[anaconda]-fixing security vulnerabilities - Werkzeug, distributed, wheel, filelock and bokeh (#1790)

* Update vulnerable package versions and increment manifest version

* Fix typo in wheel package version in test script

* Add 'distributed' to the list of packages pinned to required versions

* Update src/anaconda/.devcontainer/apply_security_patches.sh

Co-authored-by: Copilot <[email protected]>

* Update vulnerable_packages with new dependencies

* Add checks for filelock and bokeh package versions

* version change

* Revert "version change"

This reverts commit a1ac116.

---------

Co-authored-by: Copilot <[email protected]>

Author: sireeshajonnalagadda

src/anaconda/.devcontainer/apply_security_patches.sh

@@ -3,8 +3,8 @@
 # vulnerabilities:
 # werkzeug - [GHSA-f9vj-2wh5-fj8j] 
 
-vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
-                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" )
+vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "werkzeug=3.1.5" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
+                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" "filelock=3.20.1" "bokeh=3.8.2" "distributed=2026.1.0" "wheel=0.46.2" )
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -28,7 +28,7 @@ done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf")
+pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf" "distributed")
 
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {

src/anaconda/manifest.json

@@ -1,5 +1,5 @@
 {
-	"version": "1.3.11",
+	"version": "1.3.12",
 	"build": {
 		"latest": true,
 		"rootDistro": "debian",

src/anaconda/test-project/test.sh

@@ -34,9 +34,9 @@ checkPythonPackageVersion "cookiecutter" "2.1.1"
 checkPythonPackageVersion "mistune" "2.0.3"
 checkPythonPackageVersion "numpy" "1.22"
 checkPythonPackageVersion "setuptools" "78.1.1"
-checkPythonPackageVersion "wheel" "0.38.1"
+checkPythonPackageVersion "wheel" "0.46.2"
 checkPythonPackageVersion "nbconvert" "6.5.1"
-checkPythonPackageVersion "werkzeug" "3.0.6"
+checkPythonPackageVersion "werkzeug" "3.1.5"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "cryptography" "44.0.1"
 checkPythonPackageVersion "h11" "0.16.0"
@@ -62,6 +62,9 @@ checkPythonPackageVersion "zipp" "3.19.1"
 checkPythonPackageVersion "imagecodecs" "2023.9.18"
 checkPythonPackageVersion "brotli" "1.2.0"
 checkPythonPackageVersion "fonttools" "4.60.2"
+checkPythonPackageVersion "distributed" "2026.1.0"
+checkPythonPackageVersion "filelock" "3.20.1"
+checkPythonPackageVersion "bokeh" "3.8.2"
 
 checkCondaPackageVersion "pyopenssl" "24.2.1"
 checkCondaPackageVersion "requests" "2.32.4"