SeldonIO · tyndria · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 11, 2025
diff --git a/.github/workflows/security_tests_python_v1.yml b/.github/workflows/security_tests_python_v1.yml
@@ -8,6 +8,7 @@ on:
     branches:
       - master
       - release-1.19.0-prep
+      - refactor-ci-snyk-scanning-oom
   workflow_dispatch:
 jobs:
   build-upload-scan-base-images:
@@ -111,9 +112,9 @@ jobs:
       matrix:
         server:
           - tfserving_proxy
-          - sklearnserver
-          - mlflowserver
-          - xgboostserver
+          #- sklearnserver
+          #- mlflowserver
+          #- xgboostserver
     steps:
       - uses: actions/checkout@v4
 
@@ -155,7 +156,7 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: ${{ env.SERVER_IMAGE_TAG}}:test
-          args:  --fail-on=upgradable --app-vulns --severity-threshold=high
+          args:  --fail-on=upgradable --app-vulns --severity-threshold=high --print-deps
 
       - name: Save scan output to file
         run: echo "${{ matrix.server }}_RESULT=${{ steps.scan.outcome }}" > "report-${{ matrix.server }}.txt"
@@ -167,6 +168,7 @@ jobs:
           path: report-${{ matrix.server }}.txt
 
   build-alibi-explain:
+    if: false  # Temporarily disabled to save CI resources
     needs: build-upload-scan-base-images
     runs-on: ubuntu-latest
     steps:
@@ -224,6 +226,7 @@ jobs:
           path: report-alibi-explain.txt
 
   build-alibi-detect:
+    if: false  # Temporarily disabled to save CI resources
     needs: build-upload-scan-base-images
     runs-on: ubuntu-latest
     steps:
@@ -281,9 +284,10 @@ jobs:
           path: report-alibi-detect.txt
 
   verify-scans:
+    if: false  # Temporarily disabled to save CI resources
     needs: [ build-upload-scan-base-images, build-servers, build-alibi-explain, build-alibi-detect]
     runs-on: ubuntu-latest
-    if: always()
+    #if: always()
 
     steps:
       - name: Download Snyk results for servers

diff --git a/components/alibi-detect-server/poetry.lock b/components/alibi-detect-server/poetry.lock
diff --git a/components/alibi-explain-server/Dockerfile b/components/alibi-explain-server/Dockerfile
@@ -52,6 +52,8 @@ RUN cp ./licenses/* /licenses
 # Install python spacy model to avoid issues in airgapped envs
 RUN python -m spacy download en_core_web_md
 
+# Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in setuptools dependency
+RUN rm -rf /opt/conda/lib/python3.12/site-packages/spacy/tests/
 
 # Copy rest of the package
 COPY alibiexplainer alibiexplainer

diff --git a/components/alibi-explain-server/poetry.lock b/components/alibi-explain-server/poetry.lock
diff --git a/components/alibi-explain-server/pyproject.toml b/components/alibi-explain-server/pyproject.toml
@@ -24,7 +24,7 @@ tornado = "6.5.2"
 protobuf = "5.29.5"
 joblib = "1.2.0"
 requests = "^2.32.5"
-urllib3 = "^2.5.0"
+urllib3 = "^2.6.0"
 jinja2 = "^3.1.6"
 werkzeug = "^3.1.3"
 pillow = "^10.4.0"

diff --git a/python/setup.py b/python/setup.py
@@ -40,7 +40,7 @@
         "cryptography>=46.0.3",
         "pyyaml>=6.0.3",
         "click>=8.3.0",
-        "urllib3>=2.5.0",
+        "urllib3>=2.6.0",
     ],
     extras_require=extras,
     entry_points={

diff --git a/servers/mlflowserver/mlflowserver/requirements.txt b/servers/mlflowserver/mlflowserver/requirements.txt
@@ -1,5 +1,6 @@
 PyYAML >= 6.0.3, < 7.0.0 # Python 3.12 compatiblity + CVE
 requests >= 2.32.5
+urllib3 >= 2.6.0
 pandas >= 2.3.3
 
 # CVE-2023-47248, CVE-2023-6753, CVE-2023-6709

diff --git a/servers/tfserving_proxy/requirements.txt b/servers/tfserving_proxy/requirements.txt
@@ -3,3 +3,5 @@ tensorflow-serving-api>=1.10.1
 grpcio>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
 grpcio-reflection>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
 requests
+urllib3 >= 2.6.0
+setuptools >= 70.0.0