From 63236069c2fd070c70e914dac2df5f9bfe67302d Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Thu, 10 Aug 2023 19:26:40 +0400
Subject: [PATCH 01/16] Lock `dotnet` version to resolve issue with Oryx
---
 src/universal/.devcontainer/devcontainer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/universal/.devcontainer/devcontainer.json b/src/universal/.devcontainer/devcontainer.json
index d1273c1981..13ebc341c6 100644
--- a/src/universal/.devcontainer/devcontainer.json
+++ b/src/universal/.devcontainer/devcontainer.json
@@ -10,7 +10,7 @@
 "userGid": "1000"
 },
 "ghcr.io/devcontainers/features/dotnet:1": {
- "version": "7",
+ "version": "7.0.306",
 "installUsingApt": "false",
 "additionalVersions": "6"
 },
From 067f004262e122890a6b34b935191b6c1716e268 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Thu, 10 Aug 2023 19:30:07 +0400
Subject: [PATCH 02/16] Update `patch-python` feature - Remove `setuptools` patch for Python 3.10 since not required anymore; - Lock versions for packages;
---
 .../.devcontainer/local-features/patch-python/install.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh
index 2dfa7f8191..d7eb8ad774 100644
--- a/src/universal/.devcontainer/local-features/patch-python/install.sh
+++ b/src/universal/.devcontainer/local-features/patch-python/install.sh
@@ -41,8 +41,7 @@ update_package() { # They are installed by the base image (python) which does not have the patch. # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 -update_package /usr/local/python/3.9.*/bin/python setuptools -update_package /usr/local/python/3.10.*/bin/python setuptools +update_package /usr/local/python/3.9.*/bin/python setuptools==65.5.1 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681 -update_package /usr/local/python/3.10.*/bin/python requests +update_package /usr/local/python/3.10.*/bin/python requests==2.31.0 From 3de9207ab16db406b086f6212910631413b78638 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Thu, 10 Aug 2023 19:30:59 +0400 Subject: [PATCH 03/16] Add patch for GHSA-c2qf-rxjj-qqgw --- .../.devcontainer/local-features/setup-user/install.sh | 6 ++++++ src/universal/test-project/test.sh | 2 ++ 2 files changed, 8 insertions(+) diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh index 3ada4a785c..389436d3b7 100644 --- a/src/universal/.devcontainer/local-features/setup-user/install.sh +++ b/src/universal/.devcontainer/local-features/setup-user/install.sh @@ -97,4 +97,10 @@ find "${OPT_DIR}" -type d | xargs -n 1 chmod g+s echo "Defaults secure_path=\"${DOTNET_PATH}:${NODE_PATH}/bin:${PHP_PATH}/bin:${PYTHON_PATH}/bin:${JAVA_PATH}/bin:${RUBY_PATH}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/share:/home/${USERNAME}/.local/bin:${PATH}\"" >> /etc/sudoers.d/$USERNAME +# Temporary: Due to GHSA-c2qf-rxjj-qqgw +source "${NVM_DIR}/nvm.sh" +nvm use 18 +npm -g install -g npm@9.8.1 +nvm use stable + echo "Done!" diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh index 64d58ab436..845d69f323 100644 --- a/src/universal/test-project/test.sh +++ b/src/universal/test-project/test.sh 
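Review bot: After the first hunk on this line (patch-python/install.sh, PATCH 02/16) the Python 3.10 install no longer gets a `setuptools` upgrade, and nothing visible in the series' tests asserts that its bundled setuptools meets the 65.5.1 floor this commit pins for 3.9 under CVE-2022-40897, so that guarantee rests on the base image alone. A floor check in test.sh would keep it from regressing silently, for example `check-version-ge "setuptools-requirement" "$(python -c 'import setuptools; print(setuptools.__version__)')" "65.5.1"`. The exact `==` pins also hold these packages at the current fix level until someone edits the script, so a short comment stating when each pin can be dropped would help. The body of `update_package` and the start of the script are outside the hunk.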
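Review bot: In the setup-user/install.sh hunk of PATCH 03/16, `nvm use 18` is not checked before `npm -g install -g npm@9.8.1` runs, so if the switch fails the upgrade goes to whichever npm is already on PATH and the script still reaches `echo "Done!"`; no `set -e` is visible here, and the script starts outside the hunk. Chaining the two as `nvm use 18 && npm install -g npm@9.8.1` closes that gap and drops the duplicated `-g`. The `# Temporary` comment would be more useful with its removal condition spelled out, e.g. `# Temporary: remove once Node 18 bundles npm >= 9.8.1 (GHSA-c2qf-rxjj-qqgw)`, if that is the intent.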
@@ -95,6 +95,8 @@ count=$(ls /usr/local/share/nvm/versions/node | wc -l) expectedCount=2 checkVersionCount "two versions of node are present" $count $expectedCount echo $(echo "node versions" && ls -a /usr/local/share/nvm/versions/node) +npm_version=$(npm --version) +check-version-ge "npm-requirement" "${npm_version}" "9.8.1" # PHP check "php" php --version From cacc9bcc99d639b324994926742bfa7d89997425 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Thu, 10 Aug 2023 20:32:51 +0400 Subject: [PATCH 04/16] Fix tests --- src/universal/test-project/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh index 845d69f323..0bb71d3b05 100644 --- a/src/universal/test-project/test.sh +++ b/src/universal/test-project/test.sh @@ -53,7 +53,7 @@ check "seaborn" python -c "import seaborn; print(seaborn.__version__)" check "scikit-learn" python -c "import sklearn; print(sklearn.__version__)" check "torch" python -c "import torch; print(torch.__version__)" check "requests" python -c "import requests; print(requests.__version__)" -check "jupyterlab-git" bash -c "python3 -m pip list | grep jupyterlab-git" +check "jupyterlab-git" python -c "import jupyterlab_git; print(jupyterlab_git.__version__)" # Check JupyterLab check "jupyter-lab" jupyter-lab --version @@ -96,7 +96,7 @@ expectedCount=2 checkVersionCount "two versions of node are present" $count $expectedCount echo $(echo "node versions" && ls -a /usr/local/share/nvm/versions/node) npm_version=$(npm --version) -check-version-ge "npm-requirement" "${npm_version}" "9.8.1" +check-version-ge "npm-requirement" "${npm_version}" "9.8.0" # PHP check "php" php --version From 2432c4a63044f20fb1bf1eb47efbbcb74fd3b666 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Thu, 10 Aug 2023 20:58:58 +0400 Subject: [PATCH 05/16] Update manifest.json --- src/universal/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
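Review bot: In the second test.sh hunk of PATCH 04/16 the npm floor drops from 9.8.1 to 9.8.0, below the `npm@9.8.1` that setup-user/install.sh installs for GHSA-c2qf-rxjj-qqgw in PATCH 03/16, and no comment says why the lower version is acceptable. `npm --version` here reads the active Node's npm, which after `nvm use stable` is presumably not the Node 18 copy that was upgraded, so the assertion may never have covered the patched install. A comment such as `# floor for the default Node's bundled npm; Node 18's npm is upgraded separately in setup-user/install.sh` would record that, if that is the reason. The surrounding checks in test.sh are outside the diff.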
diff --git a/src/universal/manifest.json b/src/universal/manifest.json
index e4d96b60d6..324877b5ce 100644
--- a/src/universal/manifest.json
+++ b/src/universal/manifest.json
@@ -117,7 +117,7 @@
 "torch",
 "requests",
 "plotly",
- "jupyterlab-git",
+ "jupyterlab_git",
 "certifi",
 "setuptools",
 "wheel"
From 907b2859eeac80a68e382d81c153ced4c23b8878 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Thu, 10 Aug 2023 21:02:56 +0400
Subject: [PATCH 06/16] Update tests
---
 src/universal/test-project/test-utils.sh | 15 +++++++++++++++
 src/universal/test-project/test.sh | 4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/universal/test-project/test-utils.sh b/src/universal/test-project/test-utils.sh
index 10f8b4ffe0..7271fb54f9 100644
--- a/src/universal/test-project/test-utils.sh
+++ b/src/universal/test-project/test-utils.sh
@@ -235,3 +235,18 @@ checkCondaPackageVersion()
 current_version=$(conda list "${PACKAGE}" | grep -E "^${PACKAGE}\s" | awk '{print $2}')
 check-version-ge "conda-${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
 }
+
+checkBundledNpmVersion()
+{
+ NODE_VERSION=$1
+ REQUIRED_NPM_VERSION=$2
+ bash -c ". /usr/local/share/nvm/nvm.sh && nvm use ${NODE_VERSION}"
+
+ current_npm_version=$(npm --version)
+
+ if [[ "$NODE_VERSION" != "default" ]]; then
+ bash -c ". /usr/local/share/nvm/nvm.sh && nvm use default"
+ fi
+
+ check-version-ge "node-${NODE_VERSION}-requirement" "${current_npm_version}" "${REQUIRED_NPM_VERSION}"
+}
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
index 0bb71d3b05..126a19bf2f 100644
--- a/src/universal/test-project/test.sh
+++ b/src/universal/test-project/test.sh
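Review bot: In `checkBundledNpmVersion`, `nvm use ${NODE_VERSION}` runs inside `bash -c`, which changes only that child shell's environment, so the `npm --version` on the next line reports the caller's npm for both the `"default"` and `"18"` calls this commit adds to test.sh. Query npm in the same shell that switched, `current_npm_version=$(bash -c ". /usr/local/share/nvm/nvm.sh && nvm use ${NODE_VERSION} >/dev/null && npm --version")`, after which the restore branch can go. The setup-user/install.sh hunk of PATCH 08/16 has the same pattern, and there it decides which Node installation receives `npm@9.8.1`; a single `bash -c ". /usr/local/share/nvm/nvm.sh && nvm use 18 && npm install -g npm@9.8.1"` keeps the switch and the install together. As written, the install and the test would both act on the PATH npm, so the test can pass while Node 18's npm stays unpatched.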
@@ -95,8 +95,8 @@ count=$(ls /usr/local/share/nvm/versions/node | wc -l) expectedCount=2 checkVersionCount "two versions of node are present" $count $expectedCount echo $(echo "node versions" && ls -a /usr/local/share/nvm/versions/node) -npm_version=$(npm --version) -check-version-ge "npm-requirement" "${npm_version}" "9.8.0" +checkBundledNpmVersion "default" "9.8.0" +checkBundledNpmVersion "18" "9.8.1" # PHP check "php" php --version From 0d0c6dde1e61129386fa70d924732d6fb83b5a2c Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Fri, 11 Aug 2023 12:56:42 +0400 Subject: [PATCH 07/16] Resolve review comment: Lock `setuptools` package version for Python 3.10 --- .../.devcontainer/local-features/patch-python/install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh index d7eb8ad774..b546305a3f 100644 --- a/src/universal/.devcontainer/local-features/patch-python/install.sh +++ b/src/universal/.devcontainer/local-features/patch-python/install.sh @@ -42,6 +42,7 @@ update_package() { # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 update_package /usr/local/python/3.9.*/bin/python setuptools==65.5.1 +update_package /usr/local/python/3.10.*/bin/python setuptools==68.0.0 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681 update_package /usr/local/python/3.10.*/bin/python requests==2.31.0 From a19202c0b04e46e79d66e55549d131a376fdd60d Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Fri, 11 Aug 2023 13:38:07 +0400 Subject: [PATCH 08/16] Reworked patch --- .../.devcontainer/local-features/setup-user/install.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh index 389436d3b7..82e61af914 100644 
--- a/src/universal/.devcontainer/local-features/setup-user/install.sh +++ b/src/universal/.devcontainer/local-features/setup-user/install.sh @@ -98,9 +98,8 @@ find "${OPT_DIR}" -type d | xargs -n 1 chmod g+s echo "Defaults secure_path=\"${DOTNET_PATH}:${NODE_PATH}/bin:${PHP_PATH}/bin:${PYTHON_PATH}/bin:${JAVA_PATH}/bin:${RUBY_PATH}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/share:/home/${USERNAME}/.local/bin:${PATH}\"" >> /etc/sudoers.d/$USERNAME # Temporary: Due to GHSA-c2qf-rxjj-qqgw -source "${NVM_DIR}/nvm.sh" -nvm use 18 -npm -g install -g npm@9.8.1 -nvm use stable +bash -c ". /usr/local/share/nvm/nvm.sh && nvm use 18" +bash -c "npm -g install -g npm@9.8.1" +bash -c ". /usr/local/share/nvm/nvm.sh && nvm use stable" echo "Done!" From 6ddb26b2ee84efcff48824b162c94a0b01f8109d Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Fri, 11 Aug 2023 14:03:44 +0400 Subject: [PATCH 09/16] Test: Update PIP for Python 3.10 --- .../.devcontainer/local-features/patch-python/install.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh index b546305a3f..9ad365bbf6 100644 --- a/src/universal/.devcontainer/local-features/patch-python/install.sh +++ b/src/universal/.devcontainer/local-features/patch-python/install.sh @@ -37,6 +37,8 @@ update_package() { sudo_if "$PYTHON_PATH -m pip install --user --upgrade --no-cache-dir $PACKAGE" } +sudo_if /usr/local/python/3.10.*/bin/python -m pip install --upgrade pip + # Temporary: Upgrade python packages due to security vulnerabilities # They are installed by the base image (python) which does not have the patch. From 4556babfda362155423ea912a6f6ea6653e2b228 Mon Sep 17 00:00:00 2001 
From: Alexander Smolyakov Date: Fri, 11 Aug 2023 14:34:13 +0400 Subject: [PATCH 10/16] Revert "Test: Update PIP for Python 3.10" This reverts commit 6ddb26b2ee84efcff48824b162c94a0b01f8109d. --- .../.devcontainer/local-features/patch-python/install.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh index 9ad365bbf6..b546305a3f 100644 --- a/src/universal/.devcontainer/local-features/patch-python/install.sh +++ b/src/universal/.devcontainer/local-features/patch-python/install.sh @@ -37,8 +37,6 @@ update_package() { sudo_if "$PYTHON_PATH -m pip install --user --upgrade --no-cache-dir $PACKAGE" } -sudo_if /usr/local/python/3.10.*/bin/python -m pip install --upgrade pip - # Temporary: Upgrade python packages due to security vulnerabilities # They are installed by the base image (python) which does not have the patch. From eb2d2381f17e6b4b23c336ac9c3170b8e6489e1c Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Fri, 11 Aug 2023 18:17:07 +0400 Subject: [PATCH 11/16] Test: Update Python --- src/universal/.devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/universal/.devcontainer/devcontainer.json b/src/universal/.devcontainer/devcontainer.json index 13ebc341c6..715867ce41 100644 --- a/src/universal/.devcontainer/devcontainer.json +++ b/src/universal/.devcontainer/devcontainer.json @@ -23,7 +23,7 @@ }, "./local-features/nvs": "latest", "ghcr.io/devcontainers/features/python:1": { - "version": "3.10.8", + "version": "3.10.12", "additionalVersions": "3.9.16", "installJupyterlab": "true", "configureJupyterlabAllowOrigin": "*" From 2a6d9b59842c38e7abbb6503dd1342fdced74b13 Mon Sep 17 00:00:00 2001 
From: Alexander Smolyakov Date: Fri, 11 Aug 2023 18:43:23 +0400 Subject: [PATCH 12/16] Revert "Test: Update Python" This reverts commit eb2d2381f17e6b4b23c336ac9c3170b8e6489e1c. --- src/universal/.devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/universal/.devcontainer/devcontainer.json b/src/universal/.devcontainer/devcontainer.json index 715867ce41..13ebc341c6 100644 --- a/src/universal/.devcontainer/devcontainer.json +++ b/src/universal/.devcontainer/devcontainer.json @@ -23,7 +23,7 @@ }, "./local-features/nvs": "latest", "ghcr.io/devcontainers/features/python:1": { - "version": "3.10.12", + "version": "3.10.8", "additionalVersions": "3.9.16", "installJupyterlab": "true", "configureJupyterlabAllowOrigin": "*" From b8923a4601c75657a1efd1ce33a6f4e48ed62373 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Mon, 14 Aug 2023 12:09:08 +0400 Subject: [PATCH 13/16] Restart checks From 9447967d232762fc5ceb3f170532940f23336a2a Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Tue, 15 Aug 2023 13:50:41 +0400 Subject: [PATCH 14/16] test: Add trace commands --- .../.devcontainer/local-features/patch-python/install.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh index b546305a3f..c14832f582 100644 --- a/src/universal/.devcontainer/local-features/patch-python/install.sh +++ b/src/universal/.devcontainer/local-features/patch-python/install.sh @@ -39,6 +39,8 @@ update_package() { # Temporary: Upgrade python packages due to security vulnerabilities # They are installed by the base image (python) which does not have the patch. +ls -la /usr/local/python/3.9.16/lib/python3.9 +ls -la /usr/local/python/3.10.8/lib/python3.10 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 update_package /usr/local/python/3.9.*/bin/python setuptools==65.5.1 
From 059fa060a445bda0feb5f03c7c27d7db11bde0d5 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Tue, 15 Aug 2023 18:04:23 +0400 Subject: [PATCH 15/16] Revert "test: Add trace commands" This reverts commit 9447967d232762fc5ceb3f170532940f23336a2a. --- .../.devcontainer/local-features/patch-python/install.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh index c14832f582..b546305a3f 100644 --- a/src/universal/.devcontainer/local-features/patch-python/install.sh +++ b/src/universal/.devcontainer/local-features/patch-python/install.sh @@ -39,8 +39,6 @@ update_package() { # Temporary: Upgrade python packages due to security vulnerabilities # They are installed by the base image (python) which does not have the patch. -ls -la /usr/local/python/3.9.16/lib/python3.9 -ls -la /usr/local/python/3.10.8/lib/python3.10 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 update_package /usr/local/python/3.9.*/bin/python setuptools==65.5.1 From be073a8c38e0e48602647acc6020a51958cb40d7 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Tue, 15 Aug 2023 18:05:40 +0400 Subject: [PATCH 16/16] Explicitly set `useOryxIfAvailable` to `false` --- src/universal/.devcontainer/devcontainer.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/universal/.devcontainer/devcontainer.json b/src/universal/.devcontainer/devcontainer.json index 13ebc341c6..e303cf8d07 100644 --- a/src/universal/.devcontainer/devcontainer.json +++ b/src/universal/.devcontainer/devcontainer.json @@ -26,7 +26,8 @@ "version": "3.10.8", "additionalVersions": "3.9.16", "installJupyterlab": "true", - "configureJupyterlabAllowOrigin": "*" + "configureJupyterlabAllowOrigin": "*", + "useOryxIfAvailable": "false", }, "./local-features/machine-learning-packages": "latest", "ghcr.io/devcontainers/features/php:1": {
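Review bot: In the devcontainer.json hunk of PATCH 16/16, the added `"useOryxIfAvailable": "false",` ends with a comma directly before the closing `}`; the other feature objects visible in this file's hunks close without one, and a strict JSON reader would reject it, so `"useOryxIfAvailable": "false"` is the safer form. The hunk also re-emits `"configureJupyterlabAllowOrigin": "*"`, which by its name lets any origin reach the JupyterLab server; a `//` comment recording why the wildcard is needed, or a narrower origin, would help the next reader since nothing in the visible lines explains it. The python feature object opens above the hunk.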