CVE-2021-33503

Advisory

Smqtk-descriptors 0.19.0 updates its dependency 'urllib3' to version '1.26.5' to include a security fix.
https://github.com/Kitware/SMQTK-Descriptors/commit/b5bb08b105bab79c595fe07f82d9c5dda47059fe

Affected package

Affected versions

Fixed versions

Vulnerability changelog

=======

This minor release updates the mimumum supported python to `python = "^3.8"`, addresses dependency vulnerabilities, and updates typing to conform with current mypy and pytest standards.

Updates / New Features
----------------------

Python

* New minimum supported python changed to `python = "^3.8"`.

CI

* Added workflow to inherit the smqtk-core publish workflow.

* Updated CI unittests workflow to include codecov reporting.
Reduced CodeCov report submission by skipping this step on scheduled runs.

* Updated CI unittests to reflect new minimum support `python = "^3.8"`.

Miscellaneous

* Added a wrapper script to pull the versioning/changelog update helper from
smqtk-core to use here without duplication.

Misc.

* Added PyTorch descriptor generator implementation.

Testing

* Updated pytest configuration to cover package + tests and added report output
options.

* Removed or no-cover mark dead lines of code.

Documentation

* Updated CONTRIBUTING.md to reference smqtk-core's CONTRIBUTING.md file.

Fixes
-----

CI

* Modified CI unittests workflow to run for PRs targetting branches that match
the `release*` glob.

Dependency Versions

* Updated the locked version of urllib3 to address a security vulnerability.

* Updated the locked version of pillow to address a security vulnerability.

* Updated the developer dependency and locked version of ipython to address a
security vulnerability.

* Removed `jedi = "^0.17.2"` requirement since recent `ipython = "^7.17.3"`
update appropriately addresses the dependency.

* Updated the locked versions of dependencies to reflect new minimum support `python = "^3.8"`.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503