snorkel-team / snorkel

A system for quickly generating training data with weak supervision
https://snorkel.org
Apache License 2.0

Bump networkx version to 27 #1675

Closed marekmodry closed 3 years ago

marekmodry commented 3 years ago

This PR has been replaced by https://github.com/snorkel-team/snorkel/pull/1677

Description of proposed changes

This PR bumps up the version upper boundary of networkx from <2.6 to <2.7.

The main reason for bumping the version is the existence of a high severity security vulnerability to Deserialization of Untrusted Data in the networkx package (fixed in v2.6).

Note: networkx 2.5.x supports Python >= 3.6, while networkx 2.6.x supports Python >= 3.7. Therefore, when no other constraints are given, networkx 2.5.x is installed when on py36, while networkx 2.6.x is installed when on py3.7.

Historical context: Originally, snorkel allowed networkx <3.0 until snorkel v0.9.2 (networkx bounds changed to <2.4 by https://github.com/snorkel-team/snorkel/pull/1492 for backward compatibility reasons). Subsequently, PR https://github.com/snorkel-team/snorkel/pull/1645 introduced changes improving the compatibility and extended networkx's version upper bound to <2.6 (this happened before networkx 2.6 was released).

Related issue(s)

Fixes #1673

Test plan

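The Python-version note in the description above has a security consequence: raising the upper bound only delivers the fixed networkx line where the interpreter is new enough. The following is an added example, not code from this PR or from snorkel; the release index is a constructed sample, with the Python floors and the "fixed in v2.6" threshold taken from the description.

```python
# Added example: which networkx release an upper bound resolves to per Python
# version, and whether that release carries the fix named in the PR text.

# Constructed sample index. Python floors follow the PR description:
# 2.5.x supports Python >= 3.6, 2.6.x supports Python >= 3.7.
RELEASES = [
    {"version": "2.5", "requires_python": (3, 6)},
    {"version": "2.5.1", "requires_python": (3, 6)},
    {"version": "2.6", "requires_python": (3, 7)},
    {"version": "2.6.1", "requires_python": (3, 7)},
]
FIXED_IN = (2, 6, 0)  # "fixed in v2.6" per the PR description


def parse(version):
    """Turn '2.5.1' into (2, 5, 1), padding to three parts so '2.6' == '2.6.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def resolve(upper_bound, python_version, releases=RELEASES):
    """Highest release strictly below upper_bound that supports python_version."""
    limit = parse(upper_bound)
    candidates = [
        parse(r["version"])
        for r in releases
        if parse(r["version"]) < limit and python_version >= r["requires_python"]
    ]
    return max(candidates, default=None)


def audit(upper_bound, pythons):
    """Map each Python version to (resolved release, has_fix)."""
    report = {}
    for py in pythons:
        picked = resolve(upper_bound, py)
        report[py] = (picked, picked is not None and picked >= FIXED_IN)
    return report


if __name__ == "__main__":
    for bound in ("2.6", "2.7"):
        for py, (picked, fixed) in audit(bound, [(3, 6), (3, 7)]).items():
            status = "has fix" if fixed else "PRE-FIX"
            print(f"networkx<{bound} on py{py[0]}.{py[1]}: {picked} ({status})")
```

With the `<2.7` bound, Python 3.7 resolves to the 2.6 line, while Python 3.6 still resolves to 2.5.x, so environments on that interpreter need a separate check.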

rjurney commented 3 years ago

@bhancock8 @rsmith49 it would be amazing if we could get this into the next release. All tests pass locally.

marekmodry commented 3 years ago

I brought in some commit noise with this PR, so I closed this and replaced it with: https://github.com/snorkel-team/snorkel/pull/1677 (where I rebased the new mypy/CI fix)