PyPi: Elyra

CVE-2022-0639

Transitive

Safety vulnerability ID: 50877


Created at Feb 17, 2022 Updated at Nov 29, 2024

Advisory

Elyra 3.11.0 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.

Affected package

elyra

Latest version: 3.15.0

Elyra provides AI Centric extensions to JupyterLab

Affected versions

Fixed versions

Vulnerability changelog

- [Installation documentation](https://elyra.readthedocs.io/en/v3.11.0/getting_started/installation.html)
- [Getting help](https://elyra.readthedocs.io/en/v3.11.0/getting_started/getting-help.html)

New feature highlights

JupyterLab launcher: Find out what's new in Elyra

The JupyterLab launcher now includes a `What's new` tile in the _Elyra_ category, which links to the release summary of the release you are using, e.g. https://github.com/elyra-ai/elyra/releases/tag/v3.11.0 for Elyra version 3.11. The release summary highlights new features and provides links to release specific resources.

![image](https://user-images.githubusercontent.com/13068832/187368482-6f84739e-674a-460b-99b2-0c9a15588495.png)


Python code editor: improved debugger integration

**This feature is currently experimental.** The [Elyra Python editor](https://elyra.readthedocs.io/en/v3.11.0/user_guide/enhanced-script-support.html#python-script-execution-support) was extended to make it easier to use the [JupyterLab debugger](https://jupyterlab.readthedocs.io/en/latest/user/debugger.html). Refer to [the user guide](https://elyra.readthedocs.io/en/v3.11.0/user_guide/enhanced-script-support.html#python-script-debugging-support-experimental) for more information.

![image](https://user-images.githubusercontent.com/13068832/184614413-5bd6bab0-3571-43a5-b15c-d9366260f6f5.png)

New Scala code editor

**This feature is currently experimental.** The Elyra family of editors for JupyterLab now includes a [Scala code editor](https://elyra.readthedocs.io/en/v3.11.0/user_guide/enhanced-script-support.html#scala-script-execution-support-experimental). This editor can also be installed as a stand-alone extension from [PyPI](https://elyra.readthedocs.io/en/v3.11.0/getting_started/installation.html#pip).

![image](https://user-images.githubusercontent.com/13068832/184099736-6a3dc7da-ea74-41f5-a8ae-18950585b6fb.png)

Note that Scala files are not supported by the Visual Pipeline Editor.

Pipeline editor: support Kubernetes tolerations

The Visual Pipeline Editor now allows for optional input of [Kubernetes pod tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). Tolerations can be defined as [pipeline defaults (applying to all nodes) and for individual nodes](https://elyra.readthedocs.io/en/v3.11.0/user_guide/pipelines.html#defining-pipeline-properties) and are supported for Kubeflow Pipelines and Apache Airflow.

![image](https://user-images.githubusercontent.com/13068832/183430312-8051e79c-db1b-4f5f-bcdb-3f02c8819d34.png)

Pipeline editor: support Kubernetes pod annotations

The Visual Pipeline Editor now allows for optional input of [Kubernetes pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). Annotations can be defined as [pipeline defaults (applying to all nodes) and for individual nodes](https://elyra.readthedocs.io/en/v3.11.0/user_guide/pipelines.html#defining-pipeline-properties) and are supported for Kubeflow Pipelines and Apache Airflow.

![image](https://user-images.githubusercontent.com/13068832/183426950-f6f54435-8a07-493e-b99d-b9851173d7f5.png)

Pipeline editor: remove resource caps for CPU and RAM

In earlier releases the Visual Pipeline Editor capped CPU and RAM resource requests at 99. The caps have been removed.

Component catalog connectors: support loading from local sources

The [Apache Airflow package component catalog connector](https://elyra.readthedocs.io/en/latest/user_guide/pipeline-components.html#apache-airflow-package-catalog), the [Apache Airflow provider package component catalog connector](https://elyra.readthedocs.io/en/v3.11.0/user_guide/pipeline-components.html#apache-airflow-provider-package-catalog), and the [URL component catalog connector](https://elyra.readthedocs.io/en/v3.11.0/user_guide/pipeline-components.html#url-component-catalog) now support locally stored files as a source.

![image](https://user-images.githubusercontent.com/13068832/183875746-19c5049a-29c3-4b85-ad24-bbde320c9989.png)

Locally stored files can improve the performance of the Visual Pipeline Editor by eliminating the need to download them from remote locations.

Runtime configuration: support for optional public object storage endpoint

[Runtime configurations](https://elyra.readthedocs.io/en/v3.11.0/user_guide/runtime-conf.html) give Elyra access to external resources, such as Kubeflow Pipelines or Apache Airflow for scalable pipeline execution. In prior releases a runtime configuration allowed only a single URL to be specified for cloud object storage. This limitation causes issues in the Elyra UI when object storage deployment policies are configured to enforce separation of read-only and write operations.

To support those deployments it's now possible to optionally configure a read-only endpoint (`Public Cloud Object Storage Endpoint`) in addition to the existing write endpoint (`Cloud Object Storage Endpoint`). Refer to the [documentation](https://elyra.readthedocs.io/en/v3.11.0/user_guide/runtime-conf.html#cloud-storage-settings) for details.

![image](https://user-images.githubusercontent.com/13068832/185364208-e4f764af-c1af-4239-8d54-0205ad866bd3.png)


What's Changed
New Features
* Add support for schema validators by kevin-bates in https://github.com/elyra-ai/elyra/pull/2829
* Add Scala editor by lresende in https://github.com/elyra-ai/elyra/pull/2850
* Add support for Kubernetes annotations by ptitzler in https://github.com/elyra-ai/elyra/pull/2868
* Add support for 'file' URI scheme to URL-based connectors by ptitzler in https://github.com/elyra-ai/elyra/pull/2873
* Add support for Kubernetes tolerations by ptitzler in https://github.com/elyra-ai/elyra/pull/2848
* Makefile: Add capability to validate individual runtime images by ptitzler in https://github.com/elyra-ai/elyra/pull/2879
* Add "what's new" tile to launcher by salonee13 in https://github.com/elyra-ai/elyra/pull/2857
* Add support for COS public endpoint to Kubeflow Pipelines runtime config by portellaa in https://github.com/elyra-ai/elyra/pull/2887
* Add support for COS public endpoint to Airflow runtime config by ptitzler in https://github.com/elyra-ai/elyra/pull/2890
Bug Fixes
* Fix container image build issues for official releases by ptitzler in https://github.com/elyra-ai/elyra/pull/2845
* Fix invalid URL in extension descriptions by ptitzler in https://github.com/elyra-ai/elyra/pull/2860
* Update user guide to enable elyra[all] install on zsh by leucir in https://github.com/elyra-ai/elyra/pull/2839
* Fix Airflow Operator execution bugs in handling of Elyra-owned properties by kiersten-stokes in https://github.com/elyra-ai/elyra/pull/2865
* Fix invalid variable names in error messages by ptitzler in https://github.com/elyra-ai/elyra/pull/2883
* Fix release script and instructions by ptitzler in https://github.com/elyra-ai/elyra/pull/2843
* Fix linting errors in server code by ptitzler in https://github.com/elyra-ai/elyra/pull/2885
* Remove .ONESHELL Makefile directive so multi-step targets properly fail by kevin-bates in https://github.com/elyra-ai/elyra/pull/2888
* Address SVG rendering issues by ajbozarth in https://github.com/elyra-ai/elyra/pull/2895
Other
* Address test warnings by kevin-bates in https://github.com/elyra-ai/elyra/pull/2833
* Add Open Data Hub image refresh instructions by ptitzler in https://github.com/elyra-ai/elyra/pull/2847
* Fix doc requirements to address build issue by kevin-bates in https://github.com/elyra-ai/elyra/pull/2853
* Removes max limit for the GPU and RAM properties by VNA818-RPI in https://github.com/elyra-ai/elyra/pull/2856
* Added development environment dockerfile and requirements file by salonee13 in https://github.com/elyra-ai/elyra/pull/2808
* Remove deprecation warning for local runtime type by kiersten-stokes in https://github.com/elyra-ai/elyra/pull/2862
* Improve 'Running Elyra in an air-gapped environment' documentation topic by ptitzler in https://github.com/elyra-ai/elyra/pull/2871
* Improve repository README by ptitzler in https://github.com/elyra-ai/elyra/pull/2835
* Dev workflow documentation updates by salonee13 in https://github.com/elyra-ai/elyra/pull/2832
* Add export and validation handler tests by akchinSTC in https://github.com/elyra-ai/elyra/pull/2876
* Bump kfp-tekton dependency to 1.3.0 by ptitzler in https://github.com/elyra-ai/elyra/pull/2884
* Add image verification steps to 'Creating a custom runtime container image' documentation by ptitzler in https://github.com/elyra-ai/elyra/pull/2882
* Improve JSON output of 'elyra-pipeline describe' command by ptitzler in https://github.com/elyra-ai/elyra/pull/2878
* Update documentation for elyra development image by akchinSTC in https://github.com/elyra-ai/elyra/pull/2889
* Script editor debugger - experimental by karlaspuldaro in https://github.com/elyra-ai/elyra/pull/2087
* Update release script container builds by akchinSTC in https://github.com/elyra-ai/elyra/pull/2891
* Node package security updates by akchinSTC in https://github.com/elyra-ai/elyra/pull/2896

New Contributors
* salonee13 made their first contribution in https://github.com/elyra-ai/elyra/pull/2808
* leucir made their first contribution in https://github.com/elyra-ai/elyra/pull/2839
* portellaa made their first contribution in https://github.com/elyra-ai/elyra/pull/2887

**Full Changelog**: https://github.com/elyra-ai/elyra/compare/v3.10.1...v3.11.0

Resources


Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
LOW
Availability Impact (A)
NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
PARTIAL
Availability Impact (A)
NONE