Update cadence for anaconda python packages


I had some questions related to the approval policy for Python packages to be added as anaconda packages. Running a vulnerability scan with Trivy on the latest Miniconda Docker image returned a couple of CVEs related to Python packages, requests and cryptography.

$ trivy image --vuln-type library continuumio/miniconda3:23.3.1-0

These packages already have a fix in their newest versions, but said versions are yet to be added to the related anaconda packages.

Besides my main question related to the update cadence, could you please confirm whether conda is affected by those CVEs and if there is any plan of updating those packages?

Thanks for your time!
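To make the "fix exists upstream but not yet in the conda package" situation concrete, here is an added example (not code from the original post, Anaconda, or Trivy) that triages the library findings of a Trivy scan. It assumes the scan was run with `--format json` (so the report carries Trivy's Results[].Vulnerabilities[] structure with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) and splits findings into those an upstream release already fixes versus those with no fix, then lists the lowest upgrade target per package that would close every finding. The embedded sample report is constructed: its CVE ids and package versions are placeholders, not the real findings from the image.

```python
"""Triage the library findings from a Trivy image scan.

Assumes the report was produced by something like
    trivy image --vuln-type library --format json continuumio/miniconda3:23.3.1-0 > report.json
and reads the Results[].Vulnerabilities[] structure Trivy emits.
"""
import json
from typing import Dict, List, Tuple

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample report: CVE ids and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "requests",
                 "InstalledVersion": "2.28.1", "FixedVersion": "2.31.0", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "cryptography",
                 "InstalledVersion": "39.0.1", "FixedVersion": "41.0.0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "examplepkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "LOW"},
            ],
        }
    ]
})


def load_findings(report_json: str) -> List[Dict[str, str]]:
    """Flatten Results[].Vulnerabilities[] into one list of findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),  # empty when no fix is known
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Split findings by whether an upstream fix exists, most severe first."""
    def key(f):
        return (-SEVERITY_RANK.get(f["severity"], 0), f["pkg"], f["id"])
    return {
        "fix_available": sorted((f for f in findings if f["fixed"]), key=key),
        "no_fix": sorted((f for f in findings if not f["fixed"]), key=key),
    }


def _version_key(version: str) -> Tuple[int, ...]:
    """Crude numeric key for dotted versions; enough for release numbers, not full PEP 440."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def pending_upgrades(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Per package, the highest fixed version any finding requires (closes all of them)."""
    targets: Dict[str, str] = {}
    for f in findings:
        if not f["fixed"]:
            continue
        # Trivy may list several fixed versions separated by commas; take the highest.
        candidates = [v.strip() for v in f["fixed"].split(",") if v.strip()]
        best = max(candidates, key=_version_key)
        if f["pkg"] not in targets or _version_key(best) > _version_key(targets[f["pkg"]]):
            targets[f["pkg"]] = best
    return targets


def format_report(report_json: str) -> str:
    """Human-readable summary of what can be fixed by upgrading and what cannot yet."""
    findings = load_findings(report_json)
    groups = triage(findings)
    lines = ["Fix available upstream (package: installed -> fixed, severity, id):"]
    for f in groups["fix_available"]:
        lines.append(f"  {f['pkg']}: {f['installed']} -> {f['fixed']}, {f['severity']}, {f['id']}")
    lines.append("No fix known yet:")
    for f in groups["no_fix"]:
        lines.append(f"  {f['pkg']}: {f['installed']}, {f['severity']}, {f['id']}")
    lines.append("Upgrade targets to request: " + json.dumps(pending_upgrades(findings), sort_keys=True))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_REPORT))
```

The "upgrade targets" line is what you would compare against the versions currently published in the conda channel; the findings listed under "no fix known yet" cannot be closed by any package update and need a separate risk decision.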

New versions for miniconda are generally in release cadence with new releases of Python.
However, each release of Python involves extensive testing of packages and making those available with miniconda. So fixes for CVEs will not be available with pre-releases of Python.