Security: Investigate Click downgrade to 8.1.8 and possible re-introduction of CVE-2023-43090

[coderabbitai]

Context

The downgrade from click 8.2.1 → 8.1.8 in PR #1325 (see comment #1325 (comment)) was needed to relax the python_version marker, but 8.1.8 predates the fix for shell-escaping vulnerability CVE-2023-43090.

Task

1. Confirm whether Click 8.1.8 is indeed vulnerable in our Python 3.11 & 3.12 images.
2. If vulnerable, either
   • bump back to Click 8.2.x and patch downstream tooling, or
   • apply another safe version that retains relaxed markers.

Acceptance Criteria

• Security assessment documented.
• Decision on version or mitigation implemented.
• Affected images enumerated and updated.

Links

PR: #1325
Comment: #1325 (comment)

[coderabbitai]

Heads-up from PR #1325 (#1325) – discussion (#1325 (comment)) revealed that only jupyter/rocm/pytorch/ubi9-python-3.11 was downgraded to click==8.1.8 while the rest of the runtime images still pin click==8.2.1.

We should decide on one Click version across all images to avoid subtle regressions. Recall that Elyra PR opendatahub-io/elyra#118 exposed a Click incompatibility that broke tests, so any change needs extra scrutiny.

Adding this note here per @jiridanek’s request for tracking.