[anaconda]-fixing security vulnerabilities - Werkzeug, distributed, wheel, filelock and bokeh

[sireeshajonnalagadda]

Fixing security vulnerabilities for anacoda image. ref

GHSA ID	Vulnerability ID	Action	Package	Installed Version	Required Version	Language	Install Path/ Note
GHSA-87hc-h4r5-73f7: Werkzeug	5006885	Y	Werkzeug	3.1.3	3.1.5	Python	opt/conda/lib/python3.12/site-packages/werkzeug-3.1.3.dist-info/METADATA opt/conda/pkgs/werkzeug-3.1.3-py312h06a4308__0/lib/python3.12/site-packages/werkzeug-3.1.3.dist-info/METADATA
GHSA-c336-7962-wfj2: distributed	5007047	Y	distributed	2024.8.2	2026.1.0	Python	opt/conda/lib/python3.12/site-packages/distributed-2024.8.2.dist-info/METADATA
GHSA-8rrh-rw8j-w5fx: wheel	5007163	Y	wheel	0.44.0	0.46.2	Python	opt/conda/lib/python3.12/site-packages/wheel-0.44.0.dist-info/METADATA
GHSA-w853-jp5j-5j7f: filelock	5006638	Y	filelock	3.13.1	3.20.1	Python	opt/conda/lib/python3.12/site-packages/filelock-3.13.1.dist-info/METADATA
GHSA-793v-589g-574v: bokeh	5006839	Y	bokeh	3.6.0	3.8.2	Python	opt/conda/lib/python3.12/site-packages/bokeh-3.6.0.dist-info/METADATA

[Copilot]

Pull request overview

Updates the Anaconda devcontainer image to remediate reported Python package vulnerabilities by bumping affected package versions and aligning smoke tests with the new minimums.

Changes:

• Bump wheel, Werkzeug, and add distributed to the security patching flow.
• Update Anaconda smoke tests to require the patched minimum versions.
• Patch-bump the Anaconda image manifest version.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/anaconda/.devcontainer/apply_security_patches.sh	Updates the list of vulnerable/pinned Python packages to install patched versions.
src/anaconda/test-project/test.sh	Raises minimum required versions for wheel/werkzeug and adds a version check for distributed.
src/anaconda/manifest.json	Patch version bump for the Anaconda image.

[Copilot]

The header comment lists only a Werkzeug vulnerability (and references a different GHSA ID), but this script now also patches wheel and distributed. Please update the comment block to reflect the current GHSA IDs/packages being addressed so future maintainers know why these pins exist.

See below for a potential fix:

# Security-related version pins for known vulnerabilities in dependencies.
# This script currently enforces versions for packages including Werkzeug,
# distributed, wheel, and others listed in vulnerable_packages below.
# Specific GHSA IDs / advisories are tracked in the project security docs;
# keep this comment in sync if new vulnerable packages are added.
vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "distributed=2026.1.0" "wheel=0.46.2" )

[Copilot]

Adding distributed to pin_to_required_version means the script will force-install exactly distributed==2026.1.0 even if the base image/conda channel already provides a newer (potentially more secure) version. Unless there is a specific compatibility reason to pin distributed, it would be safer to let it float to any version >= the required minimum and keep it out of the pin list.

Suggested change

	pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf" "distributed")
	pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf")

[abdurriq]

@sireeshajonnalagadda could we avoid pinning this? Also, more generally, why do we need these pinned versions (if you have the context)?