Vulnerable dependencies identified in requirements.txt (GHSA High)

[RinZ27]

A security audit of the current dependencies in requirements.txt has identified several high-severity vulnerabilities. While these are pinned via the pip-compile process from requirements.in, they introduce known security risks that could potentially affect users.

Identified Vulnerabilities:

• cryptography: GHSA-r6ph-v2qm-q3c2 (High)
• keras: GHSA-3m4q-jmj6-r34q (High)
• pillow: GHSA-cfh3-3jmp-rvhc (High)
• protobuf: GHSA-7gcm-g887-7qv7 (High)
• tornado: GHSA-qjxf-f2mg-c6mc (High)

Recommendation:
Updating these core dependencies (especially tensorflow and its transitives) to safer versions by updating requirements.in and regenerating requirements.txt would significantly improve the security posture of the project.

I'm flagging this as an issue for discussion to determine the best timing for a dependency bump, as these changes can sometimes introduce breaking changes in large-scale projects.

[mhucka]

Thank you for your report. Currently, we can't update the requirements that are transitive dependencies coming from the base requirements on Cirq and TensorFlow. For example, Pillow is brought in through the path of relationships from Cirq 1.4. Until we can raise the max version of Cirq, we can't change that dependency version.

Updating TFQ to work with the latest versions of Cirq and TensorFlow are a work in progress, so these security vulnerabilities will hopefully be address soon.