CVE-2024-3660 and CVE-2023-38039 Resolutions

pyproject.toml

@@ -88,7 +88,7 @@ line-length = 88
 select = [ "D", "E", "F", "W", "RUF",]
 
 [tool.poetry.dependencies]
-python = ">=3.8,<3.11"
+python = ">=3.9,<3.11"
 boto3 = "^1.26.136"
 requests = "^2.23"
 matplotlib = ">=3.1,<3.6"
@@ -120,7 +120,7 @@ sanic-cors = "~2.0.0"
 sanic-jwt = "^1.6.0"
 sanic-routing = "^0.7.2"
 websockets = ">=10.0,<11.0"
-aiohttp = ">=3.9.0,<3.10"
+aiohttp = ">=3.10.11"
 questionary = ">=1.5.1,<1.11.0"
 prompt-toolkit = "^3.0,<3.0.29"
 python-socketio = ">=4.4,<6"
@@ -150,7 +150,7 @@ confluent-kafka = ">=1.9.2,<3.0.0"
 portalocker = "^2.7.0"
 structlog = "^23.1.0"
 structlog-sentry = "^2.0.2"
-dnspython = "2.3.0"
+dnspython = ">=2.6.1"
 wheel = ">=0.38.1"
 certifi = ">=2023.7.22"
 cryptography = ">=41.0.7"
@@ -177,15 +177,15 @@ version = "2022.10.2"
 python = ">=3.8,<3.11"
 
 [[tool.poetry.dependencies.numpy]]
-version = ">=1.19.2,<1.22.0"
+version = ">=1.19.2,<1.23.0"
 python = "~=3.7.0"
 
 [[tool.poetry.dependencies.numpy]]
-version = ">=1.19.2,<1.25.0"
+version = ">=1.19.2,<=1.23.5"
 python = ">=3.8,<3.11"
 
 [[tool.poetry.dependencies.numpy]]
-version = "1.22.3"
+version = "1.23.5"
 markers = "sys_platform =='Windows' and platform_python_implementation != 'PyPy'"
 python = "3.10"
 
@@ -198,20 +198,20 @@ version = ">=1.10.0,<1.11.0"
 python = ">=3.8,<3.11"
 
 [[tool.poetry.dependencies.scikit-learn]]
-version = ">=0.22,<1.1"
+version = ">=1.5"
 python = "~=3.7.0"
 
 [[tool.poetry.dependencies.scikit-learn]]
-version = ">=0.22,<1.2"
+version = ">=1.5"
 python = ">=3.8,<3.11"
 
 [[tool.poetry.dependencies.spacy]]
-version = "^3.4"
+version = "^3.8"
 markers = "sys_platform == 'darwin' and platform_machine == 'arm64'"
 optional = true
 
 [[tool.poetry.dependencies.spacy]]
-version = ">=3.1,<3.5"
+version = ">=3.1,<3.9"
 markers = "sys_platform != 'darwin' or platform_machine != 'arm64'"
 optional = true
 
@@ -248,19 +248,19 @@ timeout_func_only = true
 asyncio_mode = "auto"
 
 [tool.poetry.dependencies.tensorflow]
-version = "2.12.0"
+version = "2.14"
 markers = "sys_platform != 'darwin' or platform_machine != 'arm64'"
 
 [tool.poetry.dependencies.tensorflow-intel]
-version = "2.12.0"
+version = "2.14"
 markers = "sys_platform == 'win32'"
 
 [tool.poetry.dependencies.tensorflow-cpu-aws]
-version = "2.12.0"
+version = "2.14"
 markers = "sys_platform == 'linux' and (platform_machine == 'arm64' or platform_machine == 'aarch64')"
 
 [tool.poetry.dependencies.tensorflow-macos]
-version = "2.12.0"
+version = "2.14"
 markers = "sys_platform == 'darwin' and platform_machine == 'arm64'"
 
 [tool.poetry.dependencies.PyJWT]
@@ -277,15 +277,15 @@ markers = "sys_platform == 'darwin' and platform_machine == 'arm64'"
 optional = true
 
 [tool.poetry.dependencies.tensorflow-text]
-version = "2.12.0"
+version = "2.14"
 markers = "sys_platform != 'win32' and platform_machine != 'arm64' and platform_machine != 'aarch64'"
 
 [tool.poetry.dependencies."github3.py"]
 version = "~3.2.0"
 optional = true
 
 [tool.poetry.dependencies.transformers]
-version = "~4.36.2"
+version = "4.30.0"
 optional = true
 
 [tool.poetry.dependencies.sentencepiece]
@@ -298,7 +298,7 @@ version = ">=0.39, <0.43"
 optional = true
 
 [tool.poetry.dependencies.pymongo]
-version = ">=3.8,<4.4"
+version = "4.6.3"
 extras = [ "tls", "srv",]
 
 [tool.poetry.dev-dependencies.pytest-sanic]

rasa/utils/tensorflow/layers.py

@@ -3,8 +3,8 @@
 import tensorflow as tf
 
 # TODO: The following is not (yet) available via tf.keras
-from keras.utils.control_flow_util import smart_cond
-import tensorflow.keras.backend as K
+from tensorflow.python.keras.utils.control_flow_util import smart_cond
+import tensorflow.python.keras.backend as K
 
 import rasa.utils.tensorflow.crf
 from rasa.utils.tensorflow.constants import (
@@ -1569,4 +1569,4 @@ def _accuracy(
             name="acc_concat_gt",
         )
 
-        return layers_utils.reduce_mean_equal(all_pred_labels, all_positives, mask=mask)
+        return layers_utils.reduce_mean_equal(all_pred_labels, all_positives, mask=mask)

rasa/utils/tensorflow/models.py

@@ -7,7 +7,7 @@
 from collections import defaultdict
 from typing import List, Text, Dict, Tuple, Union, Optional, Any, TYPE_CHECKING
 
-from keras.utils import tf_utils
+from tensorflow.python.keras.utils import tf_utils
 from keras import Model
 
 from rasa.shared.constants import DIAGNOSTIC_DATA
@@ -288,7 +288,8 @@ def _rasa_predict(
 
         # Once we take advantage of TF's distributed training, this is where
         # scheduled functions will be forced to execute and return actual values.
-        outputs = tf_utils.sync_to_numpy_or_python_type(self._tf_predict_step(batch_in))
+        val = self._tf_predict_step(list(batch_in))
+        outputs = tf_utils.sync_to_numpy_or_python_type(val)
         if DIAGNOSTIC_DATA in outputs:
             outputs[DIAGNOSTIC_DATA] = self._empty_lists_to_none_in_dict(
                 outputs[DIAGNOSTIC_DATA]
@@ -931,4 +932,4 @@ def batch_predict(
         Returns:
             The output to predict.
         """
-        raise NotImplementedError
+        raise NotImplementedError

rasa/utils/tensorflow/transformer.py

@@ -4,8 +4,8 @@
 import tensorflow as tf
 
 # TODO: The following is not (yet) available via tf.keras
-from keras.utils.control_flow_util import smart_cond
-from tensorflow.keras import backend as K
+from tensorflow.python.keras.utils.control_flow_util import smart_cond
+import tensorflow.python.keras.backend as K
 
 import rasa.shared.utils.cli
 from rasa.utils.tensorflow.layers import RandomlyConnectedDense
@@ -641,4 +641,4 @@ def call(
 
         # (batch_size, length, units),
         # (batch_size, num_layers, num_heads, length, length)
-        return x, attention_weights_as_output
+        return x, attention_weights_as_output