
Application Vulnerability Assessment performed by EC DIGIT's Security Assurance

Actions:

  • Update the loguru-based logger and follow the guidelines. - commit 572c8865
  • On Path Manipulation: the affected module is dependencies.py, whose items are internal, hardcoded paths to data files defined in environment variables. We will consider using Path.resolve(strict=True) to further reduce the risk. - commit d796cec5
  • On “System Information Leak: Internal”: we use environment variables to pre-configure development or production setups. In the production configuration, we disable all console logging. We still have to stop printing exception details as part of user-facing messages.
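As an added example (not PVGIS 6 project code and not the dependencies.py module referred to above), the following Python shows the two mitigations together: an environment-variable-supplied data path is checked with Path.resolve(strict=True) plus a containment test against a base directory, and when that check fails the full detail goes to the internal log while the caller only sees a generic message. The variable name PVGIS_DEM, the base directory, and the function names are illustrative assumptions; the standard-library logging module stands in for the project's loguru-based logger.

```python
"""Added example, not PVGIS 6 project code: hardening an env-var supplied
data path with Path.resolve(strict=True) and a containment check, and keeping
exception detail out of user-facing messages. Names such as PVGIS_DEM,
resolve_data_file and load_data_file are illustrative assumptions; stdlib
logging stands in for the project's loguru-based logger."""
import logging
import os
import tempfile
from pathlib import Path

log = logging.getLogger("pvgis_example")


class DataFileError(Exception):
    """User-facing error: carries no internal path, exception type or trace."""


def resolve_data_file(env_var: str, base_dir: Path) -> Path:
    """Return the file named by env_var after proving it lies inside base_dir.

    strict=True makes resolve() raise FileNotFoundError as soon as a path
    component is missing, so a typo or dangling symlink fails closed instead
    of yielding a plausible path that is only checked later. resolve() also
    follows symlinks, so the containment test runs on the real location.
    """
    raw = os.environ.get(env_var)
    if not raw:
        raise ValueError(f"{env_var} is not set")
    base = base_dir.resolve(strict=True)
    # A relative value is interpreted under base_dir, never under the CWD;
    # an absolute value replaces base_dir and must pass the check below.
    candidate = (base / raw).resolve(strict=True)
    # is_relative_to (Python 3.9+) compares path components, so neither
    # '<base>/../x' nor a sibling directory with the same prefix passes.
    if not candidate.is_relative_to(base):
        raise PermissionError(f"{env_var} escapes {base}: {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(f"{candidate} is not a regular file")
    return candidate


def load_data_file(env_var: str, base_dir: Path) -> bytes:
    """Read the data file. Full detail goes to the log; the caller only gets a
    generic DataFileError, and 'from None' drops the chained traceback."""
    try:
        return resolve_data_file(env_var, base_dir).read_bytes()
    except (ValueError, OSError):
        log.exception("data file lookup failed for %s", env_var)
        raise DataFileError("configured data file is unavailable") from None


class _ListHandler(logging.Handler):
    """Collects log records in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def demo() -> dict:
    """Exercise the checks on a constructed temp directory (sample bytes, not
    a real PVGIS dataset) and return the outcomes for assertion."""
    results = {}
    handler = _ListHandler()
    log.addHandler(handler)
    log.propagate = False  # keep the demo quiet on stderr
    try:
        with tempfile.TemporaryDirectory() as tmp:
            base = Path(tmp) / "data"
            base.mkdir()
            (base / "elevation.bin").write_bytes(b"\x00\x01\x02")
            outside = Path(tmp) / "secret.txt"
            outside.write_text("not for you")

            os.environ["PVGIS_DEM"] = "elevation.bin"
            results["good"] = load_data_file("PVGIS_DEM", base)

            cases = {"traversal": "../secret.txt",
                     "absolute_outside": str(outside),
                     "missing": "nope.bin"}
            for label, value in cases.items():
                os.environ["PVGIS_DEM"] = value
                try:
                    load_data_file("PVGIS_DEM", base)
                    results[label] = "allowed"
                except DataFileError as e:
                    # The user-visible text must not reveal the real path.
                    results[label] = "leaked" if tmp in str(e) else "rejected"
            # The detail (including traceback) did reach the internal log.
            results["log_has_detail"] = any(r.exc_info for r in handler.records)
    finally:
        os.environ.pop("PVGIS_DEM", None)
        log.removeHandler(handler)
    return results
```

Running demo() reads the in-bounds file and rejects the traversal, absolute-outside and missing cases with the same constant message, while the log record keeps the real path and traceback. The `raise ... from None` matters for the information-leak finding: without it, a top-level traceback would still show the chained PermissionError with the resolved path.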

Packages:

  • setuptools: upgraded to version 80.9.0
  • pip v24.0 (which vendors its own copy of certifi): upgrade to version 25.1.1
  • pandas: upgrade. If the reported pandas (2.2.2) issue concerns pickle deserialization, it does not apply to us: we do not use pickle, nor do we accept externally supplied pickled files or data
  • idna: upgrade to version 3.10
  • tornado: upgrade to version 6.5.1
  • certifi: upgrade to version 2025.6.15
  • dask: upgrade to version 2025.5.1. We can make dask an optional dependency that users install at their own choice, in a running service (i.e. a Web API service). Again, as noted above, how would a local user running the software on their own data (i.e. the CLI component of PVGIS 6) be affected? In the context of PVGIS 6, dask provides Dask Arrays, a way to distribute heavy processing tasks. PVGIS 6 targets mainly scientific / advanced users, who may have access to advanced hardware (multi-core systems) for their heavy computations. The usual case, however, when using PVGIS 6 is regular NumPy. While we are not examining a future Web service here, we will not include dask at first in our Beta Web API service.
  • urllib3 : upgrade to version 2.5.0
  • jinja : upgrade to version 3.1.6
  • mkdocs-material : upgrade to version 9.6.14
  • mkdocs: upgrade to version 1.6.1
  • zipp: upgrade to version 3.23.0
  • pillow: upgrade to version 11.2.1
  • scipy: upgrade to version 1.16.0
  • numpy: upgrade to version 2.3.1
  • parso version 0.8.4: we do not use parso directly; it is pulled in by some other library. We hope this is not a blocker to releasing our prototype software as an open source package
  • requests: we upgraded to version 2.32.4
  • mkdocs-mermaid2-plugin: upgrade to version 1.2.1