Conversation

Contributor

Copilot AI commented Nov 13, 2025

pip versions below 25.3 are affected by vulnerability GHSA-4xh5-x5gv-qwph. This was previously worked around by ignoring the vulnerability in pip-audit.

Changes

  • Set minimum pip version to 25.3 in tool.pixi.feature.developer.dependencies
  • Remove --ignore-vuln GHSA-4xh5-x5gv-qwph flag from audit-deps task
  • Remove obsolete workaround comment
[tool.pixi.feature.developer.dependencies]
-pip = "*"
+pip = ">=25.3"
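Review bot: the `>=25.3` bound only constrains the `developer` feature's dependency table; any other feature or environment that declares pip on its own (the solver output later in this thread names a `jupyter` environment) keeps its previous spec and can still resolve a pre-25.3 pip, so confirm the pin applies to every environment where the audit task runs. The new bound also does nothing until `pixi.lock` is regenerated from it.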

-audit-deps = { cmd = "pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph --local -s osv", ... }
+audit-deps = { cmd = "pip-audit --local -s osv", ... }
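Review bot: dropping `--ignore-vuln GHSA-4xh5-x5gv-qwph` is the right end state, but `pip-audit --local` audits the pip actually installed in the environment, not the declared spec, so this task will report the advisory again until the lock file and the installed pip are at 25.3 or later. The "remove obsolete workaround comment" item from the change list is not visible in this excerpt, so that part cannot be checked here.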
Original prompt

the pip-audit issue related to pip should be able to resolve if set pip>=25.3, please update accordingly


Copilot AI changed the title from "[WIP] Update pip version requirement to resolve pip-audit issue" to "Set pip>=25.3 to resolve GHSA-4xh5-x5gv-qwph vulnerability" Nov 13, 2025
Copilot AI requested a review from KedoKudo November 13, 2025 22:06
@KedoKudo
Member

@copilot you need to update the lock file after modifying the pyproject.toml

Contributor Author

Copilot AI commented Nov 13, 2025

@copilot you need to update the lock file after modifying the pyproject.toml

I've attempted to update the pixi.lock file after modifying pyproject.toml (commit d932f57), but I'm encountering network timeouts when trying to access https://prefix.dev/pixi-build-backends for the osx-arm64 platform.

I've tried:

  • pixi update - times out fetching osx-arm64 repodata
  • pixi update pip --platform linux-64 - still attempts to solve all platforms
  • pixi install - same timeout issue

The pyproject.toml changes (pip >= 25.3) are already committed. Could you either:

  1. Trigger the "Update lockfiles" workflow manually, or
  2. Grant access to prefix.dev so I can complete the lock file update?

The network restriction is preventing me from completing this task.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • pixi.sh
    • Triggering command: curl -fsSL REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@KedoKudo
Member

@copilot in your container, pixi update, and it should update for all platforms even if you are running this on linux

Contributor Author

Copilot AI commented Nov 14, 2025

@copilot in your container, pixi update, and it should update for all platforms even if you are running this on linux

I've tried running pixi update as instructed, but it's failing with:

Error: × failed to solve requirements of environment 'jupyter' for platform 'linux-64'
├─▶ × Request failed after 3 retries
├─▶ error sending request for url (https://prefix.dev/pixi-build-backends/linux-64/repodata_shards.msgpack.zst)
├─▶ client error (Connect)
├─▶ tcp connect error
╰─▶ Operation timed out (os error 110)

The issue is that prefix.dev is not accessible from my container - DNS lookups are being refused:

$ nslookup prefix.dev 8.8.8.8
Server: 8.8.8.8
** server can't find prefix.dev: REFUSED

Could you please whitelist prefix.dev in the network policy for this environment? The pyproject.toml changes are already committed (d932f57), but I cannot update pixi.lock without network access to https://prefix.dev/pixi-build-backends.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • prefix.dev
    • Triggering command: ping -c 2 prefix.dev (dns block)
    • Triggering command: nslookup prefix.dev 8.8.8.8 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@KedoKudo KedoKudo marked this pull request as ready for review November 14, 2025 02:06
Member

@peterfpeterson peterfpeterson left a comment

I've seen this same fix in ADDIE as well. Thanks for the update

@peterfpeterson peterfpeterson merged commit 0cd104d into main Nov 14, 2025
6 checks passed
@peterfpeterson peterfpeterson deleted the copilot/update-pip-version-requirement branch November 14, 2025 13:38