Upgrades certifi in jax image to address CVE https://github.com/advisories/GHSA-xqr8-7jwr-rhp7

[terrykong]

No description provided.

[terrykong]

Closing since this actually isn't an issue b/c all certifi constraints are open-ended (>=YYYY.MM.DD) so our latest nightlies should automatically get the latest version.

[nouiz]

Closing since this actually isn't an issue b/c all certifi constraints are open-ended (>=YYYY.MM.DD) so our latest nightlies should automatically get the latest version.

I don't like the word "should". Can you download the latest container and check the version in it? Is it recent enough to have that CVE fixed with it?

[terrykong]

Here's yesterday's nightly that has an acceptable version installed:

terryk@joc-sc-ws-005:~$ docker run --entrypoint='' --rm -it ghcr.io/nvidia/pax:nightly-2023-09-06 pip show certifi
Name: certifi
Version: 2023.7.22
Summary: Python package for providing Mozilla's CA Bundle.
Home-page: https://github.com/certifi/python-certifi
Author: Kenneth Reitz
Author-email: [email protected]
License: MPL-2.0
Location: /usr/local/lib/python3.10/dist-packages
Requires:
Required-by: requests

I shouldn't have said "should". To be more precise. We will install a good version of certifi, unless a new package is introduced that pins it and downgrades it.

[nouiz]

SG.