
[universal] - Fix vulnerability issues GHSA-mf9w-mj56-hr94 and GHSA-p423-j2cm-9vmq #1890

Open: Kaniska244 wants to merge 4 commits into devcontainers:main from Kaniska244:universal-image-vuln-issue

Conversation

Kaniska244 (Contributor) commented Jun 8, 2026
| GHSA ID | Vulnerability ID | Action | Package | Installed Version | Required Version | Language | Install Path | Image Digest |
|---|---|---|---|---|---|---|---|---|
| Python (Pip) Security Update for python-dotenv (GHSA-mf9w-mj56-hr94) | 5011346 | Y | python-dotenv | 0.21.0 | 1.2.2 | python | `opt/conda/lib/python3.13/site-packages/python__dotenv-1.2.1.dist-info/METADATA` and `opt/conda/pkgs/python-dotenv-1.2.1-py313h06a4308__0/lib/python3.13/site-packages/python__dotenv-1.2.1.dist-info/METADATA` | sha256:d4e0d5954535d633a354e99ff41cffc72f65839696e7be1373c00a2efd392269 |
| Python (Pip) Security Update for cryptography (GHSA-p423-j2cm-9vmq) | 5010634 | Y | cryptography | 46.0.5 | 46.0.7 | python | `opt/conda/pkgs/cryptography-45.0.7-py313h0a354b3__0/lib/python3.13/site-packages/cryptography-45.0.7.dist-info/METADATA` | sha256:ebf14f951910c62ec544a6f636027b44a485c5e6a5aaeaf0f6d8ae0afee0d125 |
| | | | cryptography | 46.0.5 | 46.0.7 | Python | `opt/conda/lib/python3.13/site-packages/cryptography-46.0.5.dist-info/METADATA` | |
| | | | cryptography | 46.0.5 | 46.0.7 | Python | `opt/conda/pkgs/cryptography-46.0.5 py313h04fe016__1/lib/python3.13/site-packages/cryptography-46.0.5.dist-info/METADATA` | |

Kaniska244 changed the title from "[universal] - Fix vulnerability issue GHSA-mf9w-mj56-hr94" to "[universal] - Fix vulnerability issues GHSA-mf9w-mj56-hr94 and GHSA-p423-j2cm-9vmq" on Jun 9, 2026
Kaniska244 marked this pull request as ready for review June 9, 2026 05:44
Kaniska244 requested a review from a team as a code owner June 9, 2026 05:44
Copilot AI review requested due to automatic review settings June 9, 2026 05:44

Copilot AI (Contributor) left a comment

Pull request overview

Updates the Universal image’s Conda patching and validation to address reported security advisories for cryptography (GHSA-p423-j2cm-9vmq) and python-dotenv (GHSA-mf9w-mj56-hr94), along with a patch version bump for the image.

Changes:

  • Bump Universal image version from 6.0.4 to 6.0.5.
  • Update Conda patching to install cryptography 46.0.7 and add patching for python-dotenv 1.2.2.
  • Update the Universal test project’s Conda package version checks accordingly.
Summary per file:

| File | Description |
|---|---|
| src/universal/test-project/test.sh | Updates expected Conda package versions (and adds python-dotenv validation). |
| src/universal/manifest.json | Bumps Universal image patch version to 6.0.5. |
| src/universal/.devcontainer/local-features/patch-conda/install.sh | Updates Conda patching to target the fixed advisory versions. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread on src/universal/test-project/test.sh (outdated)
checkCondaPackageVersion "pyopenssl" "26.0.0"
checkCondaPackageVersion "urllib3" "2.6.3"
checkCondaPackageVersion "brotli" "1.2.0"
checkCondaPackageVersion "python-dotenv" "1.2.2"

Kaniska244 (Contributor, Author) replied:

The problem is in the python-dotenv library version installed in the supporting Python binary of the conda feature, not in the actual python feature installed in the universal image, and the library isn't available in conda channels; therefore pip was used for the installation. However, once installed with pip, the `conda list` command perfectly shows the correct version of the python-dotenv library. So this change should not be needed.

Comment on lines +63 to +64
# https://github.com/advisories/GHSA-mf9w-mj56-hr94
update_python_package /opt/conda/bin/python3 python-dotenv "1.2.2"
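Review bot: `update_python_package /opt/conda/bin/python3 python-dotenv "1.2.2"` pins the fix version as a literal that is duplicated in test.sh's `checkCondaPackageVersion "python-dotenv" "1.2.2"`, so the next python-dotenv advisory needs both lines edited together; a comment next to the advisory URL naming that second location (or reading the version from one place) would keep the two from drifting. Passing /opt/conda/bin/python3 explicitly is the right call here, since the package goes into conda's own environment via pip rather than into the image's separate python feature.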

Kaniska244 (Contributor, Author) commented Jun 9, 2026

The problem is in the python-dotenv library version installed in the supporting Python binary of the conda feature, not in the actual python feature installed in the universal image, and the library isn't available in conda channels; therefore pip was used with conda's supporting Python binary path /opt/conda/bin/python3 for the installation. So no further change should be needed.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
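As an added example (not code from this PR or from the devcontainers repository), the version gate that the reply above relies on: a `conda list` style inventory is checked against the advisory fix versions from the PR table, in the spirit of test.sh's checkCondaPackageVersion. The inventory text, the function names and the sample versions are constructed assumptions, not the Universal image's real output.

```shell
#!/bin/sh
# Constructed sample of `conda list` output; not the real Universal image inventory.
SAMPLE_CONDA_LIST='# packages in environment at /opt/conda:
#
# Name                    Version                   Build  Channel
cryptography              46.0.5          py313h04fe016_1
python-dotenv             0.21.0                   pypi_0    pypi
pyopenssl                 26.0.0             pyhd8ed1ab_0    conda-forge
urllib3                   2.6.3              pyhd8ed1ab_0    conda-forge'

# version_ge A B: exit 0 when A >= B, comparing dotted numeric components.
# Missing components count as 0; PEP 440 pre-release/post tags are not handled.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0; [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# installed_version PKG: print the Version column for PKG from conda list text on stdin.
# pip-installed packages show up too (channel "pypi"), which is why conda list can
# report the python-dotenv version even though it was installed with pip.
installed_version() {
    awk -v pkg="$1" '$1 == pkg { print $2; exit }'
}

# check_conda_package_version PKG REQUIRED: exit 0 if the installed version satisfies
# the advisory fix version, 1 if it is older, 2 if the package is absent.
check_conda_package_version() {
    pkg="$1"; required="$2"
    installed=$(printf '%s\n' "$SAMPLE_CONDA_LIST" | installed_version "$pkg")
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"
        return 2
    fi
    if version_ge "$installed" "$required"; then
        echo "$pkg: $installed >= $required (ok)"
        return 0
    fi
    echo "$pkg: $installed < $required (advisory still open)"
    return 1
}
```

After sourcing the script, `check_conda_package_version cryptography 46.0.7` exits 1 against the sample inventory, which is the state the PR's install.sh change is meant to clear.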