
Vulnerable versions of packages 'cryptography', 'aiohttp' are installed together with 'stellargraph' #2108

Open
Alexandre-aksenov opened this issue May 6, 2024 · 0 comments
Labels
bug Something isn't working sg-library

Vulnerable packages are installed together with 'stellargraph'

When 'stellargraph' is installed via the channel 'stellargraph', some packages for web communication are installed automatically. Although these packages are not used in my application (its goal is predicting node properties, and it can run offline), they contain known vulnerabilities. This causes surprising warning messages from GitHub.

This raises the following question: as the libraries 'cryptography' and 'aiohttp' are (a priori) not related to graph theory, are they needed for stellargraph?

To Reproduce

Run the following installation:

conda create -c stellargraph -n stellar_test python=3.11 stellargraph
conda activate stellar_test
conda list cryptography # 41.0.3
conda list aiohttp # 3.9.3
conda list stellargraph # 1.2.1

Observed behavior

These libraries cause warnings after uploading a repository to GitHub. These warnings are due to known vulnerabilities in the installed packages, see:

GHSA-6vqw-3v5j-54x4,
GHSA-5m98-qgg9-wh84

Expected behavior

I expect all messages relative to the repository to be related to my own work.

Environment

Operating system: Ubuntu.
Conda version: 24.4.0.
Python version: 3.11.

Package versions: stellargraph==1.2.1

Thanks for your attention!
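One way to answer the question the report raises (does stellargraph actually declare these packages, or do they arrive through some intermediate dependency) is to walk the Requires-Dist metadata of the active environment and list every declared path from stellargraph to the package in question. This is an added example, not code from the issue or from the stellargraph project; the functions `installed_graph` and `dependency_paths` and every package name in `SAMPLE_GRAPH` other than stellargraph and aiohttp are hypothetical, and it assumes the environment's Python packages carry dist-info metadata (conda-installed Python packages normally do).

```python
import re
from collections import deque
from importlib.metadata import distributions

# Leading project name of a Requires-Dist entry such as 'aiohttp (>=3.9); extra == "x"'
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def installed_graph():
    """Map each installed distribution (normalised name) to the names it lists
    in Requires-Dist, skipping requirements that only apply to an extra."""
    graph = {}
    for dist in distributions():
        name = dist.metadata["Name"].lower().replace("_", "-")
        deps = set()
        for spec in dist.requires or []:
            if "extra ==" in spec:  # optional extra, not pulled in by default
                continue
            match = _NAME.match(spec)
            if match:
                deps.add(match.group(1).lower().replace("_", "-"))
        graph[name] = deps
    return graph


def dependency_paths(graph, root, target):
    """Return every declared path root -> ... -> target (breadth-first, cycle-safe)."""
    root, target = root.lower(), target.lower()
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for dep in sorted(graph.get(path[-1], ())):
            if dep not in path:  # never revisit a node already on this path
                queue.append(path + [dep])
    return paths


# Constructed sample graph: 'graphutils' and 'netclient' are hypothetical names
SAMPLE_GRAPH = {
    "stellargraph": {"graphutils", "netclient"},
    "graphutils": set(),
    "netclient": {"aiohttp"},
    "aiohttp": {"aiosignal"},
    "aiosignal": set(),
}

if __name__ == "__main__":
    graph = installed_graph()
    for pkg in ("cryptography", "aiohttp"):
        found = [" -> ".join(p) for p in dependency_paths(graph, "stellargraph", pkg)]
        print(pkg, "<-", found or "no declared path from stellargraph")
```

A package with no declared path from stellargraph was pulled in by something else in the environment (another package, the solver, or the channel's own metadata), which narrows where the pin or removal has to happen.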

@Alexandre-aksenov Alexandre-aksenov added bug Something isn't working sg-library labels May 6, 2024