neo4j / graph-data-science

Source code for the Neo4j Graph Data Science library of graph algorithms.
https://neo4j.com/docs/graph-data-science/current/

JSON map missing for Neo4j 3.5.34, 3.5.35 #226

Closed jacob-ablowitz closed 1 year ago

jacob-ablowitz commented 1 year ago

The plugins json map at https://graphdatascience.ninja/versions.json only supports as high as v3.5.33 although the latest v3.5 container is v3.5.35. As a result, users attempting to use containerized v3.5.35 with graph-data-science can't start their containers. Please update the json map.

Mats-SX commented 1 year ago

Hello @jacob-ablowitz and thank you for highlighting this issue.

I tried to explain the situation with Neo4j version 3.5 and GDS in my reply to the issue you had raised at docker-neo4j, here. We do not recommend using Neo4j 3.5 at all, and we do not recommend using GDS together with it either. The version of GDS that supported Neo4j 3.5 is version 1.1, and it is no longer maintained. Both GDS 1.1 and Neo4j 3.5 are officially end-of-life, which means we do not produce any more releases or support users with bug reports or installation issues.

We recommend upgrading your environment to Neo4j 4.4 and GDS 2.2, to receive a plethora of new features developed over the last few years, including plenty of bugfixes and performance improvements. By not upgrading, there is a risk of missing important security fixes -- and the support we would normally offer for issues like the one mentioned in this report. The releases 3.5.34 and 3.5.35 were exceptional in circumstance due to a particularly high severity security problem. We may choose to not make such exceptions in the future, or for security problems that are of a lesser severity. For new versions, we will naturally make all improvements and fixes available as fast as possible.

Again, if you have a commercial engagement with Neo4j, I recommend contacting us through your commercial contact to reach Customer Support or Customer Success through the established commercial communication channel. But even in this case, I repeat my recommendation to upgrade from Neo4j 3.5, which was initially released nearly four years ago and is not a good choice to use anymore.

All the best,
Mats

jacob-ablowitz commented 1 year ago

Hi @Mats-SX I've been using 3.5 only because the MRI Neo4j Ruby driver isn't yet released 4.X with https working and I have a rails app that depends upon neo4j as its primary data store. This whole ruby driver saga has turned into a classic 'tech debt nightmare.' I'm actually the guy who made the request thru customer service for the 3.5.34 and 3.5.35 updates precisely because of the 'critical' and 'high' CVEs you mentioned.

Believe me, I can't wait to get off 3.X! I can reach out to the neo4j people directly, I just thought it would be quicker to go right to the source of the information (which I thought would be this repo?) because I can't actually make use of the 3.5.35 update in my containerized CI/CD pipeline since it depends upon this json map and so the 3.5.35 container fails to load if the gds plugin is specified.

gmann11 commented 1 year ago

Hi @jacob-ablowitz - I can work on this directly with you to put together a container that includes GDS without requiring any external changes to the versions.json map.