Skip to content

Fix vulnerability in cryptography #395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
benglewis wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix vulnerability in cryptography #395

benglewis wants to merge 5 commits into from

Conversation

@benglewis
Copy link

@benglewis benglewis commented Nov 23, 2025

This fixes #342

@benglewis
Fix vulnerability in cryptography
5698ac0 
Signed-off-by: Ben Lewis <hello@blewis.me>
@benglewis benglewis mentioned this pull request Nov 24, 2025
Open
@benglewis
Copy link
Author

benglewis commented Nov 24, 2025

It seems like skypilot won't install with this change right now :/ I have opened a PR to that repo, which should fix the issue:
skypilot-org/skypilot#8070

@benglewis
Drop version restriction
655cf30 
This way users of the package can choose their own `cryptography` version. This should be safe since users that aren't installing `skypilot` can just install more recent versions and users of `skypilot` can add their own restriction to `cryptography`, but AFAIK, the built-in restriction to `pyopenssl` on `skypilot` should prevent any issues (I actually believe that that restriction itself is no longer relevant, [see here](skypilot-org/skypilot#8070) )

Signed-off-by: Ben Lewis <hello@blewis.me>
@benglewis
Copy link
Author

benglewis commented Dec 7, 2025
edited
Loading

I have dropped the version restriction and it seems like this PR is safe since it won't break usage of skypilot from what I can tell (the code installs and the tests still pass) and it also allows users who aren't using skypilot to restrict their cryptography version to versions which do not have vulnerabilities. I have a parallel PR for skypilot, but I don't see that advancing at this stage, so I would still be happy to have this merged first 🙏

@benglewis
Copy link
Author

benglewis commented Dec 8, 2025

@hemildesai It would be great if you could consider this pull request 🙏

@benglewis
Switch to torchx from GitHub (i.e. main branch) directly
6f414ae 
This is necessary to use `urllib >=  2.6.0` to avoid vulnerabilities:
CVE-2025-66471 and CVE-2025-66418

Signed-off-by: Ben Lewis <hello@blewis.me>
@benglewis
Fix missing git+ prefix for torchx install
e10b515 
Signed-off-by: Ben Lewis <hello@blewis.me>
@benglewis
Copy link
Author

benglewis commented Dec 8, 2025

Note to reader: I have switched to torchx from git instead of the latest released version, and this is due to them locking urllib3 to a version with vulnerabilities

@chtruong814 chtruong814 added the needs-follow-up Issue needs follow-up label Jan 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

community-request needs-follow-up Issue needs follow-up

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

nemo-run 0.5.0 depends on cryptography<43.0.0

2 participants

@benglewis @chtruong814