
Commit d1b59c7

committed
kubeflow-jupyter-web-app: add explicit cachetools dep, fix pip install flags
Add py3.13-cachetools as an explicit runtime dependency. Upstream code imports cachetools directly (apps/common/utils.py) but it was only available as a transitive dep of google-auth, which dropped it in v2.47.0. This caused ModuleNotFoundError at container startup.

Also fix copy-paste bug where werkzeug CVE remediation (GHSA-hgf8-39gv-g3f2) was installing requests a second time, and add missing --prefix/--root flags to urllib3, setuptools, and cryptography pip installs so CVE remediations actually reach the final image.

Fixes: chainguard-dev/customer-issues#3305
Export: 48801f4
1 parent c497da4 commit d1b59c7

5 files changed

Lines changed: 12 additions & 23 deletions


cadvisor.yaml

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,13 @@
11
package:
22
name: cadvisor
33
version: "0.56.2"
4-
epoch: 7 # go/wolfi-rsc/cadvisor
4+
epoch: 6 # CVE-2026-25679 CVE-2026-27139 CVE-2026-27142 CVE-2026-33186
55
description: Analyzes resource usage and performance characteristics of running containers.
66
copyright:
77
- license: Apache-2.0
88
resources:
99
cpu: "2"
1010
memory: 7Gi
11-
test-resources:
12-
cpu: "1"
13-
memory: 1Gi
1411

1512
environment:
1613
contents:
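Review bot: this cadvisor.yaml change is outside the commit's stated scope (the message only describes kubeflow-jupyter-web-app) and it moves `epoch: 7` back to `epoch: 6`, which is a downgrade: apk treats the epoch as the package revision, so a rebuilt `0.56.2-r6` sorts below the `0.56.2-r7` already published and will not be picked up as an upgrade. The removed `test-resources` block looks like a stale branch losing someone else's change rather than a deliberate edit. Suggest rebasing onto current main so this file drops out of the diff, or, if the revert is intended, splitting it into its own commit with a message explaining it.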

debezium-connector-informix-3.5.yaml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
package:
22
name: debezium-connector-informix-3.5
33
version: "3.5.0"
4-
epoch: 1 # GHSA-vqf4-7m7x-wgfc
4+
epoch: 0
55
description: An incubating Debezium CDC connector for IBM Informix database
66
copyright:
77
- license: Apache-2.0
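Review bot: `epoch: 1 # GHSA-vqf4-7m7x-wgfc` becomes `epoch: 0`, so the package revision goes backwards and the advisory reference recorded against that epoch disappears, with nothing in the commit message covering this file. If this is an accidental carry-over from an unrebased branch, rebase so the change drops out; if backing out the remediation is deliberate, keep the epoch moving forward (for example `epoch: 2`) and keep a comment saying why.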
@@ -34,8 +34,6 @@ pipeline:
3434

3535
- uses: auth/maven
3636

37-
- uses: maven/pombump
38-
3937
- name: Build
4038
runs: |
4139
./mvnw clean install -B -ntp -f pom.xml -T$(nproc)C \
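Review bot: removing the `- uses: maven/pombump` step (together with the deleted `pombump-deps.yaml`) undoes the dependency override that the previous epoch comment attributed to GHSA-vqf4-7m7x-wgfc, so the `./mvnw clean install` step that follows will resolve the upstream pom's dependency versions again. Unless upstream 3.5.0 already ships the fixed version, this reintroduces the vulnerability that the override remediated. Either restore the step, or state in the commit message why the override is no longer needed and bump the epoch rather than lowering it.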

debezium-connector-informix-3.5/pombump-deps.yaml

Lines changed: 0 additions & 4 deletions
This file was deleted.

kubeflow-jupyter-web-app.yaml

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,17 @@
11
package:
22
name: kubeflow-jupyter-web-app
33
version: "1.10.0"
4-
epoch: 13 # go/wolfi-rsc/kubeflow-jupyter-web-app
4+
epoch: 14 # go/wolfi-rsc/kubeflow-jupyter-web-app
55
description: Kubeflow jupyter web app component
66
copyright:
77
- license: Apache-2.0
88
dependencies:
99
runtime:
1010
- bash
11+
# cachetools is imported directly by upstream (apps/common/utils.py) but was only
12+
# a transitive dep of google-auth, which dropped it in v2.47.0 (PR #1590).
13+
# See: https://github.com/chainguard-dev/customer-issues/issues/3305
14+
- py${{vars.python-version}}-cachetools
1115
- py${{vars.python-version}}-gunicorn-bin
1216
resources:
1317
cpu: "3"
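Review bot: the epoch bump and the explicit `py${{vars.python-version}}-cachetools` runtime dependency look right, and the comment records why it is needed. One gap: the failure this fixes (ModuleNotFoundError at container startup) was only found in a running container, so nothing here stops the next transitive-dependency drop from doing the same. Consider adding a `test:` pipeline step that imports the module against the built package, for example `python -c "import cachetools"` plus an import of the upstream module that uses it, so the build fails instead of the deployment. If upstream relies on a particular cachetools API, a minimum version on the dependency would also be worth adding.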
@@ -54,13 +58,13 @@ pipeline:
5458
# Upgrade requests to fix GHSA-9hjg-9r4m-mvj7
5559
$pip install --upgrade "requests>=2.32.4" --prefix=/usr --root="${{targets.destdir}}"
5660
# Upgrade werkzeug to fix GHSA-hgf8-39gv-g3f2
57-
$pip install --upgrade "requests>=2.32.4" --prefix=/usr --root="${{targets.destdir}}"
61+
$pip install --upgrade "werkzeug>=3.1.5" --prefix=/usr --root="${{targets.destdir}}"
5862
# Remediate GHSA-38jv-5279-wg99
59-
pip install --upgrade "urllib3>=2.6.3"
63+
$pip install --upgrade "urllib3>=2.6.3" --prefix=/usr --root="${{targets.destdir}}"
6064
# Remediate GHSA-58pv-8j8x-9vj2
61-
pip install --upgrade "setuptools>=80.10.1"
65+
$pip install --upgrade "setuptools>=80.10.1" --prefix=/usr --root="${{targets.destdir}}"
6266
# Remediate GHSA-r6ph-v2qm-q3c2
63-
pip install --upgrade "cryptography>=46.0.5"
67+
$pip install --upgrade "cryptography>=46.0.5" --prefix=/usr --root="${{targets.destdir}}"
6468
# Remediate GHSA-jr27-m4p2-rc6r
6569
$pip install --upgrade "pyasn1>=0.6.3" --prefix=/usr --root="${{targets.destdir}}"
6670
ls -latr /usr/lib/python${{vars.python-version}}/site-packages
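Review bot: the werkzeug line now actually installs werkzeug, and urllib3, setuptools and cryptography use the same `$pip install … --prefix=/usr --root="${{targets.destdir}}"` form as the other remediations, which is what places them in the package rather than only in the build environment. The trailing `ls -latr /usr/lib/python${{vars.python-version}}/site-packages` still lists the build host's path, not `${{targets.destdir}}`, so it does not confirm that the upgraded versions landed in the package; point it at `${{targets.destdir}}/usr/lib/python${{vars.python-version}}/site-packages`, or better, add a `test:` step that imports each upgraded package and asserts `__version__` meets the lower bound used here, so a regression in any of these GHSA remediations fails the build.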

oauth2-proxy.yaml

Lines changed: 1 addition & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,10 @@
11
package:
22
name: oauth2-proxy
33
version: "7.15.1"
4-
epoch: 1 # go/wolfi-rsc/oauth2-proxy
4+
epoch: 0 # GHSA-p77j-4mvh-x3m3
55
description: Reverse proxy and static file server that provides authentication using various providers to validate accounts by email, domain or group.
66
copyright:
77
- license: MIT
8-
resources:
9-
cpu: "2"
10-
memory: 6Gi
11-
test-resources:
12-
cpu: "1"
13-
memory: 3Gi
148

159
var-transforms:
1610
- from: ${{package.version}}
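Review bot: oauth2-proxy.yaml moves `epoch: 1 # go/wolfi-rsc/oauth2-proxy` back to `epoch: 0 # GHSA-p77j-4mvh-x3m3` and deletes the `resources` and `test-resources` blocks, none of which the commit message mentions. A decreasing epoch will not be treated as an upgrade by apk, and the cpu/memory limits were presumably raised for a reason, so dropping them risks build failures on the default allocation. This has the shape of an unrebased branch reverting a later commit; rebase onto main so this file is untouched, or split the revert out with its own justification.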
