-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow networkx<3 for Python 3.7 or newer #255
Conversation
This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.7 or 2.8 for newer versions. This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability.
Realistically this change shouldn't be needed and the version range softened as networkx introduced |
This would be a useful PR for myself as it addresses a Critical CVE in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR, that's helpful.
It needs a changelog record and also green builds to merge it.
@Stealthii @jk464 @StackStorm/maintainers If anyone can help looking into CI failures, https://github.com/StackStorm/orquesta/actions/runs/5402181880/job/14626061246?pr=255#step:3:7 is the first flag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good. Still needs a changelog though to merge it. |
@@ -3,7 +3,8 @@ eventlet | |||
Jinja2>=2.11 # BSD License (3 clause) | |||
jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT | |||
# networkx v2.6 does not support Python3.6. Update networkx to match st2 | |||
networkx>=2.5.1,<2.6 | |||
networkx>=2.5.1,<2.6; python_version < '3.7' | |||
networkx>=2.6,<3; python_version >= '3.7' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated it to a more strict >=2.6
as https://security.snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709 suggests
This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.6-2.8 for newer versions.
This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability (see networkx/networkx#4541).