CVE in dependency (black==22.3.0) #13633

@sstefanov78

Description

black==22.3.0 is a dependency and the version is pinned in spaCy's requirements.txt. There is a CVE affecting black versions prior to 24.3.0, specifically CVE-2024-21503 (https://nvd.nist.gov/vuln/detail/CVE-2024-21503).

Impact: Although not a run-time vulnerability in most scenarios (unless untrusted code is being processed), it still shows up in security scans that are the norm for any enterprise grade software, thus triggering processes for handling vulnerabilities / exceptions.

Please evaluate what it would take to migrate to the latest version of black so this detection would clear up.

How to reproduce the behaviour

To reproduce: in our pipeline we are using Wiz for scans, but even a "visual/manual" check in requirements.txt in the installed python package will show the reference to black==22.3.0.

Your Environment

  • Operating System: not relevant (linux based)
  • Python Version Used: not relevant (3.8 / 3.9)
  • spaCy Version Used: not relevant (at least one of our models uses 3.6.0 but the issue is also affecting master)
  • Environment Information: not relevant (building various docker based images in linux and/or Windows VMs)
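A small check, added here as an example and not part of spaCy's code or the issue, that does the "manual check of requirements.txt" described above programmatically: it parses each requirement line and flags pins that fall inside the affected range of the advisory the issue names. The advisory table and the sample requirements file are constructed inline; a real scanner would load advisories from a feed.

```python
import re

# Advisory data taken from the issue: CVE-2024-21503 affects black before 24.3.0.
# A real check would pull this from an advisory feed; here it is constructed inline.
ADVISORIES = {"black": [("CVE-2024-21503", "24.3.0")]}

# Matches "name[extras] op version"; comments and ";" environment markers are stripped first.
SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|<|>|!=)?\s*([0-9][0-9A-Za-z.]*)?")

def parse_version(text):
    """Turn '22.3.0' into a comparable tuple padded to three numeric components."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def parse_requirements(text):
    """Return {normalised name: (operator or None, version tuple or None)} per requirement line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and options such as -r / -e
            continue
        m = SPEC_RE.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503-style name normalisation
            pins[name] = (m.group(2), parse_version(m.group(3)) if m.group(3) else None)
    return pins

def find_vulnerable_pins(text):
    """List (package, cve, status) for requirement lines that match a known advisory."""
    findings = []
    for name, (op, ver) in parse_requirements(text).items():
        for cve, fixed_str in ADVISORIES.get(name, []):
            fixed = parse_version(fixed_str)
            if op == "==" and ver < fixed:
                findings.append((name, cve, "vulnerable: pinned below " + fixed_str))
            elif op in (">=", "~=", ">") and ver >= fixed:
                continue  # lower bound already excludes the affected range
            elif op != "==":
                findings.append((name, cve, "unresolved: spec allows versions below " + fixed_str))
    return findings

SAMPLE = """# constructed requirements.txt mirroring the pin the issue reports
spacy>=3.6.0
black==22.3.0 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    print(find_vulnerable_pins(SAMPLE))
```

An exact pin below the fixed version is reported as vulnerable; an unpinned or lower-bounded spec that still admits affected versions is reported as unresolved, since only a lockfile or the installed environment can say which version was actually resolved.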
