feast-dev / feast

The Open Source Feature Store for Machine Learning
https://feast.dev
Apache License 2.0

SQLAlchemy 2 compatibility #4062

Closed ddl-joyce-zhao closed 6 months ago

ddl-joyce-zhao commented 6 months ago

Is your feature request related to a problem? Please describe.

There is a security vulnerability PVE-2022-51668 in SQLAlchemy < 2.0.0.b1. https://data.safetycli.com/v/51668/f17/

However, feast pinned the SQLAlchemy version to be < 2. We are struggling to resolve this vulnerability in our feast-dependent projects. https://github.com/feast-dev/feast/blob/master/setup.py#L60

Describe the solution you'd like

Change the version specification to be >1 only

Describe alternatives you've considered

NA

Additional context

NA

shuchu commented 6 months ago

➜ feast git:(master) ✗ grep --include=*.py -rnw ./sdk/python -e "sqlalchemy"
./sdk/python/feast/infra/registry/sql.py:9:from sqlalchemy import ( # type: ignore
./sdk/python/feast/infra/registry/sql.py:22:from sqlalchemy.engine import Engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/tests/data_source.py:5:from sqlalchemy import create_engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:12:import sqlalchemy
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:14:from sqlalchemy import create_engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:15:from sqlalchemy.engine import Engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:16:from sqlalchemy.orm import sessionmaker
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:393: engine: sqlalchemy.engine.Engine,
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssqlserver_source.py:8:from sqlalchemy import create_engine

shuchu commented 6 months ago

https://docs.sqlalchemy.org/en/20/changelog/migration_20.html

shuchu commented 6 months ago

Two major warnings:

1, RemovedIn20Warning: The current statement is being autocommitted using implicit autocommit, which will be removed in SQLAlchemy 2.0. Use the .begin() method of Engine or Connection in order to use an explicit transaction for DML and DDL statements. (Background on SQLAlchemy 2.0 at: https://sqlalche.me/e/b8d9)

2, RemovedIn20Warning: Using non-integer/slice indices on Row is deprecated and will be removed in version 2.0; please use row._mapping[], or the mappings() accessor on the Result object. (Background on SQLAlchemy 2.0 at: https://sqlalche.me/e/b8d9)
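To make the two warnings above concrete, here is an added example (not part of the thread and not Feast's registry code) showing the 2.0-compatible forms they ask for: explicit transactions via `engine.begin()` and name-based column access via `row._mapping` / `Result.mappings()`. It runs against a constructed in-memory SQLite table and assumes SQLAlchemy 1.4 or newer (the release that introduced `Row._mapping`).

```python
"""2.0-compatible idioms for the two RemovedIn20Warning messages.
Added example; the table and rows below are constructed sample data."""
from sqlalchemy import create_engine, text
from sqlalchemy.exc import IntegrityError


def make_engine():
    # Constructed sample schema; this is not Feast's registry schema.
    engine = create_engine("sqlite://")
    # engine.begin() opens an explicit transaction that commits on success
    # and rolls back on exception, replacing the implicit autocommit that
    # warning 1 complains about. DDL and DML both go through it.
    with engine.begin() as conn:
        conn.execute(text(
            "CREATE TABLE feature_views (name TEXT PRIMARY KEY, ttl_s INTEGER)"))
        conn.execute(
            text("INSERT INTO feature_views (name, ttl_s) VALUES (:name, :ttl)"),
            [{"name": "driver_hourly", "ttl": 3600},
             {"name": "customer_daily", "ttl": 86400}],
        )
    return engine


def ttl_by_name(engine):
    # row["ttl_s"] (a string index on Row) is warning 2; row._mapping is the
    # name-keyed view that stays supported in 2.0.
    with engine.begin() as conn:
        rows = conn.execute(text("SELECT name, ttl_s FROM feature_views"))
        return {row._mapping["name"]: row._mapping["ttl_s"] for row in rows}


def ttl_by_name_mappings(engine):
    # Equivalent form using Result.mappings(), which yields dict-like rows.
    with engine.begin() as conn:
        result = conn.execute(text("SELECT name, ttl_s FROM feature_views"))
        return {m["name"]: m["ttl_s"] for m in result.mappings()}


def insert_with_rollback(engine, names):
    # The whole batch is one transaction: a duplicate primary key anywhere
    # raises IntegrityError, engine.begin() rolls back, and none of the
    # batch is committed. Under implicit autocommit, the rows inserted
    # before the failure would already have been persisted.
    try:
        with engine.begin() as conn:
            for name in names:
                conn.execute(
                    text("INSERT INTO feature_views (name, ttl_s) VALUES (:n, 0)"),
                    {"n": name})
        return True
    except IntegrityError:
        return False
```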

ddl-joyce-zhao commented 6 months ago

Thank you guys very much for your quick action!