Hello,
I had some questions related about the approval policy of python packages to be added as an anaconda package. Running a vulnerabilities scan with Trivy in the latest Miniconda Docker image returned a couple of CVEs related to python packages, requests and cryptography.
$ trivy image --vuln-type library continuumio/miniconda3:23.3.1-0
These packages already have a fix in their newest versions, but said versions are yet to be added to the related anaconda packages.
Besides my main question related to the update cadence, could you please confirm whether conda is affected by those CVEs and if there is any plan of updating those packages?
Thanks for your time!