Closed ddl-joyce-zhao closed 6 months ago
➜ feast git:(master) ✗ grep --include=*.py -rnw ./sdk/python -e "sqlalchemy"
./sdk/python/feast/infra/registry/sql.py:9:from sqlalchemy import ( # type: ignore
./sdk/python/feast/infra/registry/sql.py:22:from sqlalchemy.engine import Engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/tests/data_source.py:5:from sqlalchemy import create_engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:12:import sqlalchemy
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:14:from sqlalchemy import create_engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:15:from sqlalchemy.engine import Engine
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:16:from sqlalchemy.orm import sessionmaker
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssql.py:393: engine: sqlalchemy.engine.Engine,
./sdk/python/feast/infra/offline_stores/contrib/mssql_offline_store/mssqlserver_source.py:8:from sqlalchemy import create_engine
Two major warnings:
1, RemovedIn20Warning: The current statement is being autocommitted using implicit autocommit, which will be removed in SQLAlchemy 2.0. Use the .begin() method of Engine or Connection in order to use an explicit transaction for DML and DDL statements. (Background on SQLAlchemy 2.0 at: https://sqlalche.me/e/b8d9)
2, RemovedIn20Warning: Using non-integer/slice indices on Row is deprecated and will be removed in version 2.0; please use row._mapping[
Thank you guys very much for your quick action!
Is your feature request related to a problem? Please describe.
There is a security vulnerability PVE-2022-51668 in SQLAlchemy < 2.0.0.b1. https://data.safetycli.com/v/51668/f17/
However, feast pinned the SQLAlchemy version to be < 2. We are struggling to solve this vulnerability in our feast dependent projects. https://github.com/feast-dev/feast/blob/master/setup.py#L60
Describe the solution you'd like
Change the version specification to be >1 only
Describe alternatives you've considered NA
Additional context NA
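The issue above is a supply-chain problem rather than a code bug: an upper bound in setup.py can make it impossible for a downstream resolver to ever pick a patched release. The following is an added example (not code from the feast project) that audits a pin against an index of available versions and reports whether any admitted version carries the fix. The specifier "SQLAlchemy[mypy]>1,<2" is an assumption standing in for feast's actual setup.py line, the version index is a constructed sample, and "2.0.0b1" is the fix version quoted from the advisory above. It implements only the subset of PEP 440 such pins need (dotted releases, a/b/rc pre-releases, the six comparison operators), including the rule that "<2" does not admit 2.0.0b1 and pip's default of ignoring pre-releases.

```python
"""Audit whether a dependency pin can still resolve to a patched release.

Constructed example for this issue, not code from the feast project. The pin
"SQLAlchemy[mypy]>1,<2" is assumed to stand in for the real setup.py line and
the version index below is a constructed sample.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[Tuple[int, ...], Tuple[int, int]]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?(a|b|rc)(\d+))?$")
_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*(\S+)$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # sorts after every pre-release of the same release number


def parse_version(text: str) -> Version:
    """'2.0.0.b1' and '2.0.0b1' -> ((2,), (1, 1)); '2.0' and '2' -> ((2,), (3, 0))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 2.0.0 == 2.0 == 2
        release.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return tuple(release), pre


def _lt(v: Version, bound: Version) -> bool:
    # PEP 440: an exclusive "<2" must not admit a pre-release of 2 such as 2.0.0b1
    if v[0] == bound[0] and bound[1] == _FINAL and v[1] != _FINAL:
        return False
    return v < bound


_OPS = {
    "<": _lt,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,  # post-releases (e.g. 2.0.post1) are not modelled
    ">=": lambda v, b: v >= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """'SQLAlchemy[mypy]>1,<2' -> ('SQLAlchemy', [('>', ...), ('<', ...)])."""
    req = req.split(";", 1)[0]  # drop environment markers
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$", req)
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    specs: List[Tuple[str, Version]] = []
    for part in m.group(2).split(","):
        part = part.strip()
        if not part:
            continue
        sm = _SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier: {part!r}")
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return m.group(1), specs


def audit_pin(requirement: str, available: List[str], fixed_version: str,
              allow_prereleases: bool = False) -> Dict[str, object]:
    """Resolve the pin against an index of available versions and report
    whether any admitted version carries the fix (>= fixed_version)."""
    name, specs = parse_requirement(requirement)
    fixed = parse_version(fixed_version)
    # pip only considers pre-releases when asked (--pre) or when the specifier
    # itself names a pre-release version
    explicit_pre = any(b[1] != _FINAL for _, b in specs)
    allowed = []
    for text in available:
        v = parse_version(text)
        if v[1] != _FINAL and not (allow_prereleases or explicit_pre):
            continue
        if all(_OPS[op](v, bound) for op, bound in specs):
            allowed.append(text)
    patched = [t for t in allowed if parse_version(t) >= fixed]
    return {"name": name, "allowed": allowed, "patched": patched,
            "blocks_fix": not patched}


# Constructed sample index of released versions, for illustration only.
SAMPLE_INDEX = ["1.4.45", "1.4.46", "1.4.47", "2.0.0b1", "2.0.0rc1", "2.0.0", "2.0.1"]
FIXED_IN = "2.0.0b1"  # first release carrying the fix, per the advisory in the issue

if __name__ == "__main__":
    for pin in ("SQLAlchemy[mypy]>1,<2", "SQLAlchemy[mypy]>1"):
        report = audit_pin(pin, SAMPLE_INDEX, FIXED_IN)
        state = "BLOCKS the fix" if report["blocks_fix"] else "admits patched releases"
        print(f"{pin:24} -> {state}; patched candidates: {report['patched']}")
```

Running the block compares the current pin with the one proposed in the issue: the "<2" bound leaves only 1.4.x candidates, so `blocks_fix` is true, while ">1" alone admits 2.0.0 and later. The same function can be run over every line of a requirements file in CI so that a bound which excludes all patched releases of a dependency is flagged before it ships.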