As part of my automated build, I run pipenv check to check for security vulnerabilities.
It has recently started raising errors due to NumPy, which isn’t a dependency that I’ve installed.
```
$ pipenv check
Creating a Pipfile for this project…
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
36810: numpy <=1.16.0 resolved (1.15.4 installed)!
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
```
I’m not 100% sure, but I think Pipenv normally checks what’s installed in the Python virtual environment it’s managing under the hood. But because Travis runs Python code in a virtual environment, Pipenv is using that virtual environment, which has NumPy installed.
That will of course not work when you want Travis to define the virtualenv for you, making it easy to test with all Python versions that Travis supports out of the box.
Another fix is to instruct pipenv to ignore this specific vulnerability: pipenv check --ignore 36810
The best fix is of course that Travis updates the NumPy provided in the image to a non-vulnerable version.
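An added example, not part of the question or the answers above: a small script that parses the finding lines `pipenv check` prints (in the `ID: pkg spec resolved (ver installed)!` shape shown in the question) and splits them into findings against packages pinned in the project's own Pipfile.lock versus findings that only come from the surrounding environment, such as the NumPy preinstalled in the Travis image. The sample output and the Pipfile.lock are constructed; that `--ignore` may be repeated once per ID is an assumption.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Matches the finding lines that `pipenv check` prints, e.g.
#   36810: numpy <=1.16.0 resolved (1.15.4 installed)!
FINDING_RE = re.compile(
    r"^(?P<id>\d+):\s+(?P<pkg>\S+)\s+(?P<spec>.+?)\s+resolved\s+"
    r"\((?P<installed>\S+)\s+installed\)!$"
)


def parse_findings(check_output: str) -> List[Dict[str, str]]:
    """Return one dict (id, pkg, spec, installed) per finding line."""
    return [
        m.groupdict()
        for line in check_output.splitlines()
        if (m := FINDING_RE.match(line.strip()))
    ]


def declared_packages(lockfile_text: str) -> Set[str]:
    """Package names pinned in a Pipfile.lock ('default' and 'develop' sections)."""
    lock = json.loads(lockfile_text)
    return {name.lower() for sec in ("default", "develop") for name in lock.get(sec, {})}


def triage(check_output: str, lockfile_text: str) -> Tuple[List[str], List[str]]:
    """Split finding IDs into (declared deps, environment-only packages).

    Environment-only findings are the ones you cannot fix by editing your
    Pipfile; they belong to whatever the CI image preinstalled."""
    declared = declared_packages(lockfile_text)
    ours, env_only = [], []
    for f in parse_findings(check_output):
        (ours if f["pkg"].lower() in declared else env_only).append(f["id"])
    return ours, env_only


def ignore_flags(ids: List[str]) -> str:
    """Build the `--ignore` arguments for the IDs you have decided to accept."""
    return " ".join(f"--ignore {i}" for i in ids)


# Constructed sample: the output quoted in the question, plus a Pipfile.lock
# for a project that declares only requests (so NumPy is environment-only).
SAMPLE_OUTPUT = (
    "Checking installed package safety…\n"
    "36810: numpy <=1.16.0 resolved (1.15.4 installed)!\n"
    "An issue was discovered in NumPy 1.16.0 and earlier.\n"
)
SAMPLE_LOCK = json.dumps({"default": {"requests": {"version": "==2.21.0"}}, "develop": {}})
```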