Vulnerable dependencies identified in requirements.txt (GHSA High)

A security audit of the current dependencies in `requirements.txt` has identified several high-severity vulnerabilities. While these are pinned via the `pip-compile` process from `requirements.in`, they introduce known security risks that could potentially affect users.

**Identified Vulnerabilities:**
- **cryptography:** [GHSA-r6ph-v2qm-q3c2](https://github.com/advisories/GHSA-r6ph-v2qm-q3c2) (High)
- **keras:** [GHSA-3m4q-jmj6-r34q](https://github.com/advisories/GHSA-3m4q-jmj6-r34q) (High)
- **pillow:** [GHSA-cfh3-3jmp-rvhc](https://github.com/advisories/GHSA-cfh3-3jmp-rvhc) (High)
- **protobuf:** [GHSA-7gcm-g887-7qv7](https://github.com/advisories/GHSA-7gcm-g887-7qv7) (High)
- **tornado:** [GHSA-qjxf-f2mg-c6mc](https://github.com/advisories/GHSA-qjxf-f2mg-c6mc) (High)

**Recommendation:**
Updating these core dependencies (especially `tensorflow` and its transitives) to safer versions by updating `requirements.in` and regenerating `requirements.txt` would significantly improve the security posture of the project.

I'm flagging this as an issue for discussion to determine the best timing for a dependency bump, as these changes can sometimes introduce breaking changes in large-scale projects.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerable dependencies identified in requirements.txt (GHSA High) #1018

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerable dependencies identified in requirements.txt (GHSA High) #1018

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions