snorkel-team / snorkel

A system for quickly generating training data with weak supervision
https://snorkel.org
Apache License 2.0

Bump version upper bound of networkx to 2.7 #1677

Closed marekmodry closed 2 years ago

marekmodry commented 3 years ago

Description of proposed changes

This PR bumps up the version upper boundary of networkx from <2.6 to <2.7.

The main reason for bumping the version is the existence of a high-severity security vulnerability (Deserialization of Untrusted Data) in the networkx package (present in networkx <= 2.5.x and fixed in v2.6).

Note: networkx 2.5.x supports Python >= 3.6, while networkx 2.6.x supports Python >= 3.7. Therefore, when no other constraints are given, networkx 2.5.x is installed when on py36, while networkx 2.6.x is installed when on py3.7.

Historical context: Originally, snorkel allowed networkx <3.0 until snorkel v0.9.2 (networkx bounds changed to <2.4 by https://github.com/snorkel-team/snorkel/pull/1492 for backward compatibility reasons). Subsequently, PR https://github.com/snorkel-team/snorkel/pull/1645 introduced changes improving the compatibility and extended networkx's version upper bound to <2.6 (this happened before networkx 2.6 was released).

Related issue(s)

Fixes #1673

Test plan

My testing locally and its results:

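The description above rests on two facts about pip's resolver: a version specifier such as `<2.7` only caps the release that can be chosen, and the `requires-python` metadata of each release then decides which of the admitted releases is actually installed on a given interpreter. The script below is an added example written for this discussion; it is not part of the snorkel or networkx code base. It reimplements the minimal specifier matching with the standard library only, and the release list with its `requires-python` values is a constructed sample based on the PR text (2.5.x needs Python >=3.6, 2.6.x needs Python >=3.7; the fix boundary of 2.6 is the one the PR states), not data fetched from PyPI. It shows which releases a constraint still admits, and which one would be picked on Python 3.6 versus 3.7.

```python
"""Evaluate which networkx releases a pip-style constraint admits and which
one would be installed for a given Python version.

Added example for this PR discussion (not project code). Release metadata
below is a constructed sample modelled on the PR description.
"""
from __future__ import annotations

import operator

# Constructed sample of (version, requires_python) pairs. The PR states that
# 2.5.x supports Python >=3.6 and 2.6.x supports Python >=3.7; the values for
# the older releases are assumptions for illustration.
RELEASES = [
    ("2.3", ">=3.5"),
    ("2.4", ">=3.5"),
    ("2.5", ">=3.6"),
    ("2.5.1", ">=3.6"),
    ("2.6", ">=3.7"),
    ("2.6.3", ">=3.7"),
]

# First release that, per the PR text, fixes the deserialization issue.
FIXED_IN = "2.6"

_OPS = {
    "<=": operator.le, ">=": operator.ge, "==": operator.eq,
    "!=": operator.ne, "<": operator.lt, ">": operator.gt,
}


def parse_version(text: str) -> tuple[int, int, int]:
    """'2.6' -> (2, 6, 0); zero-padded so '2.6' and '2.6.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of a simple
    PEP 440-style specifier such as '>=2.2,<2.7' (comparison operators only)."""
    v = parse_version(version)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        op = next((o for o in _OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[op](v, parse_version(clause[len(op):])):
            return False
    return True


def is_vulnerable(version: str) -> bool:
    """Releases older than FIXED_IN carry the issue the PR describes."""
    return parse_version(version) < parse_version(FIXED_IN)


def admitted_vulnerable(spec: str, releases=RELEASES) -> list[str]:
    """Vulnerable releases that the constraint alone does not exclude."""
    return [v for v, _ in releases if satisfies(v, spec) and is_vulnerable(v)]


def resolve(spec: str, python_version: str, releases=RELEASES) -> str | None:
    """Newest release meeting both the constraint and its requires-python,
    mirroring pip's pick when nothing else constrains the install."""
    ok = [v for v, req in releases
          if satisfies(v, spec) and satisfies(python_version, req)]
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    for spec in ("<2.6", "<2.7", ">=2.6,<2.7"):
        for py in ("3.6", "3.7"):
            picked = resolve(spec, py)
            flag = "VULNERABLE" if picked and is_vulnerable(picked) else "ok"
            print(f"networkx{spec:<11} on py{py}: {picked} ({flag})")
        print("  vulnerable releases still admitted:", admitted_vulnerable(spec))
```

Running it reproduces the behaviour the description notes: with `<2.7`, Python 3.7 resolves to 2.6.x while Python 3.6 still resolves to 2.5.x, and the constraint by itself admits every pre-2.6 release. Adding a lower bound (`>=2.6,<2.7`) is what makes the resolver refuse the vulnerable releases outright, at the cost of no candidate at all on Python 3.6.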

marekmodry commented 3 years ago

@rsmith49 I believe this PR is ready for review. The CI pipeline is failing, but given the other PRs and failing pipeline runs it seems that there are some pipeline issues.

Please, see the description for the list of tests I ran.

I appreciate any suggestions for further testing or changes. Thanks!

rsmith49 commented 3 years ago

@marekmodry thank you for getting this PR up! Like I commented on the original issue, we are currently looking into the problems with CI failures. I will update you when that has been resolved.

rjurney commented 2 years ago

Awesome! We’re hiring a Weakly Supervised Learning Engineer and will make more contributions in the next quarter :)

marekmodry commented 2 years ago

Thanks @rsmith49 and @bhancock8 !