feat(kubeflow-pipelines-visualization-server): pending upstream fix GHSA-h95x-26f3-88hr (#8661)

philroche · web-flow · commit da3609cf2a62 · 2024-10-14T19:02:49.000Z
Marking as pending upstream fix: > There is not currently a fixed version of the js2py package. So, the upstream project must migrate away from using js2py or wait for js2py to release a fixed version (and upgrade to it). Upstream PR @ PiotrDabkowski/Js2Py#323 which is yet to be merged. This follows on from the same advisory filed for apache-beam-python-3.11-sdk @ chainguard-dev/enterprise-advisories#5130 Signed-off-by: philroche <phil.roche@chainguard.dev>
diff --git a/kubeflow-pipelines-visualization-server.advisories.yaml b/kubeflow-pipelines-visualization-server.advisories.yaml
@@ -572,6 +572,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/Js2Py-0.74.dist-info/METADATA, /usr/lib/python3.10/site-packages/Js2Py-0.74.dist-info/RECORD, /usr/lib/python3.10/site-packages/Js2Py-0.74.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-10-14T15:09:26Z
+        type: pending-upstream-fix
+        data:
+          note: There is not currently a fixed version of the js2py package. So, the upstream project must migrate away from using js2py or wait for js2py to release a fixed version (and upgrade to it). Upstream PR @ https://github.com/PiotrDabkowski/Js2Py/pull/323 which is yet to be merged.
 
   - id: CGA-r33j-gmf8-rqgp
     aliases:
