Allow networkx<3 for Python 3.7 or newer #255
Conversation
This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.7 or 2.8 for newer versions. This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability.
|
|
|
Realistically this change shouldn't be needed and the version range softened as networkx introduced |
|
This would be a useful PR for myself as it addresses a Critical CVE in |
There was a problem hiding this comment.
Thanks for the PR, that's helpful.
It needs a changelog record and also green builds to merge it.
@Stealthii @jk464 @StackStorm/maintainers If anyone can help looking into CI failures, https://github.com/StackStorm/orquesta/actions/runs/5402181880/job/14626061246?pr=255#step:3:7 is the first flag.
|
All good. Still needs a changelog though to merge it. |
| @@ -3,7 +3,8 @@ eventlet | |||
| Jinja2>=2.11 # BSD License (3 clause) | |||
| jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT | |||
| # networkx v2.6 does not support Python3.6. Update networkx to match st2 | |||
| networkx>=2.5.1,<2.6 | |||
| networkx>=2.5.1,<2.6; python_version < '3.7' | |||
| networkx>=2.6,<3; python_version >= '3.7' | |||
There was a problem hiding this comment.
I updated it to a more strict >=2.6 as https://security.snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709 suggests
This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.6-2.8 for newer versions.
This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability (see networkx/networkx#4541).