Potential Critial Vulnerability for VirtualEnv - CVE-2024-53899

[joshua-janicas]

What's the issue?

Hey all, I'm not sure if this is the right place for it for it but I'm trying to chase down a critical vulnerability flagged in our local DependencyTrack for any virtualenv version earlier than 20.26.6. https://nvd.nist.gov/vuln/detail/CVE-2024-53899. This issue was fixed via: pypa/virtualenv#2771.

I was taking a look into if Dagster was using virtualenv and I noticed that the version is a bit older https://github.com/dagster-io/dagster/blob/master/pyright/master/requirements-pinned.txt virtualenv==20.25.0

What did you expect to happen?

Update virtualenv references to address vulnerability.

How to reproduce?

No response

Dagster version

1.8.13, but currently exists up to (main) 1.9.3

Deployment type

Docker Compose

Deployment details

No response

Additional information

Message from the maintainers

Impacted by this issue? Give it a 👍! We factor engagement into prioritization.
By submitting this issue, you agree to follow Dagster's Code of Conduct.

[gibsondan]

Hi @joshua-janicas - the dagster package doesn't have any dependencies on virtualenv. We'll look into updating the callsite you flagged, but that's only used by our type-checking / automated testing environment and shouldn't have any impact on users of the dagster package.

[gibsondan]

Landed a change that increased that pin in our CI and testing (but it should not affect your usage of dagster as per above)