
lightning dependency critical CVE - Update dependency list, especially for conda which is pinned below the CVE patch

Open pranavmishra90 opened this issue 6 months ago • 1 comments

conda package feedstock has a lightning package dependency of "lightning >=2.0,<2.1" which is different from the pypi dependency of "lightning>=2.0".

lightning has a critical-level CVE reported at https://github.com/advisories/GHSA-mr7h-w2qc-ffc2, with a patch in version 2.3.3. Recommend bumping the dependency for scvi-tools before v1.2 (#2889) after testing.

The pip package may automatically pick up the latest version of lightning. However, the conda package installer is preventing it from being installed.

## snippet of environment.yaml

```yaml
  - python=3.11
  - lightning>=2.3.3
  - scvi-tools=1.1
```

## generating a conda-lock file

```
conda-lock --mamba --kind lock -p linux-64 -f environment.yml --with-cuda 12.4 --lockfile ./tmp/conda-lock.yml
└─ scvi-tools 1.1**  is not installable because it requires
   └─ lightning >=2.0,<2.1 , which conflicts with any installable versions previously reported.
```

This is expected because:

```
conda search scvi-tools=1.1.5 --info -c conda-forge

Loading channels: done
scvi-tools 1.1.5 pyhd8ed1ab_0
-----------------------------
file name   : scvi-tools-1.1.5-pyhd8ed1ab_0.conda
name        : scvi-tools
version     : 1.1.5
build       : pyhd8ed1ab_0
build number: 0
size        : 224 KB
license     : BSD-3-Clause
subdir      : noarch
url         : https://conda.anaconda.org/conda-forge/noarch/scvi-tools-1.1.5-pyhd8ed1ab_0.conda
md5         : e019ce59ca342c17768f579857b6d48a
timestamp   : 2024-07-01 01:09:48 UTC
dependencies: 
  - anndata >=0.7.5
  - docrep >=0.3.2
  - flax >=0.4.0
  - h5py >=2.9.0
  - jax >=0.4.4
  - jaxlib >=0.4.3
  - lightning >=2.0,<2.1
  - ml-collections >=0.1.1
  - mudata >=0.1.2
  - numpy >=1.17.0
  - numpyro >=0.12.1
  - openpyxl >=3.0
  - optax
  - pandas >=1.0
  - pyro-ppl >=1.6.0
  - python >=3.9
  - pytorch >=1.8.0
  - rich >=12.0.0
  - scikit-learn >=0.21.2
  - sparse >=0.14.0
  - torchmetrics >=0.11.0
  - tqdm >=4.56.0
  - xarray >=2023.2.0
```

matching the lightning version which is present at https://github.com/conda-forge/scvi-tools-feedstock/blob/main/recipe/meta.yaml

Versions:

scvi-tools: 1.1.5

pranavmishra90, Aug 19 '24 06:08
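The security-relevant point of the issue is that an upper-bound pin (`lightning >=2.0,<2.1`) silently excludes the release that carries the fix (2.3.3), while the unbounded pip requirement (`lightning>=2.0`) does not. The following script, added here as an example and not code from the issue, scvi-tools or conda-forge, parses dependency lines in the form shown above and reports which pins cannot admit a given patched version. The dependency strings and the 2.3.3 fix version are taken from the issue; the parser is a deliberately minimal one (assumption: only the operators `>=`, `>`, `<=`, `<`, `==`, `!=` with dotted numeric versions) and does not implement the full conda match-spec grammar, so conda's fuzzy `=1.1` form and build strings are rejected rather than guessed at.

```python
"""Report dependency pins that cannot install a security-patched release.

Added example for this issue; not scvi-tools or conda-forge code. Only the
operators >=, >, <=, <, ==, != with dotted numeric versions are supported
(an assumption); conda's fuzzy '=1.1' form, '*' globs and build strings are
rejected rather than silently misread.
"""
import re
from typing import Callable, Dict, List, Tuple

# Dependency lines copied from the issue: the conda feedstock pin and the pip pin.
CONDA_DEPS = ["lightning >=2.0,<2.1", "pytorch >=1.8.0", "numpy >=1.17.0"]
PIP_DEPS = ["lightning>=2.0"]

# First fixed lightning version named in the advisory cited by the issue.
PATCHED_LIGHTNING = "2.3.3"

_DEP_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<spec>.*)$")
_CLAUSE_RE = re.compile(r"^(?P<op>>=|<=|==|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*)$")

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.3' into (2, 3, 3); trailing zeros are dropped so 2.0 == 2.0.0."""
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_dep(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'lightning >=2.0,<2.1' into ('lightning', [('>=', '2.0'), ('<', '2.1')])."""
    match = _DEP_RE.match(line)
    if not match:
        raise ValueError(f"unparseable dependency line: {line!r}")
    name, spec = match.group("name"), match.group("spec").strip()
    clauses: List[Tuple[str, str]] = []
    if spec:
        for raw in spec.split(","):
            clause = _CLAUSE_RE.match(raw.strip())
            if not clause:
                raise ValueError(f"unsupported version clause {raw!r} in {line!r}")
            clauses.append((clause.group("op"), clause.group("ver")))
    return name, clauses


def admits(clauses: List[Tuple[str, str]], version: str) -> bool:
    """True when every clause of the spec is satisfied by `version`."""
    candidate = parse_version(version)
    return all(_OPS[op](candidate, parse_version(bound)) for op, bound in clauses)


def blocking_pins(deps: List[str], package: str, patched: str) -> List[str]:
    """Return the lines for `package` whose spec cannot install the `patched` release."""
    blocked = []
    for line in deps:
        name, clauses = parse_dep(line)
        if name == package and not admits(clauses, patched):
            blocked.append(line)
    return blocked


if __name__ == "__main__":
    for label, deps in (("conda feedstock", CONDA_DEPS), ("pip", PIP_DEPS)):
        bad = blocking_pins(deps, "lightning", PATCHED_LIGHTNING)
        verdict = "BLOCKS the patched release" if bad else "admits the patched release"
        print(f"{label}: {verdict} {bad}")
```

Run as-is, the conda feedstock line is reported as blocking 2.3.3 and the pip line is not, which is exactly the split the issue describes. The same check can be pointed at the `dependencies:` list from `conda search --info` output to audit every pinned package in one pass.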