Closed marekmodry closed 2 years ago
@rsmith49 I believe this PR is ready for review. The CI pipeline is failing, but given the other PRs and failing pipeline runs it seems that there are some pipeline issues.
Please, see the description for the list of tests I ran.
I appreciate any suggestions for further testing or changes. Thanks!
@marekmodry thank you for getting this PR up! Like I commented on the original issue, we are currently looking into the problems with CI failures. I will update you when that has been resolved
Awesome! We’re hiring a Weakly Supervised Learning Engineer and will make more contributions in the next quarter :)
Thanks @rsmith49 and @bhancock8 !
Description of proposed changes
This PR bumps up the version upper boundary of networkx from <2.6 to <2.7. The main reason for bumping the version is the existence of a high severity security vulnerability to Deserialization of Untrusted Data in the networkx package (present in networkx <= 2.5.x and fixed in v2.6).
Note: networkx 2.5.x supports Python >= 3.6, while networkx 2.6.x supports Python >= 3.7. Therefore, when no other constraints are given, networkx 2.5.x is installed on py36, while networkx 2.6.x is installed on py3.7.
Historical context: Originally, snorkel allowed networkx <3.0 until snorkel v0.9.2 (networkx bounds changed to <2.4 by https://github.com/snorkel-team/snorkel/pull/1492 for backward compatibility reasons). Subsequently, PR https://github.com/snorkel-team/snorkel/pull/1645 introduced changes improving the compatibility and extended networkx's version upper bound to <2.6 (this happened before networkx 2.6 was released).
Related issue(s)
Fixes #1673
Test plan
My testing locally and its results:
- tox -e py36 on Python 3.6 with networkx==2.5.1 installed - PASSED
- tox -e py37 on Python 3.7 with networkx==2.5.1 installed - PASSED
- tox -e py37 on Python 3.7 with networkx==2.6.3 installed - PASSED
- tox -e type - PASSED (after the recent PR that pins the mypy version to 720 again)
- tox -e spark - PASSED
- tox -e complex - PASSED
Checklist
Need help on these? Just ask!
tox -e complex and/or tox -e spark if appropriate.
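The PR description makes a point that is easy to miss when only the upper bound moves: on Python 3.6 the resolver still lands on networkx 2.5.x, which is inside the vulnerable range, because 2.6.x requires Python >= 3.7. The script below is an added example, not code from the snorkel project or from this PR. It models a pip-style pick of the newest release that satisfies both the package's bound and the release's Requires-Python, and then reports whether the picked version falls in the vulnerable range. The release table is constructed from the facts stated in the description (2.5.1 and 2.6.3 with their Python requirements), not fetched from PyPI; the specifier evaluator handles only plain numeric versions and is an assumption about resolver behaviour, not a reimplementation of pip.

```python
"""Added example: does a dependency bound bump actually move a Python
environment off the vulnerable networkx range?  Stdlib only.

Constructed inputs: the release table and the vulnerable range below are
taken from the PR text, not from PyPI or an advisory feed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'2.6.3' -> (2, 6, 3); '3.7' -> (3, 7, 0). Numeric releases only
    (assumption: no pre-release or local version segments)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


def satisfies(version: str, specifier: str) -> bool:
    """Evaluate a comma-separated specifier such as '>=2.2,<2.7'.
    Supports <, <=, >, >=, ==, != (a subset of PEP 440)."""
    v = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in ("<=", ">=", "==", "!=", "<", ">"):
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError("unsupported clause: %r" % clause)
        ok = {"<": v < bound, "<=": v <= bound, ">": v > bound,
              ">=": v >= bound, "==": v == bound, "!=": v != bound}[op]
        if not ok:
            return False
    return True


# Constructed release table: (networkx version, Requires-Python), per the PR:
# 2.5.x supports Python >= 3.6, 2.6.x requires Python >= 3.7.
NETWORKX_RELEASES: List[Tuple[str, str]] = [
    ("2.5.1", ">=3.6"),
    ("2.6.3", ">=3.7"),
]

# Per the PR: the deserialization issue is present in <= 2.5.x, fixed in 2.6.
VULNERABLE_RANGE = "<2.6"


def resolve_networkx(python_version: str, package_spec: str) -> Optional[str]:
    """Newest release allowed by the package bound AND installable on this
    interpreter, mimicking pip with no other constraints in play."""
    candidates = [
        rel for rel, requires_python in NETWORKX_RELEASES
        if satisfies(rel, package_spec) and satisfies(python_version, requires_python)
    ]
    return max(candidates, key=parse_version) if candidates else None


def is_vulnerable(version: str) -> bool:
    return satisfies(version, VULNERABLE_RANGE)


def audit(python_version: str, old_spec: str, new_spec: str) -> dict:
    """Compare what the old and new bounds resolve to on one interpreter."""
    before = resolve_networkx(python_version, old_spec)
    after = resolve_networkx(python_version, new_spec)
    return {
        "python": python_version,
        "before": before,
        "before_vulnerable": before is not None and is_vulnerable(before),
        "after": after,
        "after_vulnerable": after is not None and is_vulnerable(after),
    }


if __name__ == "__main__":
    # The two interpreters the PR's test plan covers.
    for py in ("3.6", "3.7"):
        print(audit(py, old_spec="<2.6", new_spec="<2.7"))
```

Run as-is it shows the bound bump fixing the py3.7 environment while the py3.6 environment keeps resolving to 2.5.1; the practical takeaway for a reviewer is that the bump is necessary but only sufficient on interpreters that 2.6.x supports, so a CI matrix that still includes 3.6 needs a separate decision (drop the interpreter or accept the exposure there).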