JoaquinAmatRodrigo / skforecast

Time series forecasting with machine learning models
https://skforecast.org
BSD 3-Clause "New" or "Revised" License
992 stars 113 forks

Update Dependency Requirement to Allow scikit-learn>=1.5 Due to CVE-2024-5206 #739

Open vebjorre opened 3 days ago

vebjorre commented 3 days ago

Description:

There is a recently identified vulnerability, CVE-2024-5206, affecting versions of scikit-learn below 1.5. This security issue necessitates updating the dependency requirement in skforecast to ensure compatibility with scikit-learn version 1.5 or higher.

Current Behavior:

The current version of skforecast restricts the scikit-learn dependency to versions below 1.5. This constraint forces users to utilize vulnerable versions of scikit-learn.

Proposed Change:

Update the skforecast package to allow scikit-learn version 1.5 and above by modifying the dependency requirement. This change will enable users to upgrade to a secure version of scikit-learn, mitigating the risks associated with CVE-2024-5206.

Steps to Reproduce:

1. Install skforecast in a project.
2. Attempt to upgrade scikit-learn to version 1.5 or higher.
3. Observe the dependency conflict due to the current version constraints.

Expected Behavior:

Users should be able to install and use scikit-learn version 1.5 or higher without any dependency conflicts when using skforecast.

Additional Information:

CVE Details: CVE-2024-5206
scikit-learn Release Notes: scikit-learn 1.5 Release Notes

Impact:

Allowing scikit-learn>=1.5 will ensure that users of skforecast are protected against the vulnerabilities addressed in the latest scikit-learn release, thereby enhancing the security of their machine learning projects.
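The situation the reporter describes (an upper bound on a dependency that excludes every release carrying a security fix) is something a consumer can check mechanically before a resolver tells them about it. The following is an added example written for this page; it is neither skforecast's code nor the reporter's. It assumes a constructed stand-in constraint, "scikit-learn>=1.2,<1.5", because the issue says the pin is below 1.5 but does not quote the exact specifier, and it takes 1.5.0 as the first release that addresses CVE-2024-5206, as the issue states. Only plain dotted-integer release versions are handled; pre-release and local version segments are out of scope.

```python
"""Added example: does a dependency constraint admit the release that fixes a CVE?

Illustrative code written for this page, not part of skforecast.
Assumptions: "scikit-learn>=1.2,<1.5" is a constructed stand-in for the pin the
issue describes (the exact specifier is not quoted there); 1.5.0 is taken as the
first release addressing CVE-2024-5206, per the issue text. Only dotted-integer
release versions are handled; pre-release/post-release/local segments are not.
"""
from __future__ import annotations

import re
from importlib import metadata

EXAMPLE_CONSTRAINT = "scikit-learn>=1.2,<1.5"   # constructed stand-in, see above
FIXED_VERSION = "1.5.0"                          # per the issue: fix ships in 1.5

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> tuple[int, ...]:
    """'1.5' -> (1, 5). Raises ValueError for anything that is not dotted integers."""
    return tuple(int(p) for p in text.strip().split("."))


def _aligned(a: tuple[int, ...], b: tuple[int, ...]):
    """Right-pad with zeros so that 1.5 and 1.5.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_requirement(req: str) -> tuple[str, list[tuple[str, tuple[int, ...]]]]:
    """'scikit-learn>=1.2,<1.5' -> ('scikit-learn', [('>=', (1, 2)), ('<', (1, 5))])."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    if spec:
        for raw in spec.split(","):
            cm = _CLAUSE_RE.match(raw.strip())
            if not cm:
                raise ValueError(f"unsupported version clause: {raw!r}")
            clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version: str, req: str) -> bool:
    """True if `version` meets every clause of `req` (the resolver's view)."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](*_aligned(v, bound)) for op, bound in clauses)


def admits_patched(req: str, fixed_version: str) -> bool:
    """True if some version >= fixed_version satisfies `req`.

    False means the constraint forces every consumer onto a vulnerable release,
    which is what the issue describes. Only upper bounds can exclude the whole
    patched range: '!=' excludes single versions, '>'/'>=' only raise the floor.
    """
    _, clauses = parse_requirement(req)
    fixed = parse_version(fixed_version)
    for op, bound in clauses:
        f, b = _aligned(fixed, bound)
        if op == "<" and not f < b:
            return False
        if op == "<=" and not f <= b:
            return False
        if op == "==" and b < f:
            return False
    return True


def installed_version(dist: str) -> str | None:
    """Version of an installed distribution, or None if it is not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def audit(req: str, fixed_version: str) -> str:
    """One-line verdict for a requirement, plus the state of the installed copy if any."""
    name, _ = parse_requirement(req)
    verdict = "admits" if admits_patched(req, fixed_version) else "EXCLUDES"
    line = f"{req!r} {verdict} the patched range (>= {fixed_version})"
    current = installed_version(name)
    if current is not None:
        try:
            state = "patched" if satisfies(current, f"{name}>={fixed_version}") else "vulnerable"
        except ValueError:          # e.g. a pre-release string this parser does not model
            state = "unparsed (non-release version string)"
        line += f"; installed {name} {current} is {state}"
    return line


if __name__ == "__main__":
    print(audit(EXAMPLE_CONSTRAINT, FIXED_VERSION))
    print(audit("scikit-learn>=1.2", FIXED_VERSION))
```

`admits_patched` is the check worth wiring into a CI step over a project's own pins: a `<` or `<=` bound at or below the fixing release, or an `==` pin below it, is the precise condition that leaves every downstream install on a vulnerable version no matter what the user does. `satisfies` reports what a resolver would conclude for one concrete version, which is how the reporter's step 3 conflict surfaces in practice.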

JavierEscobarOrtiz commented 2 days ago

Hello @vebjorre

Thank you for opening the issue and providing full information about the vulnerability.

We will be updating the requirements for skforecast 0.13.0.

Best,

Javi