PyPi: Flytekit

CVE-2022-2309

Transitive

Safety vulnerability ID: 51327

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 05, 2022 Updated at Dec 11, 2024

Advisory

Flytekit 1.2.0 updates its dependency 'lxml' from 4.9.0 to 4.9.1 to pick up the fix for CVE-2022-2309, a NULL pointer dereference in lxml's iterwalk() (also reached through canonicalize()) that crafted XML input can trigger to crash the process. The impact is denial of service only, which matches the availability-only CVSS vectors below. Flytekit's own code is not the subject of the CVE; the exposure is transitive through the lxml version that flytekit pinned, so what matters in a deployment is which lxml release actually resolves into the environment.
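The check a practitioner wants here is not "which flytekit is installed" but "which lxml resolved". The following is an added example (not code from the advisory or from the flytekit project) that scans `pip freeze` style output for an lxml pin below the fixed release and, separately, asks the running interpreter which lxml is installed. The `pip freeze` text is constructed for illustration; the fixed version 4.9.1 is taken from the advisory.

```python
"""Added example: flag an lxml pin below the release that fixes CVE-2022-2309.

Not part of the advisory or of flytekit; the sample freeze output below is
constructed for illustration.
"""
import re
from importlib import metadata

# First lxml release shipping the fix for CVE-2022-2309 (per the advisory).
FIXED_LXML = (4, 9, 1)

# Constructed `pip freeze` output, the shape a CI job would capture after
# installing the project; the lxml line is what this check is after.
SAMPLE_FREEZE = """\
flytekit==1.1.0
lxml==4.9.0
mistune==0.8.4
protobuf==3.20.1
"""

# Matches 'name==1.2.3' pins; the numeric dotted prefix of the version is kept.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def parse_version(text):
    """Turn '4.9.1' into (4, 9, 1) so versions compare numerically, not as strings.

    Only the leading digits of each component are used; a trailing pre-release
    tag such as 'rc1' is dropped, which errs on the side of flagging a pin.
    """
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def pinned_versions(freeze_text):
    """Map normalised package name -> version tuple for every '==' pin."""
    pins = {}
    for line in freeze_text.splitlines():
        m = _PIN.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = parse_version(m.group(2))
    return pins


def vulnerable_lxml_pin(freeze_text):
    """Return the pinned lxml version tuple if it is below the fixed release, else None.

    None also covers 'lxml is not pinned at all', so a caller that knows lxml is
    required should treat a missing pin as unresolved, not as safe.
    """
    version = pinned_versions(freeze_text).get("lxml")
    if version is not None and version < FIXED_LXML:
        return version
    return None


def installed_lxml_is_fixed():
    """Check the running environment; None when lxml is not installed at all."""
    try:
        version = parse_version(metadata.version("lxml"))
    except metadata.PackageNotFoundError:
        return None
    return version >= FIXED_LXML


if __name__ == "__main__":
    pin = vulnerable_lxml_pin(SAMPLE_FREEZE)
    if pin:
        print("lxml pinned at %s, below %s: affected by CVE-2022-2309"
              % (".".join(map(str, pin)), ".".join(map(str, FIXED_LXML))))
    print("installed lxml fixed:", installed_lxml_is_fixed())
```

Run it against the real `pip freeze` of the image that will execute Flyte tasks rather than against a requirements file: a plugin or a docs build can pin a different lxml than the one the SDK resolves, and the transitive pin is the one the CVE is about.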

Affected package

flytekit

Latest version: 1.14.0

Flyte SDK for Python

Affected versions

Fixed versions

1.2.0

Vulnerability changelog

What's Changed
* Housekeeping for pyflyte package and register commands by madhur-tandon in https://github.com/flyteorg/flytekit/pull/1084
* [Snyk] Security upgrade lxml from 4.9.0 to 4.9.1 by eapolinario in https://github.com/flyteorg/flytekit/pull/1095
* Bump requirements 1657041111 by eapolinario in https://github.com/flyteorg/flytekit/pull/1094
* [Snyk] Security upgrade mistune from 0.8.4 to 2.0.3 by EngHabu in https://github.com/flyteorg/flytekit/pull/1090
* [Snyk] Security upgrade mistune from 0.8.4 to 2.0.3 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1091
* TypeTransformers for PyTorch Tensor, Module, and Checkpoint by samhita-alla in https://github.com/flyteorg/flytekit/pull/1032
* Correctly fetch `typing.Annotated` metadata in `typing.NamedTuple` by samhita-alla in https://github.com/flyteorg/flytekit/pull/1096
* Update flytekit deck README.md installation instruction by cosmicBboy in https://github.com/flyteorg/flytekit/pull/1098
* ONNX Plugin by samhita-alla in https://github.com/flyteorg/flytekit/pull/804
* Don't override target name when using self-signed certs by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1102
* Fix tar permission override by bimtauer in https://github.com/flyteorg/flytekit/pull/1103
* Add pyspark pipeline model transformer by esadler-hbo in https://github.com/flyteorg/flytekit/pull/1101
* Introducing whylogs integration to flytekit by murilommen in https://github.com/flyteorg/flytekit/pull/1104
* StructuredDatasetTransformerEngine should derive default protocol from raw output prefix by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1107
* Fix PyPI package source for `v1.1.0` by sugatoray in https://github.com/flyteorg/flytekit/pull/1088
* Added AzureBlobFileSystem support for StructuredDatasets by MorpheusXAUT in https://github.com/flyteorg/flytekit/pull/1109
* Chain tasks in dynamic workflows in local executions by pingsutw in https://github.com/flyteorg/flytekit/pull/1108
* remove welcome bot from boilerplate by samhita-alla in https://github.com/flyteorg/flytekit/pull/1110
* Use latest (as of 2022-07-11) version of codecov action by eapolinario in https://github.com/flyteorg/flytekit/pull/1099
* ImageConfig should contain the image from sandbox.config by pingsutw in https://github.com/flyteorg/flytekit/pull/1106
* [nit] Add unit test by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1115
* Add entrypoint to setup.py in flytekit plugins by pingsutw in https://github.com/flyteorg/flytekit/pull/1120
* Remove py.typed by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1122
* Add deck to papermill plugin task by CalvinLeather in https://github.com/flyteorg/flytekit/pull/1111
* Run compilation even in local execution for dynamic tasks to early detect errors by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1121
* Add sagemaker script back in by kumare3 in https://github.com/flyteorg/flytekit/pull/1112
* Set to remote when dealing with remote files by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1128
* Override voidPromise resource by pingsutw in https://github.com/flyteorg/flytekit/pull/1127
* Ray Task Support by pingsutw in https://github.com/flyteorg/flytekit/pull/1093
* update clis.rst by SmritiSatyanV in https://github.com/flyteorg/flytekit/pull/1124
* Fix how ShellTask retrieves the Pod class name by matheusMoreno in https://github.com/flyteorg/flytekit/pull/1132
* Add restriction for pandas to be >=1.2 for fsspec plugin by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1136
* Fix the type of optional[int] in dataclass by pingsutw in https://github.com/flyteorg/flytekit/pull/1135
* Use joblib hashing to generate cache key to ensure repeatability by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1126
* [Snyk] Security upgrade notebook from 6.4.11 to 6.4.12 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1069
* Allow None protocol to mean all data persistence supported storage options in Structured Dataset by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1134
* minor doc and code updates by samhita-alla in https://github.com/flyteorg/flytekit/pull/1139
* handle ImportError and OSError in extras.pytorch by cosmicBboy in https://github.com/flyteorg/flytekit/pull/1141
* ONNX plugin docs by samhita-alla in https://github.com/flyteorg/flytekit/pull/1142
* Register dataframe renderers in structured dataset by pingsutw in https://github.com/flyteorg/flytekit/pull/1140
* pyflyte run imperative workflows by pingsutw in https://github.com/flyteorg/flytekit/pull/1131
* Using sidecar handler to run Papermill task by pingsutw in https://github.com/flyteorg/flytekit/pull/1143
* [Snyk] Security upgrade cookiecutter from 1.7.3 to 2.1.1 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1145
* [Snyk] Security upgrade mistune from 0.8.4 to 2.0.3 by EngHabu in https://github.com/flyteorg/flytekit/pull/1137
* Bump pyspark from 3.2.1 to 3.2.2 in /plugins/flytekit-papermill by dependabot in https://github.com/flyteorg/flytekit/pull/1130
* Bump numpy from 1.21.6 to 1.22.0 in /tests/flytekit/integration/remote/mock_flyte_repo/workflows by dependabot in https://github.com/flyteorg/flytekit/pull/1072
* Properly raise `TypeTransformerFailedError` in `NumpyArrayTransformer` by rahul-theorem in https://github.com/flyteorg/flytekit/pull/1146
* Add assert_type in dataclass transformer by pingsutw in https://github.com/flyteorg/flytekit/pull/1149
* Pickle in Union Type by pingsutw in https://github.com/flyteorg/flytekit/pull/1147
* Require docker<7.0.0 in setup.py by rahul-theorem in https://github.com/flyteorg/flytekit/pull/1138
* Set flytekit<2.0 in plugins by eapolinario in https://github.com/flyteorg/flytekit/pull/1152
* Add literal type to union literal by pingsutw in https://github.com/flyteorg/flytekit/pull/1144
* Fix the type of optional[int] in nested dataclass by pingsutw in https://github.com/flyteorg/flytekit/pull/1148
* Added symlink dereferencing in fast packaging and tests by vchowdhary in https://github.com/flyteorg/flytekit/pull/1151
* [Snyk] Fix for 2 vulnerabilities by snyk-bot in https://github.com/flyteorg/flytekit/pull/1154
* [Snyk] Security upgrade oauthlib from 3.2.0 to 3.2.1 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1155
* [Snyk] Security upgrade oauthlib from 3.2.0 to 3.2.1 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1156
* Strip newline from client secret by eapolinario in https://github.com/flyteorg/flytekit/pull/1163
* Adds docstrings for pod task by SmritiSatyanV in https://github.com/flyteorg/flytekit/pull/1153
* Update clis.rst by SmritiSatyanV in https://github.com/flyteorg/flytekit/pull/1166
* Execution model fields by katrogan in https://github.com/flyteorg/flytekit/pull/1164
* Overwrite SQLite3 Task image by pingsutw in https://github.com/flyteorg/flytekit/pull/1165
* hugging Face Datasets Plugin by esadler-hbo in https://github.com/flyteorg/flytekit/pull/1116
* Flytekit dbt plugin by eapolinario in https://github.com/flyteorg/flytekit/pull/1150
* refreshing examples and to_html() method by murilommen in https://github.com/flyteorg/flytekit/pull/1169
* Open HashMethod to all types by eapolinario in https://github.com/flyteorg/flytekit/pull/1171
* Return None for SyncCheckpoint.read() when src is empty by andrewwdye in https://github.com/flyteorg/flytekit/pull/1189
* [Snyk] Security upgrade protobuf from 3.20.1 to 3.20.2 by snyk-bot in https://github.com/flyteorg/flytekit/pull/1192
* pyflyte non-fast register by pingsutw in https://github.com/flyteorg/flytekit/pull/1205
* ContainerTask fix to read base env vars properly from compilation settings by wild-endeavor in https://github.com/flyteorg/flytekit/pull/1216

New Contributors
* madhur-tandon made their first contribution in https://github.com/flyteorg/flytekit/pull/1084
* esadler-hbo made their first contribution in https://github.com/flyteorg/flytekit/pull/1101
* murilommen made their first contribution in https://github.com/flyteorg/flytekit/pull/1104
* sugatoray made their first contribution in https://github.com/flyteorg/flytekit/pull/1088
* MorpheusXAUT made their first contribution in https://github.com/flyteorg/flytekit/pull/1109
* CalvinLeather made their first contribution in https://github.com/flyteorg/flytekit/pull/1111
* matheusMoreno made their first contribution in https://github.com/flyteorg/flytekit/pull/1132
* rahul-theorem made their first contribution in https://github.com/flyteorg/flytekit/pull/1146
* vchowdhary made their first contribution in https://github.com/flyteorg/flytekit/pull/1151
* andrewwdye made their first contribution in https://github.com/flyteorg/flytekit/pull/1189

**Full Changelog**: https://github.com/flyteorg/flytekit/compare/v1.1.0...v1.2.0


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL