Closed vagenas closed 1 year ago
Describe the bug\ https://github.com/BiomedSciAI/fuse-med-ml/issues/193 was supposed to fix https://github.com/BiomedSciAI/fuse-med-ml/issues/192, however depending on the order pip decides to resolve dependencies (e.g. if it resolves the latest possible pytorch_lightning first), protobuf may still get resolved to the vulnerable version 3.20.1.
pip
pytorch_lightning
protobuf
FuseMedML version\ 0.2.6
Python version\ Exact Python version used. E.g. 3.8.13
To reproduce\ Occurrence depends on dependency resolution order, which may vary.
Expected behavior\ A secure version should be installed instead.
Describe the bug\ https://github.com/BiomedSciAI/fuse-med-ml/issues/193 was supposed to fix https://github.com/BiomedSciAI/fuse-med-ml/issues/192, however depending on the order
pipdecides to resolve dependencies (e.g. if it resolves the latest possiblepytorch_lightningfirst),protobufmay still get resolved to the vulnerable version 3.20.1.FuseMedML version\ 0.2.6
Python version\ Exact Python version used. E.g. 3.8.13
To reproduce\ Occurrence depends on dependency resolution order, which may vary.
Expected behavior\ A secure version should be installed instead.