Allow networkx<3 for Python 3.7 or newer #255
This change brings in a conditional dependency for networkx, preventing 2.6 or later from being installed in a Python 3.6 environment, but allowing v2.7 or 2.8 for newer versions. This should allow non-EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability.
Realistically this change shouldn't be needed and the version range softened as networkx introduced

This would be a useful PR for myself as it addresses a Critical CVE in
arm4b left a comment:
Thanks for the PR, that's helpful.
It needs a changelog record and also green builds to merge it.
@Stealthii @jk464 @StackStorm/maintainers If anyone can help looking into CI failures, https://github.com/StackStorm/orquesta/actions/runs/5402181880/job/14626061246?pr=255#step:3:7 is the first flag.
All good. Still needs a changelog though to merge it.
| # networkx v2.6 does not support Python3.6. Update networkx to match st2 | ||
| networkx>=2.5.1,<2.6 | ||
| networkx>=2.5.1,<2.6; python_version < '3.7' | ||
| networkx>=2.6,<3; python_version >= '3.7' |
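Review bot: the inline comment above the pins still reads "networkx v2.6 does not support Python3.6. Update networkx to match st2", which explains the old single `<2.6` pin but says nothing about why the new `python_version >= '3.7'` line raises the floor to `>=2.6`. The thread cites the Snyk advisory SNYK-PYTHON-NETWORKX-1062709 and networkx/networkx#4541 as the reason, so put that reference in the comment so the next reader knows the lower bound is a security floor rather than version hygiene. It would also help to state that the `<3` cap (rather than `<2.9`) is deliberate, since the description talks about "v2.6-2.8".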
I updated it to a stricter >=2.6, as https://security.snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709 suggests.
This change brings in a conditional dependency for networkx, preventing 2.6 or later from being installed in a Python 3.6 environment, but allowing v2.6-2.8 for newer versions.
This should allow non-EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability (see networkx/networkx#4541).
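To see what the two marker-qualified lines from the diff resolve to on a given interpreter, here is an added example (not orquesta or PR code) with a hand-written stand-in for pip's PEP 508 marker evaluation, limited to the `python_version` markers and comparison specifiers used in the diff; the `REQUIREMENTS` list and the helper names are this example's own.

```python
"""Mini evaluator for the PR's conditional networkx requirement lines.

Hand-written stand-in for pip's PEP 508 marker handling (added example, not
orquesta code); it supports only the markers and specifiers used in the diff.
"""
import operator
import re

# The two requirement lines from the "after" side of the diff.
REQUIREMENTS = [
    "networkx>=2.5.1,<2.6; python_version < '3.7'",
    "networkx>=2.6,<3; python_version >= '3.7'",
]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
OP_RE = r"(<=|>=|==|!=|<|>)"  # longest alternatives first


def vtuple(ver):
    """'3.10' -> (3, 10): compare numerically, not as strings, so 3.10 > 3.7."""
    return tuple(int(p) for p in ver.split("."))


def marker_applies(marker, python_version):
    """Evaluate a single python_version marker for the given interpreter version."""
    m = re.fullmatch(r"\s*python_version\s*" + OP_RE + r"\s*['\"]([\d.]+)['\"]\s*", marker)
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    return OPS[m.group(1)](vtuple(python_version), vtuple(m.group(2)))


def parse_requirement(line):
    """Split 'name<specs>; <marker>' into (name, [(op, version), ...], marker or None)."""
    req, _, marker = line.partition(";")
    m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", req)
    specs = re.findall(OP_RE + r"\s*([\d.]+)", m.group(2))
    return m.group(1), specs, marker.strip() or None


def allowed(candidate, python_version, requirements=REQUIREMENTS):
    """True if networkx `candidate` satisfies every requirement whose marker matches."""
    active = 0
    for line in requirements:
        _, specs, marker = parse_requirement(line)
        if marker and not marker_applies(marker, python_version):
            continue  # inactive for this interpreter; pip would skip the line
        active += 1
        if not all(OPS[op](vtuple(candidate), vtuple(ver)) for op, ver in specs):
            return False
    return active > 0  # no matching line at all means nothing gets installed
```

`allowed("2.8.4", "3.10")` is True only because versions are compared numerically; a plain string comparison would put "3.10" below "3.7" and fall back to the vulnerable <2.6 range.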