
Bump version upper bound of networkx to 2.7 #1677

Merged

Conversation

marekmodry
Contributor

@marekmodry marekmodry commented Oct 14, 2021

Description of proposed changes

This PR bumps up the version upper boundary of networkx from <2.6 to <2.7.

The main reason for bumping the version is the existence of a high-severity security vulnerability (Deserialization of Untrusted Data) in the networkx package (present in networkx <= 2.5.x and fixed in v2.6).

Note:
networkx 2.5.x supports Python >= 3.6, while networkx 2.6.x supports Python >= 3.7. Therefore, when no other constraints are given, networkx 2.5.x is installed when on py36, while networkx 2.6.x is installed when on py3.7.

Historical context:
Originally, snorkel allowed networkx <3.0 until snorkel v0.9.2 (the networkx bound was changed to <2.4 by #1492 for backward compatibility reasons). Subsequently, PR #1645 introduced changes improving the compatibility and extended the networkx version upper bound to <2.6 (this happened before networkx 2.6 was released).

Related issue(s)

Fixes #1673

Test plan

My testing locally and its results:

  • tox -e py36 on Python 3.6 with networkx==2.5.1 installed - PASSED
  • tox -e py37 on Python 3.7 with networkx==2.5.1 installed - PASSED
  • tox -e py37 on Python 3.7 with networkx==2.6.3 installed - PASSED
  • tox -e type PASSED (after the recent PR that pins the mypy version to 720 again)
  • tox -e spark PASSED
  • tox -e complex PASSED

Checklist

Need help on these? Just ask!

  • I have read the CONTRIBUTING document.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • I have run tox -e complex and/or tox -e spark if appropriate.
  • All new and existing tests passed.
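As an added illustration (not code from the PR or the snorkel project), the resolution behaviour described in the note above, modelled in Python: a constructed release table carrying the Python requirements the description states, the vulnerable range it gives (<= 2.5.x, fixed in 2.6), and a tiny resolver showing which networkx release each bound selects on py36 and py37.

```python
"""Model why raising the networkx upper bound from <2.6 to <2.7 helps py37 but not py36."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse(v: str) -> Version:
    """Turn '2.5.1' into (2, 5, 1) so versions compare as tuples."""
    return tuple(int(part) for part in v.split("."))


# Constructed release table (an assumption for this example): version -> minimum Python.
# It encodes only what the PR states: 2.5.x needs Python >= 3.6, 2.6.x needs Python >= 3.7.
NETWORKX_RELEASES: Dict[str, str] = {
    "2.5.1": "3.6",
    "2.6.0": "3.7",
    "2.6.3": "3.7",
}


def is_vulnerable(version: str) -> bool:
    """Vulnerable range from the PR description: anything below 2.6."""
    return parse(version) < (2, 6)


def resolve(python_version: str, upper_bound: str) -> Optional[str]:
    """Pick the newest release with version < upper_bound that supports this Python.

    This mimics what an installer does when no other constraint is given.
    """
    py = parse(python_version)
    candidates = [
        v for v, min_py in NETWORKX_RELEASES.items()
        if parse(v) < parse(upper_bound) and py >= parse(min_py)
    ]
    return max(candidates, key=parse) if candidates else None


def outcome(python_version: str, upper_bound: str) -> Tuple[Optional[str], bool]:
    """Return (resolved networkx version, whether that version is vulnerable)."""
    chosen = resolve(python_version, upper_bound)
    return chosen, chosen is not None and is_vulnerable(chosen)


if __name__ == "__main__":
    for py in ("3.6", "3.7"):
        for bound in ("2.6", "2.7"):
            print(f"Python {py}, networkx<{bound}: {outcome(py, bound)}")
```

Run as-is, the output shows the bound `<2.7` moves py37 onto 2.6.3 while py36 still resolves to the vulnerable 2.5.1, which is exactly the caveat the note makes.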

@marekmodry marekmodry mentioned this pull request Oct 14, 2021
@marekmodry marekmodry marked this pull request as draft October 14, 2021 09:02
@marekmodry marekmodry marked this pull request as ready for review October 14, 2021 11:31
@marekmodry
Contributor Author

marekmodry commented Oct 14, 2021

@rsmith49 I believe this PR is ready for review. The CI pipeline is failing, but given the other PRs and failing pipeline runs, it seems that there are some pipeline issues.

Please, see the description for the list of tests I ran.

I appreciate any suggestions for further testing or changes. Thanks!

@rsmith49
Contributor

@marekmodry thank you for getting this PR up! Like I commented on the original issue, we are currently looking into the problems with CI failures. I will update you when that has been resolved.

@rsmith49 rsmith49 left a comment


Sorry for the delay, this looks good!

@bhancock8 bhancock8 merged commit b182abb into snorkel-team:master Nov 18, 2021
@rjurney

rjurney commented Nov 20, 2021

Awesome! We’re hiring a Weakly Supervised Learning Engineer and will make more contributions in the next quarter :)

@marekmodry
Contributor Author

Thanks @rsmith49 and @bhancock8 !

akode pushed a commit to akode/snorkel that referenced this pull request Jun 10, 2022
Successfully merging this pull request may close these issues.

networkx 2.5 has a high priority Snyk vulnerability - upgrade to networkx 2.6