Why is the warning only on one of these two custom environments?

Why does Anvil show a warning about package X, but doesn’t show any warnings about package X when there is also package Y?

I have created a custom environment starting from the Standard base environment and adding one package from a GitHub repository, and I got a warning message:
image

I added a second package, and the warning disappeared:
image

This is the warning:
image

Thanks for letting us know, @stefano.menci. This looks like a bug to me, so I’ll move it to bug reports and add it to our internal list.

Turns out I was wrong! The reason this is happening is that the second package is probably forcing an upgrade of the package that was causing the security vulnerability, in this case certifi.

It seems like the requests module that comes with the base environment of Anvil is the thing that needs to be updated?
More than once I have fixed this security warning, and my solution was to install the latest requests at the top of the list before building any other part of the environment.
In the build log, it shows that the Anvil base image has to remove the older requests module for the new one to be installed.
The reason why I bothered to look at the log is that removing requests and re-installing via pip can very frequently take so long that, when it tries to build a few other large packages like pytorch and langchain all together, it times out with the “more than 1500 seconds” error.

TLDR: certifi has a known security problem, the newest requests version** uses the patched version of certifi without the problem.

** requests version > 2.30 should be fine.

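As an added example (not code from the thread or from Anvil), here is a small check that reads `pip freeze` style output and a requirements list and flags the two conditions the post describes: requests still at 2.30 or below, so the base image's certifi is never replaced, and requests not listed first. The version threshold follows the post's "requests > 2.30"; the sample freeze output and its version numbers are constructed for illustration.

```python
import re

# The post states that requests > 2.30 pulls in the patched certifi,
# so anything below 2.31 is treated as "base image's requests still present".
MIN_REQUESTS = (2, 31)

def parse_version(text):
    """Turn '2.28.1' into (2, 28, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_freeze(freeze_output):
    """Parse `pip freeze` style lines ('name==version') into a dict."""
    installed = {}
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed

def check_requests(installed):
    """Return a list of findings; an empty list means the environment looks fine."""
    findings = []
    version = installed.get("requests")
    if version is None:
        findings.append("requests is not installed")
    elif parse_version(version) < MIN_REQUESTS:
        findings.append(f"requests {version} is <= 2.30; upgrade it first so certifi is replaced")
    if "certifi" not in installed:
        findings.append("certifi is not installed")
    return findings

def requests_listed_first(requirements_text):
    """True when requests is the first non-comment entry, as the post recommends."""
    for line in requirements_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return re.split(r"[=<>!~\[ ]", line, maxsplit=1)[0].lower() == "requests"
    return False

# Constructed samples: one environment still carrying the base image's requests,
# one after installing a newer requests first.
OLD_ENV = "certifi==2022.12.7\nrequests==2.28.1\nurllib3==1.26.15\n"
NEW_ENV = "certifi==2023.7.22\nrequests==2.31.0\nurllib3==2.0.4\n"

if __name__ == "__main__":
    for label, freeze in (("old", OLD_ENV), ("new", NEW_ENV)):
        print(label, check_requests(parse_freeze(freeze)) or "ok")
```

Feed it the real output of `pip freeze` from the built environment's build log to confirm the upgrade actually happened rather than relying on the warning disappearing.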