@nathanw-mlc received a vulnerability notification from GitHub regarding the NPM package ip. The isPublic() function can expose private information, and the package looks to be dead, so it probably won't receive a patch. GitHub says that the Training repo may be affected.

Based on some inspection of the repo, this seems to come from one of the retired benchmarks (minigo). Specifically, from this dependency: https://github.com/mlcommons/training/blob/00f04c57d589721aabce4618922780d29f73cf4e/retired_benchmarks/minigo/tensorflow/minigo/oneoffs/joseki/package-lock.json#L6682-L6685

Just to be safe, I think we need to fix this issue, to avoid a situation where someone runs this benchmark and accidentally exposes some private information.

I see two options to solve this issue:

1. Patch it. If we can contact the developer of this and it is easy to remove this dependency, it may be possible (and not hard) to fix.
2. Drop the joseki folder. It seems to be just an optional part of a retired benchmark to collect statistics, so it is unlikely many people are using it.