Relax duckdb pin.

[danielballan]

Closes #1144

Checklist

• Add a Changelog entry
• Add the ticket number which this PR closes to the comment section

[danielballan]

Power-cycled to see whether recent changes in main resolve the new issue observed here.

[checkmarx-gh-ast-us-povs]

Checkmarx One – Scan Summary & Details – acdd3215-0218-4858-a3bf-c7eaebc28144

---

New Issues (107)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-4800	Npm-lodash-4.17.21	details Recommended version: 4.18.0 Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na... Attack Vector: NETWORK Attack Complexity: LOW ID: MZTyN2nQzWrpBYmUdLxJs%2Bhhr7Vq3zQR8rYR7G86%2FIE%3D Vulnerable Package
2		Command_Injection	tiled/client/context.py: 61	details The application's method calls an OS (shell) command with input, at line 61 of /tiled/client/context.py, using an untrusted string with the com... ID: A%2BU6S%2BSIcLHHxUVQzqMVWM323wI%3D Attack Vector
3		Command_Injection	tiled/client/context.py: 83	details The application's method calls an OS (shell) command with input, at line 83 of /tiled/client/context.py, using an untrusted string with the com... ID: 5UWJmmiMhb3k1hEs62%2BjolO2VZ8%3D Attack Vector
4		Stored_Command_Injection	tiled/utils.py: 498	details The application's method calls an OS (shell) command with filepath, at line 84 of /tiled/commandline/_profile.py, using an untrusted string wi... ID: okROum3Vq0g4ZxmvEod80dhYVGA%3D Attack Vector
5		CVE-2025-58754	Npm-axios-1.11.0	details Recommended version: 1.15.0 Description: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.12.0 runs on Node.js and is given a URL with the "d... Attack Vector: NETWORK Attack Complexity: LOW ID: GIZh39tlwk21Ror6STjUtVVbQsFzTnBsKHE45dVFWPg%3D Vulnerable Package
6		CVE-2025-64756	Npm-glob-10.4.5	details Recommended version: 10.5.0 Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in... Attack Vector: NETWORK Attack Complexity: HIGH ID: 77AkxJjT0t%2FHIXlWAj4fq1st4co79215Xk1AHhLKLiw%3D Vulnerable Package
7		CVE-2026-25639	Npm-axios-1.11.0	details Recommended version: 1.15.0 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ... Attack Vector: NETWORK Attack Complexity: LOW ID: jBsr2Psey7hSZ%2F20DYg41plsrFmcD5HU3nwkkM3o%2FmA%3D Vulnerable Package
8		CVE-2026-26996	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW ID: gLRLNoPYaxctk2VXz5vRN%2Fw4bmnMmNEs7SLIC7M8Xfk%3D Vulnerable Package
9		CVE-2026-27606	Npm-rollup-4.48.1	details Recommended version: 4.59.0 Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ... Attack Vector: NETWORK Attack Complexity: LOW ID: Ts35JMSCvT2JfUbHUC0msZ9W%2FB5TzHjy7sKeHbdQeaE%3D Vulnerable Package
10		CVE-2026-27903	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW ID: 6hGN46e607LvZyNgP5E4IslDszRoAgd%2BDG%2FFwUHu8zQ%3D Vulnerable Package
11		CVE-2026-27904	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW ID: xBGZnnzgBExrNGL38Aahw7NZ4a8uOYBg%2FL2qb2ZrCxw%3D Vulnerable Package
12		CVE-2026-33671	Npm-picomatch-4.0.3	details Recommended version: 4.0.4 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW ID: 7Dcpfc1X%2ByMoj5%2B0y2uJ3RpyTjaqQ2HvnWM3ddgBHLY%3D Vulnerable Package
13		CVE-2026-33671	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW ID: gEAShZp9WVfA1wp%2B%2F82okDjmtKGK6sAqEr8yAHCSHU4%3D Vulnerable Package
14		CVE-2026-33750	Npm-brace-expansion-2.0.2	details Recommended version: 2.0.3 Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3... Attack Vector: NETWORK Attack Complexity: LOW ID: YvR60PdYijPt%2FqQxOivnumhSudL5DMv56mepIEI4dq0%3D Vulnerable Package
15		CVE-2026-39363	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 6.0.0 prior to 6.4.2, 7.0.0 prior to 7.3.2, and 8.0.0 prior to 8.0.5, if it is possible t... Attack Vector: NETWORK Attack Complexity: LOW ID: YvMFW6EpUsYC5IZph%2FB1IbzstLcEpwI%2BKmiG4uIn6tE%3D Vulnerable Package
16		CVE-2026-39364	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.0 prior to 8.0.5, on the Vite dev server, files that should... Attack Vector: NETWORK Attack Complexity: LOW ID: ju0fzulooAD2EDBhgU47PfRd1iynC5pTRy%2FegpfZlUM%3D Vulnerable Package
17		Deserialization_of_Untrusted_Data	tiled/access_control/access_tags.py: 341	details The serialized object tag_config_file processed in  in the file /tiled/access_control/access_tags.py at line 341 is deserialized by load in th... ID: s%2FEQR7%2BMu8jfcaG%2Fk5avRMQ8zsQ%3D Attack Vector
18		Deserialization_of_Untrusted_Data	example_configs/catalog/create_catalog.py: 19	details The serialized object config_file processed in  in the file /example_configs/catalog/create_catalog.py at line 19 is deserialized by load in th... ID: zlWNkoG%2FsLtZkmRzMNGjjEVbTrI%3D Attack Vector
19		Missing User Instruction	/Dockerfile: 7	details Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user. ID: Dgo2Hgdh%2Bcn5JbgiIBsxRARM6qk%3D
20		Passwords And Secrets - Generic Password	/compose.yaml: 8	details Query to find passwords and secrets in infrastructure code. ID: vUTxBhHUSvlKoNFgmid3ldhvF1w%3D
21		Passwords And Secrets - Generic Password	/ldap-docker-compose.yml: 11	details Query to find passwords and secrets in infrastructure code. ID: VSJ0FwnLiahAmNH1p7zhT9jADzY%3D
22		Passwords And Secrets - Password in URL	/ci.yml: 85	details Query to find passwords and secrets in infrastructure code. ID: Z8D3J%2BGAmHiJH85Ajv3G%2B49nxoY%3D
23		Passwords And Secrets - Password in URL	/ci.yml: 74	details Query to find passwords and secrets in infrastructure code. ID: EUX39YI7grM9zwYTycCecjZUKFA%3D
24		Privilege Escalation Allowed	/deployment.yaml: 62	details Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process ID: 0V1IYjfDmAH%2BCKLPXTnbu0nnsxk%3D
25		CVE-2025-13465	Npm-lodash-4.17.21	details Recommended version: 4.18.0 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW ID: PGkAsDx7ndDyhftJhh8wHwgboyH4sNwZqTtgFn%2BGrp4%3D Vulnerable Package
26		CVE-2025-59288	Npm-playwright-1.55.0	details Recommended version: 1.55.1 Description: In versions prior to 1.55.1, improper verification of the cryptographic signature in Playwright allows an unauthorized attacker to perform spoofin... Attack Vector: ADJACENT_NETWORK Attack Complexity: HIGH ID: HyBH7M874c65xJsriOKdctz1m6%2BDzc07NqayshrOpuc%3D Vulnerable Package
27		CVE-2025-62522	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. In versions 2.9.18 prior to 3.0.0, 3.2.9 prior to 4.0.0, 4.5.3 prior to 5.0.0, 5.2.6 prior to ... Attack Vector: NETWORK Attack Complexity: LOW ID: 2as5fBlw4LeiEQXsvnFFBgF9Azvt1ARiwKgIHTjTYNI%3D Vulnerable Package
28		CVE-2025-62718	Npm-axios-1.11.0	details Recommended version: 1.15.0 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec... Attack Vector: NETWORK Attack Complexity: LOW ID: WPhWw1%2FYwli4tO%2FqUpO58mzof35pdMmpIEcAgFox5V4%3D Vulnerable Package
29		CVE-2025-64718	Npm-js-yaml-4.1.0	details Recommended version: 4.1.1 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW ID: YjYZG1FppdL9n1%2F0xT%2FsgpHcAwzoByxQ%2FONYRCjJpOc%3D Vulnerable Package
30		CVE-2025-68470	Npm-react-router-6.30.1	details Recommended version: 6.30.2 Description: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.6-pre.0, an attacker-supplied path can be crafted so tha... Attack Vector: NETWORK Attack Complexity: LOW ID: fQ8PPZuzoYrU9wbub1BRnMlKXrCAxAJkBK7WbhgY57Y%3D Vulnerable Package
31		CVE-2025-68470	Npm-@remix-run/router-1.23.0	details Recommended version: 1.23.2 Description: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.6-pre.0, an attacker-supplied path can be crafted so tha... Attack Vector: NETWORK Attack Complexity: LOW ID: lNLLBdu1uIYeIMvgL%2BaEUHZXIXBwD5hg3VhupyEsEEw%3D Vulnerable Package
32		CVE-2026-22029	Npm-@remix-run/router-1.23.0	details Recommended version: 1.23.2 Description: React Router is a router for React. In @remix-run/router version through 1.23.1, and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/... Attack Vector: NETWORK Attack Complexity: LOW ID: pk%2Fmoto9gylgeUtuXXuhMU75zo1crz0nl4yCxg%2BDGa8%3D Vulnerable Package
33		CVE-2026-33532	Npm-yaml-1.10.2	details Recommended version: 1.10.3 Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x... Attack Vector: NETWORK Attack Complexity: LOW ID: HZhqirsZfj0INIlN6CkxDdFq2q8uzuqSXxB9qSfTyKA%3D Vulnerable Package
34		CVE-2026-33532	Npm-yaml-2.8.1	details Recommended version: 2.8.3 Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x... Attack Vector: NETWORK Attack Complexity: LOW ID: NPL78w7jJl6zVU9%2FNNse6koK0cIHIP1azTY7d8qVp8U%3D Vulnerable Package
35		CVE-2026-40175	Npm-axios-1.11.0	details Recommended version: 1.15.0 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe... Attack Vector: NETWORK Attack Complexity: HIGH ID: HnGc5q%2F8JZqxNoy0VXhWhVa1aaj2kQA2nLdrhNRgNrk%3D Vulnerable Package
36		CVE-2026-40895	Npm-follow-redirects-1.15.11	details Recommended version: 1.16.0 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio... Attack Vector: NETWORK Attack Complexity: LOW ID: 2ieILUkRc6s9wpsMiPVHh7hFAqqc1QDIrDQS3Ryz68I%3D Vulnerable Package
37		Container Capabilities Unrestricted	/compose.yaml: 25	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: 8dKdRXJYILeNr89kB3XJBta8028%3D
38		Container Capabilities Unrestricted	/compose.yaml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: mrpQDaSdUSSvd5IV2RZ2nhiTIFs%3D
39		Container Capabilities Unrestricted	docker-compose.yml: 20	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: SE%2FYIN5HD%2BimXWDm7fkArwZMX%2FE%3D
40		Container Capabilities Unrestricted	/ldap-docker-compose.yml: 4	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: 5bpEDTi588IpPBxzWTpv%2Ff0ko9s%3D
41		Container Capabilities Unrestricted	docker-compose.yml: 33	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: n5760znyIA5AkFdbnHqB5zxWnvM%3D
42		Container Capabilities Unrestricted	docker-compose.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... ID: Pvw0%2FfXz2%2B6eUwf9tvswcwRl3EA%3D
43		Container Running As Root	/deployment.yaml: 62	details Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibiliti... ID: 3EixTIpajFppQK4zjy4zNW2CRao%3D
44		Container Running With Low UID	/deployment.yaml: 62	details Check if containers are running with low UID, which might cause conflicts with the host's user table. ID: g3Zg0kD99MFb0GklQUiKS49UYJY%3D
45		Container Traffic Not Bound To Host Interface	/compose.yaml: 32	details Incoming container traffic should be bound to a specific host interface ID: JsmfuIrdjySnYLr4%2BDAj4SM2uXE%3D
46		Container Traffic Not Bound To Host Interface	/ldap-docker-compose.yml: 6	details Incoming container traffic should be bound to a specific host interface ID: tePLgT27mV7ZxS1KEszzaSHDfeI%3D
47		Container Traffic Not Bound To Host Interface	docker-compose.yml: 37	details Incoming container traffic should be bound to a specific host interface ID: GtEZwC0j%2BOOqtadvgwEQ1pvk90A%3D
48		Container Traffic Not Bound To Host Interface	docker-compose.yml: 7	details Incoming container traffic should be bound to a specific host interface ID: FW5hCn2zYpnqET73fYBd6dJno%2FM%3D
49		Container Traffic Not Bound To Host Interface	/compose.yaml: 15	details Incoming container traffic should be bound to a specific host interface ID: X3vnClo1V7s5%2FTUgNL1Tx2r0%2BMA%3D
50		Healthcheck Not Set	docker-compose.yml: 20	details Check containers periodically to see if they are running properly. ID: 8KDIZVUdUGfVSQN2F2ziGKYeDes%3D
51		Healthcheck Not Set	/ldap-docker-compose.yml: 4	details Check containers periodically to see if they are running properly. ID: nXoTfRDDC292HWBmwzq5mrsYH%2Bw%3D
52		Healthcheck Not Set	docker-compose.yml: 33	details Check containers periodically to see if they are running properly. ID: J0JdmvgnAphlHFTgqVM7X9taxqA%3D
53		Healthcheck Not Set	/compose.yaml: 25	details Check containers periodically to see if they are running properly. ID: 9Ji%2BJdR8r3SM9zxFvfPMOYuupYU%3D
54		Image Version Not Explicit	/Dockerfile: 1	details Always tag the version of an image explicitly ID: K2%2Bzy0TUSkslV%2Ffg81eriitvWCw%3D
55		Image Version Not Explicit	/Dockerfile: 7	details Always tag the version of an image explicitly ID: ABDB8gg4VPxwzXnq0j5BZ%2FYu%2Bzk%3D
56		Memory Limits Not Defined	/deployment.yaml: 62	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: TFC6UtoDMB7TEZPgGFFHkM2atuI%3D
57		Memory Not Limited	/ldap-docker-compose.yml: 4	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: 3zXZ8OWqDroj4pDie3qO1HX39XI%3D
58		Memory Not Limited	docker-compose.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: vXqD8Uyh%2Fu%2FyzhlojzhbicCBA2k%3D
59		Memory Not Limited	docker-compose.yml: 20	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: Wq9zsN8vWhSDwuhQd%2BUMKelQeGA%3D
60		Memory Not Limited	docker-compose.yml: 33	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: U%2BoR8Mj%2FQgOXgkERZ%2F0uH7DgDDk%3D
61		Memory Requests Not Defined	/deployment.yaml: 62	details Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents ove... ID: znFItESnQhRzeFdAnZwUIDK2YTg%3D
62		Missing Version Specification In dnf install	/Dockerfile: 3	details Specifying a package version allows to reduce failures due to unanticipated changes in required packages. ID: XfdCgaU9f8tnPc5QX5%2FkMUaZxks%3D
63		NET_RAW Capabilities Not Being Dropped	/deployment.yaml: 62	details Containers should drop 'ALL' or at least 'NET_RAW' capabilities ID: ybrVEGQSrSWnTVGkBQVcK4MA%2BN0%3D
64		Pids Limit Not Set	/ldap-docker-compose.yml: 4	details 'pids_limit' should be set and different than -1 ID: qGekROaBQGbge0l2y8sYfTnW1YI%3D
65		Seccomp Profile Is Not Configured	/deployment.yaml: 62	details Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls ID: poxUItT3hCMKqUp6UDaSKklR%2BGM%3D
66		Security Opt Not Set	docker-compose.yml: 20	details Attribute 'security_opt' should be defined. ID: c1QsaPzNIqIhkUUj8h6XjMLo4IE%3D
67		Security Opt Not Set	/compose.yaml: 3	details Attribute 'security_opt' should be defined. ID: WluCYMEN4T8TVLUBoth7mLqcqbI%3D
68		Security Opt Not Set	docker-compose.yml: 33	details Attribute 'security_opt' should be defined. ID: PJ4fxPGMV9PPngPyzBLUFlNu5sQ%3D
69		Security Opt Not Set	/compose.yaml: 25	details Attribute 'security_opt' should be defined. ID: Pv13gQE0aSBqO2aFfyzVngFjzyA%3D
70		Security Opt Not Set	docker-compose.yml: 3	details Attribute 'security_opt' should be defined. ID: madx8Ec86dwZZJaGDLxTAtRyGw8%3D
71		Security Opt Not Set	/ldap-docker-compose.yml: 4	details Attribute 'security_opt' should be defined. ID: utnIvxmRiPPElXiEqsJG17XJIzc%3D
72		Service Account Token Automount Not Disabled	/deployment.yaml: 25	details Service Account Tokens are automatically mounted even if not necessary ID: oKkmpqluOkYCk3vM%2BsPhjwXuAeA%3D
73		Shared Host Network Namespace	/compose.yaml: 26	details Container should not share the host network namespace ID: Qb2asAza6MeXVV4qVn%2B6n0vlF38%3D
74		Use_Of_Hardcoded_Password	tiled/alembic_utils.py: 127	details The application uses the hard-coded password "[redacted]" for authentication purposes, either using it to verify users' identities, or to access... ID: 3V%2BBhb15zjXX%2BeiqihuEspuYiGs%3D Attack Vector
75		Use_Of_Hardcoded_Password	tiled/client/context.py: 109	details The application uses the hard-coded password "password" for authentication purposes, either using it to verify users' identities, or to access ano... ID: RThOSg9dnDE7s5RG%2B02gslx2kUw%3D Attack Vector
76		Use_Of_Hardcoded_Password	tiled/alembic_utils.py: 153	details The application uses the hard-coded password "[redacted]" for authentication purposes, either using it to verify users' identities, or to access... ID: qtK4WnBeCyNxDXUna%2B69nbhtC8E%3D Attack Vector
77		Use_of_Broken_or_Risky_Cryptographic_Algorithm	tiled/adapters/sql.py: 135	details In , the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivially broken, in /tile... ID: QCeC25%2Bsll4ISwokN0xaq%2FL%2FHa4%3D Attack Vector
78		Use_of_Broken_or_Risky_Cryptographic_Algorithm	tiled/catalog/utils.py: 10	details In , the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivially broken, in /tile... ID: aeZYj4It%2FHW4RyK6Z24ePh8aYH0%3D Attack Vector
79		Using Unrecommended Namespace	/service.yaml: 3	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: YS8mlkhTCPXH7dVkg25Uizyd11k%3D
80		Using Unrecommended Namespace	/configmap.yaml: 4	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: ihIrpLAqhj37Kie6jj9iZ9eTcZE%3D
81		CPU Limits Not Set	/deployment.yaml: 62	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: fxt5h0B6ngM%2FEz3P0Dw7vQJnsvw%3D
82		CPU Requests Not Set	/deployment.yaml: 62	details CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node ID: %2BrJ6gL%2FF0%2FkV5GRJjY0a8iHYaqo%3D
83		CVE-2025-58751	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the ... Attack Vector: NETWORK Attack Complexity: LOW ID: a8iILvZpEf%2BrjdknIEZRAtVa7KTZsM1owI3YBtSTbYs%3D Vulnerable Package
84		CVE-2025-58752	Npm-vite-7.1.3	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. In Vite versions through 5.4.19, 6.x through 6.3.5, 7.0.x through 7.0.6 and 7.1.x through 7.1.... Attack Vector: NETWORK Attack Complexity: LOW ID: kOoMOprOpnd5pZsobXxMd2PQ%2FZebPGsqZDva45pr%2F80%3D Vulnerable Package
85		Cpus Not Limited	/ldap-docker-compose.yml: 4	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: YOXQBmN0A9AtsklLZNj57q%2BjVGw%3D
86		Cpus Not Limited	docker-compose.yml: 20	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: MvSiyvjXs6mfvBmfV%2FrGxxnKbac%3D
87		Cpus Not Limited	docker-compose.yml: 33	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: 7XNrYu6quJP3ocNzb7jx3SV9XyY%3D
88		Cpus Not Limited	docker-compose.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: %2BALJ0EsncN4bscuqJd7A63KdNl8%3D
89		Filtering_Sensitive_Logs	tiled/client/context.py: 688	details The application logs various user events, and in method  writes sensitive user details to debug, in /locust/reader.py at line 62. These details i... ID: O9aHSX7ba7EQ7mdZu2TOp7g%2FQTg%3D Attack Vector
90		Healthcheck Instruction Missing	/Dockerfile: 7	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: UQpswDLUCcwmf%2B8LMu30Qc5sQJ4%3D
91		Image Without Digest	/deployment.yaml: 62	details Images should be specified together with their digests to ensure integrity ID: K%2BW0dG90ZqQdCubU3lIBqppVpLM%3D
92		Missing AppArmor Profile	/deployment.yaml: 17	details Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources ID: LDjmQrxOU%2FWiKcTyDuA0Zz0v8QM%3D
93		Missing Flag From Dnf Install	/Dockerfile: 3	details The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process... ID: kO2%2BgVkNRilUA%2FJ4BtxpjcrhzHk%3D
94		No Drop Capabilities for Containers	/deployment.yaml: 62	details Sees if Kubernetes Drop Capabilities exists to ensure containers security context ID: dHq0LAG%2Fva7Hy3pWqAvWI0piIvY%3D
95		Pod or Container Without LimitRange	/deployment.yaml: 1	details Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not... ID: RmCD9I6idStW180wyRX284pfZvo%3D
96		Pod or Container Without ResourceQuota	/deployment.yaml: 1	details Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can... ID: kPOVMz3LlQTmieItyqCeJ97e09E%3D
97		Root Container Not Mounted Read-only	/deployment.yaml: 62	details Check if the root container filesystem is not being mounted as read-only. ID: sJ1LAkKzvQ%2Ftjcigj%2BgWz9V8P%2BM%3D
98		Secrets As Environment Variables	/deployment.yaml: 62	details Container should not use secrets as environment variables ID: 38rAj2N45dj%2FX%2FW17VfqFPJP%2FC8%3D
99		Unpinned Actions Full Length Commit SHA	/publish-image.yml: 38	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: 1MI3h0JawHPXV3xgsw7piQFGnT8%3D
100		Unpinned Actions Full Length Commit SHA	/ci.yml: 20	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: dm1hKhv7AdHm2lweheofmHDVH6g%3D
101		Unpinned Actions Full Length Commit SHA	/publish-image.yml: 74	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: G59BMbAXjWO6oR9ny%2BwUg1LP34Y%3D
102		Unpinned Actions Full Length Commit SHA	/ci.yml: 40	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: 5r2XvoSyIJIKxWV4ttKV8yT8KKU%3D
103		Unpinned Actions Full Length Commit SHA	/publish-pypi.yml: 45	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: OxB9%2FhCDv75Bg7uT%2FMV9BPUbJfo%3D
104		Unpinned Actions Full Length Commit SHA	/ci.yml: 93	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: BmdvvUzoM1GTGjYakX32yvsYAVY%3D
105		Unpinned Actions Full Length Commit SHA	/docs.yml: 19	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: fMpRB6d4%2FsHYCLmARUlpG93igeo%3D
106		Unpinned Actions Full Length Commit SHA	/ci.yml: 112	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: 6wykkVV0G5nKKRg%2F0Jak3j%2FMTSI%3D
107		Unpinned Actions Full Length Commit SHA	/publish-docs.yml: 30	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: u5GX8CIXjF2B8wT1iH6ldEcjzpE%3D

---

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.

[tacaswell]

>       assert test_table == pa.Table.from_pandas(result_read)
1547
E       assert pyarrow.Table...se,true,null]] == pyarrow.Table...se,true,true]]
1548
E         
1549
E         Full diff:
1550
E           pyarrow.Table
1551
E           f0: int64
1552
E           f1: double
1553
E           f2: string
1554
E           f3: bool
1555
E           ----
1556
E         - f0: [[1,10,3,4,5,...,1,2,3,4,12]]
1557
E         - f1: [[1,10,3,4,5,...,1,2,3,4,12]]
1558
E         - f2: [["foo0","biz","baz0",null,"goo0",...,"foo0","bar0","baz0",null,"goo"]]
1559
E         - f3: [[true,false,false,true,null,...,true,null,false,true,true]]
1560
E         + f0: [[1,2,3,4,5],[6,7,8,9,10,11,12],...,[13,14],[1,2,3,4,5]]
1561
E         + f1: [[1,2,3,4,5],[6,7,8,9,10,11,12],...,[13,14],[1,2,3,4,5]]
1562
E         + f2: [["foo0","bar0","baz0",null,"goo0"],["foo1","bar1",null,"baz1","biz",null,"goo"],...,["foo2","baz2"],["foo0","bar0","baz0",null,"goo0"]]
1563
E         + f3: [[true,null,false,true,null],[null,true,true,false,false,null,true],...,[false,null],[true,null,false,true,null]]

These failures look real. The old behavior appears to have been flattening list and the new behavior is lists of lists. I don't know enough to judge which is right.