richardpaulhudson / holmes-extractor

Information extraction from English and German texts based on predicate logic
MIT License

Plans to update Holmes dependencies? #17

Closed dnicodemus closed 3 months ago

dnicodemus commented 7 months ago

Hi,

Are there any plans to update the Holmes dependencies?

Currently it requires spaCy >=3.0.0,<3.6.0, but these versions of spaCy require transformers, which is affected by vulnerabilities CVE-2023-7018 and CVE-2023-6730.

I would like to include Holmes in a sidecar, but am currently unable to do so because of these vulnerabilities.

Thanks for any support or advice.

Dave N
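The question raised in this post, whether a pinned dependency pulls in a flagged package and through which edges, can be checked mechanically. The following is an added example (not code from holmes-extractor, Coreferee or spaCy) that parses simple version specifiers such as the `spacy>=3.0.0,<3.6.0` pin above, checks whether an installed version satisfies them, and walks a dependency graph to list every path from a root package to a flagged package. `SAMPLE_GRAPH` is constructed to show the shape of the data and does not reflect real package metadata; `installed_graph()` builds the same structure from `importlib.metadata` for the current environment. Only numeric PEP 440 release versions and the six comparison operators are handled.

```python
"""Dependency-path audit for a pinned package chain (added example, stdlib only).

Sample graph and version strings below are constructed for illustration;
they are not the real metadata of holmes-extractor, spaCy or transformers."""
import re
from importlib import metadata

# Comparison clauses like ">=3.0.0" or "<3.6"; pre-release suffixes (rc1, a0) are not parsed.
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def version_tuple(version):
    """'3.5.1' -> (3, 5, 1). Numeric release segments only."""
    return tuple(int(p) for p in version.strip().rstrip(".").split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3, 5) compares equal to (3, 5, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_requirement(req):
    """'spacy>=3.0.0,<3.6.0; extra == "x"' -> ('spacy', [('>=', (3,0,0)), ('<', (3,6,0))], 'extra == "x"').

    The environment marker (text after ';') is returned separately and never version-parsed."""
    spec_part, _, marker = req.partition(";")
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec_part)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name = m.group(1).lower().replace("_", "-")  # normalised distribution name
    specs = [(op, version_tuple(v)) for op, v in _SPEC_RE.findall(spec_part)]
    return name, specs, marker.strip()


def satisfies(version, specs):
    """True when every clause in specs holds for the given version string."""
    v = version_tuple(version)
    for op, bound in specs:
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True


def dependency_paths(graph, root, target, include_extras=False):
    """All paths root -> ... -> target in graph (dict: name -> list of requirement strings).

    Requirements guarded by an 'extra ==' marker are optional and skipped unless
    include_extras is set. A node already on the current path is not revisited."""
    root, target = root.lower(), target.lower()
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for req in graph.get(node, []):
            child, _, marker = parse_requirement(req)
            if "extra ==" in marker and not include_extras:
                continue
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return paths


def installed_graph():
    """Same graph shape, built from the distributions installed in this environment."""
    graph = {}
    for dist in metadata.distributions():
        name = (dist.metadata["Name"] or "").lower().replace("_", "-")
        if name:
            graph[name] = dist.requires or []
    return graph


# Constructed sample graph: shape only, not real package metadata.
SAMPLE_GRAPH = {
    "holmes-extractor": ["spacy>=3.0.0,<3.6.0", "coreferee>=1.4.0"],
    "coreferee": ["spacy>=3.0.0,<3.6.0"],
    "spacy": ["thinc>=8.1.0", "spacy-transformers>=1.1.0; extra == 'transformers'"],
    "spacy-transformers": ["transformers"],
    "transformers": [],
    "thinc": [],
}

if __name__ == "__main__":
    _, pin, _ = parse_requirement("spacy>=3.0.0,<3.6.0")
    print("spacy 3.5.4 satisfies pin:", satisfies("3.5.4", pin))
    print("required paths:", dependency_paths(SAMPLE_GRAPH, "holmes-extractor", "transformers"))
    print("paths incl. extras:", dependency_paths(SAMPLE_GRAPH, "holmes-extractor",
                                                   "transformers", include_extras=True))
```

Against a real environment, `dependency_paths(installed_graph(), "holmes-extractor", "transformers", include_extras=True)` lists the edges through which the flagged package is reachable. Reachability in the metadata graph is the first check, not the last: whether the affected code in the flagged package is actually executed, which is the maintainer's argument in the reply below, still needs a review of the calling code.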

richardpaulhudson commented 3 months ago

Hi @dnicodemus, sorry for taking so long to get back to you. Unfortunately there are no plans to update the dependencies in the foreseeable future because this would require updating the dependencies for Coreferee, on which Holmes depends, and this would be very time-consuming: see https://github.com/richardpaulhudson/coreferee/issues/29.

At the same time, these two vulnerabilities refer to very specific code within the transformers library that is not used in any way by Holmes. Please look at them yourself to convince yourself of this, but it looks as though you can continue to use Holmes with the existing transformers dependencies without needing to worry about them.