Seldon currently pins its Werkzeug version to < 2.3, but Werkzeug needs v2.3.8 or v3.0.1+ to avoid an insufficient algorithmic complexity vulnerability: SNYK-PYTHON-WERKZEUG-6035177. Consumers of the Python microservice are unable to use a safe version of Werkzeug because of this version pin.
Attempt to install werkzeug v2.3.8 with seldon-core v1.18.1
```text
> cat requirements.txt
seldon-core==1.18.1
werkzeug==2.3.8
> pip install -r requirements.txt
...
ERROR: Cannot install -r requirements.txt (line 1) and werkzeug==2.3.8 because these package versions have conflicting dependencies.
The conflict is caused by:
    The user requested werkzeug==2.3.8
    seldon-core 1.18.1 depends on werkzeug<2.3 and >=2.1.1
```
Describe the bug
This line restricts a consumer from using Werkzeug 2.3.8 https://github.com/SeldonIO/seldon-core/blob/c9ee03bdae8ed15c9c6dcec5b60eb4d33660a3d5/python/setup.py#L39
To reproduce
Attempt to install werkzeug v2.3.8 with seldon-core v1.18.1
Expected behaviour
A non-vulnerable version of Werkzeug can be used.
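The conflict above comes down to a dependency pin whose whole allowed range predates the patched releases. The script below is an added example (not seldon-core's code) that audits such a pin: it parses the `werkzeug<2.3 and >=2.1.1` constraint from the pip output, compares it against the fixed ranges named in the issue (2.3.8 and 3.0.1+), and reports which installable versions are still unpatched. The candidate release list is constructed for the example.

```python
"""Audit a dependency pin against the patched releases of a package.

Added example, not part of seldon-core. The pin and the fixed versions
come from the issue text (SNYK-PYTHON-WERKZEUG-6035177); the candidate
release list below is constructed for illustration.
"""
import operator
import re

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Fixed ranges as stated in the issue: 2.3.8 (2.x line) and 3.0.1+ (3.x line).
FIXED_RANGES = ["werkzeug>=2.3.8,<3.0.0", "werkzeug>=3.0.1"]

# Constructed sample of releases a resolver might see.
CANDIDATES = ["2.1.1", "2.2.3", "2.3.0", "2.3.7", "2.3.8", "3.0.0", "3.0.1"]


def parse_version(text):
    """Turn a plain 'X.Y.Z' release string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_specifier(spec):
    """Extract (operator, version) clauses from 'pkg<2.3 and >=2.1.1' or 'pkg>=2.1.1,<4'."""
    clauses = re.findall(r"(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)", spec)
    return [(op, parse_version(ver)) for op, ver in clauses]


def satisfies(version, clauses):
    """True when `version` meets every clause of the specifier."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def is_fixed(version):
    """True when `version` falls inside one of the patched ranges."""
    return any(satisfies(version, parse_specifier(r)) for r in FIXED_RANGES)


def audit_pin(pin, candidates):
    """Split the versions a pin allows into (fixed, vulnerable) lists, in order."""
    clauses = parse_specifier(pin)
    installable = [v for v in candidates if satisfies(v, clauses)]
    fixed = [v for v in installable if is_fixed(v)]
    vulnerable = [v for v in installable if not is_fixed(v)]
    return fixed, vulnerable


if __name__ == "__main__":
    for pin in ("werkzeug<2.3 and >=2.1.1", "werkzeug>=2.1.1,<4"):
        fixed, vulnerable = audit_pin(pin, CANDIDATES)
        print(f"{pin}: fixed={fixed} vulnerable={vulnerable}")
```

An empty `fixed` list for a pin is the signal that no dependency bump by the consumer can help; the pin itself must be relaxed in the upstream package.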