Remove py library due to denial of service CVE (#391)

2025-04-08 03:48:14 +02:00 · 2023-09-03 16:36:13 -07:00 · 2023-09-03 16:36:13 -07:00 · c28f4d4527
commit c28f4d4527
parent 884f746211
2 changed files with 6 additions and 2 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -8,6 +8,10 @@ RUN apt-get update \

 COPY ./requirements/default.txt /tmp/requirements.txt
 RUN pip install --no-cache-dir --upgrade -r /tmp/requirements.txt
+
+# Remove py which is pulled in by retry, py is not needed and is a CVE
+RUN pip uninstall py
+
 RUN playwright install chromium
 RUN playwright install-deps chromium

--- a/backend/requirements/default.txt
+++ b/backend/requirements/default.txt
@ -37,9 +37,9 @@ python-multipart==0.0.6
 qdrant-client==1.2.0
 requests==2.31.0
 requests-oauthlib==1.3.1
-retry==0.9.2
+retry==0.9.2  # This pulls in py which is in CVE-2022-42969, must remove py from image
 rfc3986==1.5.0
-# need to pin `safetensors` version, since the latest versions require 
+# need to pin `safetensors` version, since the latest versions requires
 # building from source using Rust
 safetensors==0.3.1
 sentence-transformers==2.2.2