Dependency on versions of Numpy with publicly-known security vulnerabilities (Fixed by Numpy 1.22.2)
Reporting a bug
- I have tried using the latest released version of Numba (most recent is visible in the change log: https://github.com/numba/numba/blob/main/CHANGE_LOG).
- I have included a self contained code sample to reproduce the problem, i.e. it's possible to run as `python bug.py`.
- **Note:** This bug focuses on publicly-known security vulnerabilities of a numba dependency (Numpy versions < 1.22.2) and would be well-demonstrated by code.
Numba 0.55.1 has a dependency on Numpy with versions where: 1.18 <= version < 1.22.
However, these versions of numpy are exposed to publicly known security vulnerabilities.
These vulnerabilities are fixed in Numpy 1.22.0 and, most importantly, in Numpy 1.22.2:
- Numpy 1.22.2 includes a fix for CVE-2021-41495: a Null Pointer Dereference vulnerability exists in numpy.sort in NumPy in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays.
- Numpy 1.22.0 includes a fix for CVE-2021-41496: a buffer overflow in the array_from_pyobj function of fortranobject.c, which allows attackers to conduct a Denial of Service attack by carefully constructing an array with negative values.
I am hoping to use numba as part of an enterprise software package that will not accept security vulnerabilities and am being blocked by this upper limit.
Numpy 1.22.0, while being a major version bump, contained relatively few deprecations and issues that would result in backwards compatibility problems. Instead, this major version bump was mostly additive. Moreover, the changes following it (1.22.1, 1.22.2) were predominantly bug fixes. Therefore, I expect that this upgrade would not require a major overhaul on behalf of the numba developer team, could be validated relatively quickly, and would add great value to developers depending on secure versions of numba and the value it adds to our products.
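The issue above is about a dependency constraint that cannot resolve to a patched release. The following is an added example (not code from numba or NumPy, nor from the issue author) of the kind of check a build pipeline can run to catch that situation: it parses a pip-style requirement such as `numpy>=1.18,<1.22`, compares every release in a candidate list against the "fixed in" version for each CVE named in the issue, and reports which still-vulnerable releases the constraint admits. The release list and the `FIXED_IN` table are constructed from the versions and CVE numbers stated on this page; the parser is a minimal standard-library one and does not assume the `packaging` module.

```python
# Added example: does a pip-style requirement still admit NumPy releases
# that predate the fix for a known CVE? Standard library only.
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed candidate release list, built from the versions named in the issue.
NUMPY_RELEASES = ["1.18.0", "1.19.0", "1.20.0", "1.21.0", "1.22.0", "1.22.1", "1.22.2"]

# CVE -> first NumPy release containing the fix, as stated in the issue text.
FIXED_IN = {"CVE-2021-41496": "1.22.0", "CVE-2021-41495": "1.22.2"}

_NAME = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*\s*")
_CLAUSE = re.compile(r"^\s*(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)\s*$")

_OPS = {
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
    "<=": lambda v, b: v <= b,
    ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b,
    ">": lambda v, b: v > b,
}


def parse_version(text: str) -> Version:
    """'1.22' -> (1, 22, 0): pad to three components so short pins compare sanely."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_requirement(req: str) -> List[Tuple[str, Version]]:
    """Strip an optional package name, then split 'a,b' into (operator, version) clauses."""
    spec = _NAME.sub("", req, count=1)
    clauses = []
    for chunk in spec.split(","):
        m = _CLAUSE.match(chunk)
        if m is None:
            raise ValueError(f"unsupported clause: {chunk!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def allows(req: str, version: str) -> bool:
    """True if every clause of the requirement accepts this release."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_requirement(req))


def audit(req: str, releases: List[str] = NUMPY_RELEASES) -> Dict:
    """List the releases the pin admits and, per CVE, which of those predate the fix."""
    allowed = [r for r in releases if allows(req, r)]
    vulnerable_by_cve = {
        cve: [r for r in allowed if parse_version(r) < parse_version(fixed)]
        for cve, fixed in FIXED_IN.items()
    }
    # "safe" requires that something resolves at all and nothing vulnerable resolves.
    safe = bool(allowed) and not any(vulnerable_by_cve.values())
    return {"allowed": allowed, "vulnerable_by_cve": vulnerable_by_cve, "safe": safe}


if __name__ == "__main__":
    # The pin quoted in the issue, and a pin that only admits patched releases.
    for req in ("numpy>=1.18,<1.22", "numpy>=1.22.2"):
        print(req, "->", audit(req))
```

Running the block shows the pin from the issue (`numpy>=1.18,<1.22`) admits only releases that predate both fixes, while `numpy>=1.22.0,<1.22.2` is an instructive middle case: it clears CVE-2021-41496 but still admits 1.22.0 and 1.22.1 for CVE-2021-41495, which is why the issue title names 1.22.2 rather than 1.22.0 as the safe floor.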
Quick update… A 0.55.2 release is being prepared (milestone: https://github.com/numba/numba/milestone/64) which will include a backport of the NumPy 1.22 support patch(es) and so it will support NumPy 1.22. It will hopefully be shipped within the next few days.
https://github.com/numba/numba/issues/8066 notes the 0.55.2 release (with NumPy 1.22 support) as shipped for public availability. Tag and details here: https://github.com/numba/numba/releases/tag/0.55.2
Thanks for your patience on this, the backporting of NumPy 1.22 and Apple M1 support took a little longer than originally anticipated.
Closing this issue as resolved.