Bump version upper bound of networkx to 2.7 #1677
Merged
Description of proposed changes

This PR bumps up the version upper boundary of networkx from `<2.6` to `<2.7`. The main reason for bumping the version is the existence of a high severity security vulnerability (Deserialization of Untrusted Data) in the networkx package, present in networkx <= 2.5.x and fixed in v2.6.

Note: networkx 2.5.x supports Python >= 3.6, while networkx 2.6.x supports Python >= 3.7. Therefore, when no other constraints are given, networkx 2.5.x is installed on py36, while networkx 2.6.x is installed on py37.

Historical context: originally, snorkel allowed networkx `<3.0` until snorkel v0.9.2 (networkx bounds changed to `<2.4` by #1492 for backward compatibility reasons). Subsequently, PR #1645 introduced changes improving the compatibility and extended networkx's version upper bound to `<2.6` (this happened before networkx 2.6 was released).

Related issue(s)
Fixes #1673
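The note above explains why raising the upper bound alone does not remove the vulnerable 2.5.x line from every environment: the resolver still picks the newest release that the interpreter supports. The following added example (not part of this PR or of snorkel) simulates that resolution against a constructed release table, with `RELEASES`, `FIXED_IN`, `resolve` and `audit` being assumed names, so a reviewer can see which networkx version a spec lands on for py36 versus py37 and whether it is still inside the affected range.

```python
"""Simulate which networkx release a requirement spec resolves to and flag
releases inside the affected range (<= 2.5.x, fixed in 2.6, per the PR text).
The release table below is constructed for this example, not read from PyPI."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed table: (networkx version, minimum supported Python version).
RELEASES: List[Tuple[str, Version]] = [
    ("2.4", (3, 5)), ("2.5.1", (3, 6)), ("2.6.3", (3, 7)),
]
FIXED_IN: Version = (2, 6)  # first release without the deserialization issue


def parse_version(text: str) -> Version:
    """'2.5.1' -> (2, 5, 1); only plain release segments are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: Version, spec: str) -> bool:
    """Evaluate a comma-separated spec built from <, <=, >, >=, == clauses."""
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-character ops first
            if clause.startswith(op):
                if not ops[op](version, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier: {clause}")
    return True


def resolve(spec: str, python: Version) -> Optional[str]:
    """Pick the newest release that satisfies spec and supports this Python."""
    candidates = [v for v, min_py in RELEASES
                  if python >= min_py and satisfies(parse_version(v), spec)]
    return max(candidates, key=parse_version) if candidates else None


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_IN


def audit(spec: str, python: Version) -> Tuple[Optional[str], bool]:
    """Return (resolved version or None, whether it is in the affected range)."""
    chosen = resolve(spec, python)
    return chosen, chosen is not None and is_vulnerable(chosen)
```

With `<2.7` the py36 environment still resolves to 2.5.1 and is flagged, while only a lower bound of `>=2.6` (which drops Python 3.6 support) excludes the affected range entirely.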
Test plan

My testing locally and its results:

- `tox -e py36` on Python 3.6 with `networkx==2.5.1` installed - PASSED
- `tox -e py37` on Python 3.7 with `networkx==2.5.1` installed - PASSED
- `tox -e py37` on Python 3.7 with `networkx==2.6.3` installed - PASSED
- `tox -e type` - PASSED (after the recent PR that pins the mypy version to 720 again)
- `tox -e spark` - PASSED
- `tox -e complex` - PASSED