Address new rc4 CVE

Signed-off-by: Dong Hyuk Chang <donghyukc@nvidia.com>

Author: thomasdhc

docker/Dockerfile

@@ -32,6 +32,7 @@ ENV NVIDIA_PRODUCT_NAME="NeMo Curator"
 # Install base dependency
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 ENV DEBIAN_FRONTEND=noninteractive
+# gnupg upgrade Address CVE-2025-68973
 RUN apt-get update && apt-get install -y --no-install-recommends \
     python3.12-dev \
     python3 \
@@ -41,6 +42,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     git \
     vim && \
+    apt install -y --only-upgrade gnupg && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
 WORKDIR /opt

pyproject.toml

@@ -185,7 +185,10 @@ index-strategy = "unsafe-best-match"
 no-build-isolation-package = ["flash-attn"]
 constraint-dependencies = [
     "aiohttp>=3.13.3", # Addresses CVE GHSA-6mq8-rvhq-8wgg
-    "protobuf>=4.25.8", # Address CVE GHSA-8qvm-5x2c-j2w7
+    "cryptography>=46.0.5", # Address CVE GHSA-r6ph-v2qm-q3c2
+    "nbconvert>=7.17.0", # Address CVE GHSA-xm59-rqc7-hhvf
+    "pillow>=12.1.1", # Address CVE GHSA-cfh3-3jmp-rvhc
+    "protobuf>=5.29.6", # Address CVE GHSA-8qvm-5x2c-j2w7
     "pyasn1>=0.6.2", # Address CVE GHSA-63vm-454h-vhhq
     "python-multipart>=0.0.22", # Address CVE GHSA-wp53-j4wj-2cfg
     "ray[default,data]>=2.52", # Address CVE GHSA-q279-jhrf-cc6v