qbic-pipelines / querynator

MIT License

update pillow to fix vulnerability issue #26

Closed HomoPolyethylen closed 3 weeks ago

HomoPolyethylen commented 3 months ago

Description of the bug

biocontainers has detected a vulnerability in querynator 0.4.2; it should be fixable by updating pillow from 10.0.1 -> 10.2.0

Command used and terminal output

No response

System information

No response

HomoPolyethylen commented 3 months ago

checked dependencies

command used:

conda activate querynator && conda install pillow=10.2.0 --dry-run

output:

warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
failed

LibMambaUnsatisfiableError: Encountered problems while solving:
  - package querynator-0.4.2-pyh7cba7a3_0 requires civicpy 3.0.0.*, but none of the providers can be installed

Could not solve for environment specs
The following packages are incompatible
├─ pillow 10.2.0**  is installable with the potential options
│  ├─ pillow 10.2.0 would require
│  │  ├─ lcms2 >=2.16,<3.0a0 , which requires
│  │  │  └─ libjpeg-turbo >=3.0.0,<4.0a0 , which can be installed;
│  │  └─ libtiff >=4.6.0,<4.7.0a0  but there are no viable options
│  │     ├─ libtiff 4.6.0 would require
│  │     │  ├─ libdeflate >=1.18,<1.19.0a0 , which can be installed;
│  │     │  └─ libjpeg-turbo >=2.1.5.1,<3.0a0 , which conflicts with any installable versions previously reported;
│  │     ├─ libtiff 4.6.0 would require
│  │     │  └─ libdeflate >=1.20,<1.21.0a0 , which conflicts with any installable versions previously reported;
│  │     └─ libtiff 4.6.0 would require
│  │        └─ libdeflate >=1.19,<1.20.0a0 , which conflicts with any installable versions previously reported;
│  ├─ pillow 10.2.0 would require
│  │  └─ python >=3.11,<3.12.0a0 , which can be installed;
│  ├─ pillow 10.2.0 would require
│  │  └─ python >=3.12,<3.13.0a0 , which can be installed;
│  ├─ pillow 10.2.0 would require
│  │  └─ python >=3.8,<3.9.0a0 , which can be installed;
│  ├─ pillow 10.2.0 would require
│  │  └─ python >=3.9,<3.10.0a0 , which can be installed;
│  └─ pillow 10.2.0 conflicts with any installable versions previously reported;
├─ pin-1 is not installable because it requires
│  └─ python 3.10.* , which conflicts with any installable versions previously reported;
└─ querynator 0.4.2  is installable and it requires
   └─ civicpy 3.0.0.* , which requires
      └─ pysam with the potential options
         ├─ pysam [0.21.0|0.22.0] would require
         │  └─ libdeflate >=1.18,<1.19.0a0 , which can be installed;
         ├─ pysam [0.10.0|0.11.0|...|0.9.1.4] would require
         │  └─ python [2.7* |>=2.7,<2.8.0a0 ], which can be installed;
         ├─ pysam [0.10.0|0.11.0|...|0.9.1.4] would require
         │  └─ python 3.4* , which can be installed;
         ├─ pysam [0.10.0|0.11.0|...|0.9.1.4] would require
         │  └─ python [3.5* |>=3.5,<3.6.0a0 ], which can be installed;
         ├─ pysam [0.10.0|0.11.1|...|0.9.1] would require
         │  └─ python 3.6* , which can be installed;
         ├─ pysam [0.10.0|0.14.1|...|0.9.1] would require
         │  └─ python >=3.6,<3.7.0a0 , which can be installed;
         ├─ pysam [0.15.1|0.15.2|0.15.3] would require
         │  └─ libdeflate >=1.0,<1.1.0a0 , which conflicts with any installable versions previously reported;
         ├─ pysam [0.15.2|0.15.3|...|0.9.1] would require
         │  └─ python >=3.7,<3.8.0a0 , which can be installed;
         ├─ pysam [0.15.2|0.16.0.1|...|0.9.1] would require
         │  └─ python >=3.8,<3.9.0a0 , which can be installed;
         ├─ pysam [0.16.0.1|0.17.0|...|0.9.1] would require
         │  └─ python >=3.9,<3.10.0a0 , which can be installed;
         ├─ pysam 0.19.1 would require
         │  └─ libdeflate >=1.10,<1.11.0a0 , which can be installed;
         ├─ pysam [0.19.1|0.20.0|0.21.0] would require
         │  └─ libdeflate >=1.13,<1.14.0a0 , which can be installed;
         ├─ pysam [0.21.0|0.22.0] would require
         │  ├─ libdeflate >=1.18,<1.19.0a0 , which can be installed;
         │  └─ python >=3.8,<3.9.0a0 , which can be installed;
         ├─ pysam [0.21.0|0.22.0] would require
         │  ├─ libdeflate >=1.18,<1.19.0a0 , which can be installed;
         │  └─ python >=3.9,<3.10.0a0 , which can be installed;
         └─ pysam 0.7.7 would require
            └─ python <3.0.0 , which can be installed.

Pins seem to be involved in the conflict. Currently pinned specs:
 - python 3.10.* (labeled as 'pin-1')

HomoPolyethylen commented 3 months ago

command used to check dependencies using mamba:

mamba repoquery whoneeds pillow

returned:

(qn2) casimir@rechenmaschine02:~$ mamba repoquery whoneeds pillow

Executing the query pillow

 Name            Version Build             Depends        Channel     Subdir  
───────────────────────────────────────────────────────────────────────────────
 matplotlib-base 3.6.1   py310h8d5ebf3_1   pillow >=6.2.0 conda-forge linux-64

-> only matplotlib depends on pillow?

HomoPolyethylen commented 3 months ago

bumping pillow to 10.2.0 worked using mamba

HomoPolyethylen commented 3 months ago

mamba create -n qn2 querynator -y && mamba activate qn2 && mamba install pillow=10.2.0 --dry-run

output:

Looking for: ['pillow=10.2.0']

conda-forge/linux-64                                        Using cache
conda-forge/noarch                                          Using cache
bioconda/linux-64                                           Using cache
bioconda/noarch                                             Using cache
pkgs/r/linux-64                                               No change
pkgs/main/noarch                                              No change
pkgs/main/linux-64                                            No change
pkgs/r/noarch                                                 No change

Pinned packages:
  - python 3.10.*

Transaction

  Prefix: /home/casimir/opt/miniforge3/envs/qn2

  Updating specs:

   - pillow=10.2.0
   - ca-certificates
   - certifi
   - openssl

  Package          Version  Build            Channel           Size
─────────────────────────────────────────────────────────────────────
  Install:
─────────────────────────────────────────────────────────────────────

  + zlib            1.2.13  hd590300_5       conda-forge     Cached
  + jpeg                9e  h166bdaf_2       conda-forge     Cached

  Upgrade:
─────────────────────────────────────────────────────────────────────

  - pillow          10.0.1  py310h29da1c1_1  conda-forge     Cached
  + pillow          10.2.0  py310h5eee18b_0  pkgs/main       Cached

  Downgrade:
─────────────────────────────────────────────────────────────────────

  - libjpeg-turbo  2.1.5.1  hd590300_1       conda-forge     Cached
  + libjpeg-turbo    2.1.4  h166bdaf_0       conda-forge     Cached
  - libtiff          4.6.0  h8b53f26_0       conda-forge     Cached
  + libtiff          4.2.0  hf544144_3       conda-forge     Cached
  - lcms2             2.15  h7f713cb_2       conda-forge     Cached
  + lcms2             2.12  hddcbb42_0       conda-forge     Cached
  - openjpeg         2.5.2  h488ebb8_0       conda-forge     Cached
  + openjpeg         2.4.0  hb52868f_1       conda-forge     Cached

  Summary:

  Install: 2 packages
  Upgrade: 1 packages
  Downgrade: 4 packages

  Total download: 0 B

─────────────────────────────────────────────────────────────────────

Dry run. Exiting.

DryRunExit: Dry run. Exiting.

matplotlib untouched, executing as described above works, test queries & report creation on querynator work

HomoPolyethylen commented 3 months ago

conda on the other hand has some issues:

(qn2) [zxmgc83@thanos querynator]$ conda install pillow=10.2.0
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
warning  libmamba Problem type not implemented SOLVER_RULE_STRICT_REPO_PRIORITY
done

## Package Plan ##

  environment location: /home-link/zxmgc83/miniconda3/envs/qn2

  added / updated specs:
    - pillow=10.2.0

The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    querynator-0.1.3           |     pyhdfd78af_0          18 KB  bioconda
    ------------------------------------------------------------
                                           Total:          18 KB

The following packages will be REMOVED:

  civicpy-3.0.0-py310hdfd78af_0
  pysam-0.22.0-py310h41dec4a_1
  vcfpy-0.13.8-pyhdfd78af_0

The following packages will be UPDATED:

  lcms2                                     2.15-h7f713cb_2 --> 2.16-hb7c19ff_0 
  libdeflate                                1.18-h0b41bf4_0 --> 1.20-hd590300_0 
  libjpeg-turbo                          2.1.5.1-hd590300_1 --> 3.0.0-hd590300_1 
  libtiff                                  4.6.0-h8b53f26_0 --> 4.6.0-h1dd3fc0_3 
  pillow                             10.0.1-py310h29da1c1_1 --> 10.2.0-py310h01dd4db_0 

The following packages will be DOWNGRADED:

  querynator                             0.4.2-pyh7cba7a3_0 --> 0.1.3-pyhdfd78af_0

HomoPolyethylen commented 3 months ago

make environment.yml with mamba, create new env from that using conda, check if this works

(qn2) [zxmgc83@thanos querynator]$ conda env create --file qn-mamba.yml 
Channels:
 - conda-forge
 - bioconda
 - defaults
Platform: linux-64
Collecting package metadata (repodata.json): done
Solving environment: failed
Channels:
 - conda-forge
 - bioconda
 - defaults
Platform: linux-64
Collecting package metadata (repodata.json): done
Solving environment: failed

LibMambaUnsatisfiableError: Encountered problems while solving:
  - package pillow-10.2.0-py310h5eee18b_0 is excluded by strict repo priority

=> channel_priority: strict in ~/.condarc makes the difference -> remove line and conda behaves as mamba
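Added example (not from the querynator project or this thread): a small audit over `conda list --json` output that checks two things the thread touches on, whether pillow actually ended up at or above 10.2.0, and whether relaxing `channel_priority: strict` let a package in from a channel the environment was not expected to use (the mamba dry run above pulls pillow from pkgs/main). The minimum-version table, expected-channel set and the embedded sample are constructed for the example.

```python
import json
import re

# Minimum versions to enforce; pillow >= 10.2.0 is the bump from this
# issue, the table itself is a constructed example.
MIN_VERSIONS = {"pillow": "10.2.0"}

# Channels the environment is expected to draw from (assumption). Without
# channel_priority: strict the solver may mix channels, so anything
# outside this set deserves a second look.
EXPECTED_CHANNELS = {"conda-forge", "bioconda"}


def parse_version(v):
    """Split a conda version string into a comparable tuple.

    Numeric components compare numerically; alphabetic ones (e.g. the
    'e' in jpeg 9e) are kept as strings so unusual versions do not crash.
    """
    parts = []
    for m in re.finditer(r"\d+|[A-Za-z]+", v):
        tok = m.group()
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def audit_env(conda_list_json, min_versions=MIN_VERSIONS,
              expected_channels=EXPECTED_CHANNELS):
    """Return (name, kind, detail) findings for packages below a minimum
    version or installed from an unexpected channel."""
    findings = []
    for pkg in json.loads(conda_list_json):
        name, version = pkg["name"], pkg["version"]
        channel = pkg.get("channel", "")
        floor = min_versions.get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append((name, "below-minimum", f"{version} < {floor}"))
        if channel and channel not in expected_channels:
            findings.append((name, "unexpected-channel", channel))
    return findings


# Constructed sample modelled on the mamba dry run in this thread:
# pillow 10.2.0 arrives from pkgs/main, libtiff is downgraded to 4.2.0.
SAMPLE = json.dumps([
    {"name": "pillow", "version": "10.2.0", "channel": "pkgs/main"},
    {"name": "libtiff", "version": "4.2.0", "channel": "conda-forge"},
    {"name": "matplotlib-base", "version": "3.6.1", "channel": "conda-forge"},
    {"name": "jpeg", "version": "9e", "channel": "conda-forge"},
])

if __name__ == "__main__":
    for name, kind, detail in audit_env(SAMPLE):
        print(f"{name}: {kind} ({detail})")
```

Run it against a real environment with `conda list --json > env.json` and pass the file contents to `audit_env`.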

HomoPolyethylen commented 3 weeks ago

issue resolved with release of querynator 0.5.0 https://quay.io/repository/biocontainers/querynator/manifest/sha256:d61912ea181d9395da28725e7ff34245b8a1597b61bc77ef6e0dc88544521926?tab=vulnerabilities