Closed rjurney closed 3 years ago
Hi @rjurney, thanks for flagging this and we’d be happy to work with your team on updating the networkx
requirement. To maintain compatibility with Python 3.6, we’ll need to make sure that networkx
2.5 can still be installed if the user so chooses. If your team wants to get started on a PR, we recommend starting by loosening the version in requirements.txt
and seeing if unit tests reveal any major incompatibilities.
Edit: Clarified suggested approach
@marekmodry can you check out this project, update requirements.txt and see if any unit tests fail?
@rsmith49 note that the PR at https://github.com/snorkel-team/snorkel/pull/1675 actually passes all tests locally. Is the CI broken?
@rjurney sorry for the trouble - something is going on with CI and we are currently investigating - if you have any ideas as to what is causing the build errors we would be happy for extra input!
@bhancock8 thanks!
Issue description
We can't have Snorkel as part of our build with a Snyk high priority vulnerability, something that is going to affect many users.
The versions affected are described here: https://snyk.io/vuln/pip:networkx
The vulnerability enables arbitrary code execution when saving unknown data - such as in a real application that accepts user input - to YAML: https://snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709
For SOC2 compliance, having this hanging around is a problem for an audit. Those companies requiring ISO27001, HIPAA (snorkel is big in a medical context) and PCI are likely to have similar issues.
Expected behavior
Snorkel should upgrade its libraries at least annually to remain runnable by a broad base of users. Networkx 2.5 was released in August 2020.
Additional Information
@bhancock8 if you can outline what is required to upgrade to networkx 2.6 I can have my team take a swing at it.
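As an added example (not code from the Snorkel project or from anyone in this thread), a stdlib-only check of the kind a CI job could run alongside the PR approach suggested above: it reads a requirements.txt fragment, honours per-interpreter markers so the Python 3.6 path can still resolve networkx 2.5, and reports any pin that would let a version below the 2.6 floor the issue asks for install. The fragment, the single marker form handled, and the `audit` function are all assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed requirements fragment (an assumption, not Snorkel's real file):
# one pin per interpreter range, so Python 3.6 users can still install 2.5
# while newer interpreters get the 2.6 floor the issue asks for.
REQUIREMENTS = """\
networkx>=2.6 ; python_version >= "3.7"
networkx>=2.5,<2.6 ; python_version < "3.7"
numpy>=1.16
"""

# Only the python_version marker form is handled; other markers are ignored.
VERSION_RE = re.compile(r'python_version\s*(>=|<=|==|<|>)\s*"([\d.]+)"')

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.6' into (2, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def marker_applies(marker: str, python_version: str) -> bool:
    """Evaluate a single python_version marker; a line with no marker always applies."""
    m = VERSION_RE.search(marker)
    if m is None:
        return True
    op, wanted = m.group(1), parse_version(m.group(2))
    have = parse_version(python_version)
    return {"<": have < wanted, "<=": have <= wanted, "==": have == wanted,
            ">": have > wanted, ">=": have >= wanted}[op]

def lowest_allowed(spec: str) -> Optional[Tuple[int, ...]]:
    """Smallest version a specifier such as '>=2.5,<2.6' admits; None if unbounded below."""
    floors = [parse_version(v) for _, v in re.findall(r'(>=|==)\s*([\d.]+)', spec)]
    return min(floors) if floors else None

def audit(requirements: str, package: str, minimum: str, python_version: str) -> List[str]:
    """Return findings for `package` pins that would let a version below `minimum` install."""
    findings = []
    for line in requirements.splitlines():
        name_spec, _, marker = line.partition(";")
        m = re.match(r'\s*([A-Za-z0-9_.-]+)\s*(.*)', name_spec)
        if not m or m.group(1).lower() != package.lower():
            continue
        if not marker_applies(marker, python_version):
            continue  # this pin is not selected on the interpreter being audited
        floor = lowest_allowed(m.group(2).strip())
        if floor is None or floor < parse_version(minimum):
            findings.append(f"{line.strip()!r} admits {package} < {minimum} on Python {python_version}")
    return findings
```

Running `audit(REQUIREMENTS, "networkx", "2.6", "3.6")` flags the 2.5 pin that the Python 3.6 path keeps, which is the trade-off the maintainers describe; on 3.8 the fragment is clean.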