Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow networkx<3 for Python 3.7 or newer #255

Merged
merged 4 commits into from
Sep 25, 2023

Conversation

Stealthii
Copy link
Contributor

@Stealthii Stealthii commented Jun 28, 2023

This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.6-2.8 for newer versions.

This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability (see networkx/networkx#4541).

This change brings in a conditional dependency for networkx, preventing
2.6 or later being installed for a Python 3.6 environment, but allowing
v2.7 or 2.8 for newer versions.

This should allow for non EOL versions of Python to install a version of
networkx that doesn't have the CVE vulnerability.
@CLAassistant
Copy link

CLAassistant commented Jun 28, 2023

CLA assistant check
All committers have signed the CLA.

@Stealthii
Copy link
Contributor Author

Realistically this change shouldn't be needed and the version range softened as networkx introduced python_requires=">=3.7", with the v2.6 release, but depending on package build or install method this might not happen so this PR implements a defensive change.

@jk464
Copy link

jk464 commented Aug 7, 2023

This would be a useful PR for myself as it addresses a Critical CVE in networkx (atleast in Python 3.8) - i.e. the one fixed here networkx/networkx#4541. (There is not compatible version of networkx with the fix available for Py3.6)

Copy link
Member

@arm4b arm4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, that's helpful.

It needs a changelog record and also green builds to merge it.

@Stealthii @jk464 @StackStorm/maintainers If anyone can help looking into CI failures, https://github.com/StackStorm/orquesta/actions/runs/5402181880/job/14626061246?pr=255#step:3:7 is the first flag.

@arm4b arm4b added the bug label Sep 19, 2023
Copy link
Member

@arm4b arm4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Thanks to @amanda11 and @nzlosh for fixing the CI here: #257

Let's see if we could merge this one now.

@arm4b
Copy link
Member

arm4b commented Sep 25, 2023

All good. Still needs a changelog though to merge it.

@@ -3,7 +3,8 @@ eventlet
Jinja2>=2.11 # BSD License (3 clause)
jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT
# networkx v2.6 does not support Python3.6. Update networkx to match st2
networkx>=2.5.1,<2.6
networkx>=2.5.1,<2.6; python_version < '3.7'
networkx>=2.6,<3; python_version >= '3.7'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated it to a more strict >=2.6 as https://security.snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709 suggests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants