
Vulnerable version for the onnx package in the poetry.lock

Open linqiu0-0 opened this issue 1 year ago • 2 comments

[ ] I have checked the documentation and related resources and couldn't resolve my bug.

Describe the bug: I've identified that the onnx package listed in the src/experimental/poetry.lock file has a version defined as 1.16.1, which contains a path traversal vulnerability. This issue has been documented in Snyk, as indicated in this report.

This vulnerability will likely trigger some CVE issues during the vulnerability scans in our Docker image build and push process with Ragas as a dependency. To ensure the integrity and security of this package, could we please update the onnx package to the safe version 1.16.2?

Ragas version: latest

Thank you!

linqiu0-0 avatar Aug 06 '24 23:08 linqiu0-0

Hey there, @linqiu0-0! 👋 I'm here to help you with any bugs, questions, or contributions you have for the repository. Let's squash those bugs together!

To address the vulnerability in the onnx package, you should update the version to 1.16.2 in the poetry.lock file. Additionally, ensure that the onnx package version is updated in requirements/test.txt and verify that the unit tests pass successfully in the CI pipeline. The unit_tests job in the CI pipeline installs dependencies from requirements/test.txt, which should include the onnx package [1].

To continue talking to Dosu, mention @dosu.

dosubot[bot] avatar Aug 06 '24 23:08 dosubot[bot]
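The two comments above describe a check a practitioner would want to automate: confirm whether a lock file (and a plain requirements file such as requirements/test.txt) still pins onnx below the fixed 1.16.2 release. The following is an added example written for this page; it is not code from the ragas project or from the commenters. The lock and requirements contents are constructed inline, the `MIN_SAFE` floor table is an assumption you would maintain yourself (only the onnx entry comes from the thread), and pre-release suffixes are deliberately truncated when comparing versions.

```python
import re

try:
    import tomllib  # stdlib since Python 3.11
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # assumption: tomli installed on older interpreters

# Constructed sample of a poetry.lock; not the project's real lock file.
SAMPLE_LOCK = '''
[[package]]
name = "numpy"
version = "1.26.4"
description = "Fundamental package for array computing in Python"
optional = false
python-versions = ">=3.9"

[[package]]
name = "onnx"
version = "1.16.1"
description = "Open Neural Network Exchange"
optional = false
python-versions = ">=3.8"

[metadata]
lock-version = "2.0"
python-versions = ">=3.9"
content-hash = "0000"
'''

# Constructed sample of a pip requirements file (e.g. requirements/test.txt).
SAMPLE_REQS = """# constructed requirements/test.txt
pytest>=7
onnx==1.16.1  # pinned for experimental tests
numpy==1.26.4
"""

# Minimum fixed versions keyed by normalized package name. The onnx floor
# comes from the thread; the table itself is an assumption you maintain.
MIN_SAFE = {"onnx": "1.16.2"}

# Matches "name==version" pins; ignores ranges, comments and -r includes.
REQ_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#,]*)")


def normalize(name):
    """Normalize a distribution name the way pip does (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Release segment of a version as an int tuple ("1.16.1" -> (1, 16, 1)).

    Pre-release tags such as "1.17.0rc1" are truncated to (1, 17, 0); this
    is an assumption made to keep the example dependency free.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def lock_packages(lock_text):
    """Map normalized package name -> pinned version from poetry.lock text."""
    data = tomllib.loads(lock_text)
    return {normalize(p["name"]): p["version"] for p in data.get("package", [])}


def find_vulnerable(lock_text, min_safe=MIN_SAFE):
    """Return (name, pinned, floor) for every lock entry below its floor."""
    pinned = lock_packages(lock_text)
    findings = []
    for name, floor in min_safe.items():
        if name in pinned and parse_version(pinned[name]) < parse_version(floor):
            findings.append((name, pinned[name], floor))
    return findings


def check_requirements(req_text, min_safe=MIN_SAFE):
    """Same check for a pip requirements file with exact (==) pins."""
    findings = []
    for line in req_text.splitlines():
        m = REQ_PIN.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name in min_safe and parse_version(version) < parse_version(min_safe[name]):
            findings.append((name, version, min_safe[name]))
    return findings


if __name__ == "__main__":
    for label, hits in (("poetry.lock", find_vulnerable(SAMPLE_LOCK)),
                        ("requirements", check_requirements(SAMPLE_REQS))):
        for name, pinned, floor in hits:
            print(f"{label}: {name} pinned at {pinned}, minimum fixed version is {floor}")
```

Run the check in CI before the image build rather than hand-editing poetry.lock: the lock carries a content hash, so the version should be moved with `poetry update onnx` (or `poetry lock`) and the pin in requirements/test.txt raised in the same change, then the unit tests re-run.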

@linqiu0-0 thank you so much for reporting this 🙌🏽. If you'd like to, maybe you could give contributing a fix a shot?

I can take it up if not but if you're interested let me know 🙂

jjmachan avatar Aug 07 '24 12:08 jjmachan

Closing this as resolved.

anistark avatar Oct 30 '25 11:10 anistark