PyPi: Cellxgene

CVE-2021-23440

Transitive

Safety vulnerability ID: 44976

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 12, 2021. Updated at Dec 19, 2023.

Advisory

Cellxgene 0.12.0 updates its NPM dependency 'set-value' to v2.0.1 to include a security fix.

Affected package

cellxgene

Latest version: 1.2.0

Web application for exploration of large scale scRNA-seq datasets

Affected versions

Fixed versions

Vulnerability changelog

Summary: this release adds three major features, in addition to a number of bug fixes and other features:
* The location of the H5AD file may be specified as a URL, in addition to the currently supported file path
* Anndata "backed" mode is supported via `--backed` command line option
* A new experimental feature: the ability to create new categorical metadata for cells, aka cell annotations.

Added
* `cellxgene launch` command now accepts a URL as well as file paths. Example: "cellxgene launch http://…" Supports HTTP, HTTPS, and with optional package installations, S3 and GS URLs. (920)
* New command line option, `--backed`, will load the H5AD file in "backed" mode. This uses less memory and loads faster. However, it will dramatically increase the time required to load expression histograms or compute differential expression. This feature is most useful to explore metadata and embeddings for very large datasets, or to load only the embedding and metadata on computers with limited memory. This mode is disabled by default.
* New command line option, `--about`, provides a means to link out to more information about the dataset. The link provided on the command line will appear in the application info menu, and as a link in the dataset title (upper left, next to logo) (907)
* New command line option, `--disable-diffexp`, will cause on-demand differential expression (top N gene finding) to be disabled in the application. This is useful when exploring very large datasets, where the differential expression calculation is likely to be extremely slow or unusable due to memory exhaustion. Differential expression is enabled by default.
* Hovering the cursor over a category name will highlight cells in the gene expression scatterplot (previously only highlighted cells in the embedding graph). (900)
* [_Experimental feature, may be incomplete or unstable_] Added capability to label cells with new metadata (categorical annotations). This feature is enabled with the "--experimental-label-file" command line option, which requires a CSV file name. User-created metadata will be saved to this file. We would love feedback on this feature - please submit via GitHub issues.

Changed
* Pip install for `prepare` sub-command is now separate from default installation. If you wish to use prepare, install via `pip install cellxgene[prepare]`. See getting started guide for more info. (887, 889)
* Improved layout when strings are long. Will now break/truncate data set title, category name, etc. (858, 909)
* Improved the formatting for histogram axis labels, better handling of large numbers (913)
* Significant improvements to the embedding and gene expression plots, including reduction in CPU usage, zoom/pan constraints, a new rendering method designed to highlight meaningful data and improve overall usability/visibility (893)
* Miscellaneous improvements to documentation and README (878, 857, 880)
* Python and Javascript package updates, for both security and performance
* Rename "layout" to "embedding" in the UI (921)

Fixed
* Category-specific mini histograms were computed incorrectly in some cases (869)
* Remove pinned matplotlib version, and resolve incompatibility by installing scanpy earlier in the dependency list (so it specifies the matplotlib dependency).
* H5py dependency pinned to 2.9.0 to temporarily work around a regression reading older anndata files (scanpy issue 832). This will be removed in a future release. (916)
* Fixed several bugs in gene adding (both in bulk and autosuggest).
* Improved performance for datasets with a very large number of continuous metadata fields.


Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
HIGH

CVSS v2 Details

HIGH 7.5
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
PARTIAL
Availability Impact (A)
PARTIAL