[BUG] Remote code execution vulnerability in < 2021.10.0 dask pip package

[Atharex]

The github advisory deems it critical with a CVSS score of 9.8

GHSA-j8fq-86c5-5v2r

[beckernick]

This is likely the wrong repository for this report, as cuDF does not distribute Dask pip packages. I recommend filing this issue on https://github.com/dask/dask/

[Atharex]

Perhaps, but you have a pinned version in dask_cudf, which potentially uses a vulnerable version of dask as a dependency:
https://github.com/rapidsai/cudf/blob/branch-22.02/python/dask_cudf/setup.py#L13

[beckernick]

Thanks for the reminder. We'll keep this open until an appropriate path forward is identified, and share it in this issue.

[github-actions]

This issue has been labeled inactive-30d due to no recent activity in the past 30 days. Please close this issue if no further response or action is needed. Otherwise, please respond with a comment indicating any updates or changes to the original issue and/or confirm this issue still needs to be addressed. This issue will be labeled inactive-90d if there is no activity in the next 60 days.

[github-actions]

This issue has been labeled inactive-90d due to no recent activity in the past 90 days. Please close this issue if no further response or action is needed. Otherwise, please respond with a comment indicating any updates or changes to the original issue and/or confirm this issue still needs to be addressed.