notebook-connector:main` by pypi dependency `0.2.9`
+* Updated `ipywidgets:8.1.1` to `8.1.3`
diff --git a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt
@@ -1,5 +1,2 @@
 jupyterlab==4.1.1
-# enable interactive Javascript widgets in the notebooks
-ipywidgets==8.1.1
 pexpect==4.8.0
-pyexasol==0.16.1
diff --git a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt
@@ -1,10 +1,8 @@
-uncertainties==3.1.7
-scikit-learn==1.0.2
-matplotlib==3.7.4
-jupysql==0.10.10
-sqlalchemy_exasol==4.6.3
-stopwatch.py==2.0.1
-boto3==1.26.163
-exasol-notebook-connector @ git+https://github.com/exasol/notebook-connector.git@main
+scikit-learn==1.5.1 # required for notebook sklearn
+matplotlib==3.7.4 # required for notebook sklearn
+jupysql==0.10.10 # required for multiple notebooks
+stopwatch.py==2.* # also required by ITDE
+exasol-notebook-connector==0.2.9
 pickleshare==0.7.5 # See https://github.com/exasol/ai-lab/issues/291 for details.
-ipyfilechooser==0.6.0
+ipyfilechooser==0.6.0 # required for SLC notebooks
+ipywidgets==8.1.1 # enable interactive Javascript widgets in the notebooks