
Conversation

@sarnex sarnex commented Jun 9, 2025

We need to make sure we aren't vulnerable to PYSEC-2020-73 and PYSEC-2019-41.

@sarnex sarnex marked this pull request as ready for review June 9, 2025 21:05
@llvmbot llvmbot added clang Clang issues not falling into any other category clang:static analyzer labels Jun 9, 2025
llvmbot commented Jun 9, 2025

@llvm/pr-subscribers-clang

@llvm/pr-subscribers-clang-static-analyzer-1

Author: Nick Sarnie (sarnex)

Changes

We need to make sure we aren't vulnerable to PYSEC-2020-73 and PYSEC-2019-41.


Full diff: https://github.com/llvm/llvm-project/pull/143433.diff

1 file affected:

  • (modified) clang/utils/analyzer/requirements.txt (+2-2)
diff --git a/clang/utils/analyzer/requirements.txt b/clang/utils/analyzer/requirements.txt
index 8ae8bc88ac191..ed09161e5902e 100644
--- a/clang/utils/analyzer/requirements.txt
+++ b/clang/utils/analyzer/requirements.txt
@@ -1,6 +1,6 @@
 graphviz
 humanize
 matplotlib
-pandas
-psutil
+pandas>=1.0.4
+psutil>=5.6.6
 seaborn
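Review bot: the new `>=` floors on `pandas` and `psutil` rule out the releases named in the two advisories, but they are floors only, so a fresh install still resolves to whatever the index serves as latest for these two and for the four unconstrained neighbours (`graphviz`, `humanize`, `matplotlib`, `seaborn`); if the analyzer scripts are expected to behave the same from one checkout to the next, exact pins (or a hash-pinned lock file generated from this list) would give that, whereas floors alone do not. Separately, a comment beside each bumped bound, e.g. `psutil>=5.6.6  # PYSEC-2019-41`, would tell the next maintainer why the floor exists and when it is safe to revisit.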

@sarnex sarnex requested review from dkrupp, isuckatcs and steakhal June 9, 2025 21:05
steakhal commented Jun 9, 2025

Are there other vulns affecting the other deps? Or more recent vulns we should know about the deps you would touch here?

sarnex commented Jun 9, 2025

For this specific requirements.txt file, these are the only two vulnerabilities I saw.
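The question of whether the other dependencies in this file carry known advisories is the kind of check that is easy to script against a requirements file. What follows is an added example, not code from the LLVM project or from this PR's author: it parses a `requirements.txt` using only the standard library, looks each package up in an advisory table, and reports any package whose lower bound is absent or sits below the first fixed release. The advisory table, the package-to-advisory pairing and the sample file contents are constructed here from the new bounds in the diff (osv.dev is the authoritative source); the function names `audit`, `lower_bound` and `parse_requirements` are choices made for this example.

```python
"""Audit a requirements.txt for lower bounds that satisfy known advisory fixes.

Added example, not part of the LLVM project: it checks that every dependency
named in an advisory table is constrained to at least its first fixed
release, which is what the bumped bounds in this PR are meant to guarantee.
"""
import re
from typing import Dict, List, Tuple

# Constructed for this example: package -> (advisory id, first fixed version).
# The pairing and the fix versions are taken from the new lower bounds in the
# PR diff; authoritative data lives at https://osv.dev/vulnerability/<ID>.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "pandas": ("PYSEC-2020-73", "1.0.4"),
    "psutil": ("PYSEC-2019-41", "5.6.6"),
}

# Constructed samples mirroring the file before and after this change.
REQUIREMENTS_BEFORE = "graphviz\nhumanize\nmatplotlib\npandas\npsutil\nseaborn\n"
REQUIREMENTS_AFTER = "graphviz\nhumanize\nmatplotlib\npandas>=1.0.4\npsutil>=5.6.6\nseaborn\n"

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|>=|>|<=|<|~=|!=)\s*([0-9]+(?:\.[0-9]+)*)$")
# Operators that establish the lowest version pip may resolve to.
_FLOOR_OPS = ("==", ">=", "~=", ">")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (e.g. 1.0.4); pre-release tags are not handled."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return [(normalized name, [(op, version), ...])] for each requirement line."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        m = _NAME_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse requirement: {raw!r}")
        name, spec_text = m.group(1).lower(), m.group(2).strip()
        specs = []
        for spec in filter(None, (s.strip() for s in spec_text.split(","))):
            sm = _SPEC_RE.match(spec)
            if not sm:
                raise ValueError(f"unsupported specifier {spec!r} in {raw!r}")
            specs.append((sm.group(1), sm.group(2)))
        result.append((name, specs))
    return result


def lower_bound(specs: List[Tuple[str, str]]) -> str:
    """Highest floor among the specifiers, or "" when the requirement has no floor.

    A strict '>' is treated as the floor itself, which is conservative:
    '>1.0.3' is reported as a floor of 1.0.3 even though 1.0.3 is excluded.
    """
    floors = [ver for op, ver in specs if op in _FLOOR_OPS]
    return max(floors, key=parse_version) if floors else ""


def audit(text: str, fixed: Dict[str, Tuple[str, str]] = FIXED_VERSIONS) -> List[str]:
    """One finding per advisory-listed package whose floor is missing or too low."""
    findings = []
    for name, specs in parse_requirements(text):
        if name not in fixed:
            continue
        advisory, fix = fixed[name]
        floor = lower_bound(specs)
        if not floor:
            findings.append(f"{name}: no lower bound; may resolve below {fix} ({advisory})")
        elif parse_version(floor) < parse_version(fix):
            findings.append(f"{name}: lower bound {floor} is below fix {fix} ({advisory})")
    return findings


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        print(f"{label}: {audit(text) or ['ok']}")
```

Run against the pre-change file it reports both packages as unbounded; against the post-change file it reports nothing. Packages absent from the table (here the other four) produce no finding, which is exactly the limitation the question above is getting at: the script is only as good as the advisory table it is fed.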

@steakhal steakhal left a comment


Thanks for the patch. Merge it at your convenience.

sarnex commented Jun 9, 2025

Thanks for the quick reviews!

@sarnex sarnex merged commit 339797d into llvm:main Jun 9, 2025
12 checks passed
sarnex added a commit to intel/llvm that referenced this pull request Jun 10, 2025
Fixes some vulnerability warnings.

I've [submitted](llvm/llvm-project#143433) this
upstream too, but ideally we can fix the warnings here first.

Signed-off-by: Sarnie, Nick <[email protected]>
tomtor pushed a commit to tomtor/llvm-project that referenced this pull request Jun 14, 2025
We need to make sure we aren't vulnerable to
[PYSEC-2020-73](https://osv.dev/vulnerability/PYSEC-2020-73) and
[PYSEC-2019-41](https://osv.dev/vulnerability/PYSEC-2019-41).

Signed-off-by: Sarnie, Nick <[email protected]>