Skip to content

Remove pyyaml dependency via module getattr#4802

Merged
jarrodmillman merged 11 commits intonetworkx:mainfrom
rossbar:rm-pyyaml-getattr
May 20, 2021
Merged

Remove pyyaml dependency via module getattr#4802
jarrodmillman merged 11 commits intonetworkx:mainfrom
rossbar:rm-pyyaml-getattr

Conversation

@rossbar
Copy link
Contributor

@rossbar rossbar commented May 14, 2021

An alternative to removing pyyaml with a full deprecation cycle. Adds a __getattr__ to each module/package from which read_yaml, write_yaml, and nx_yaml were accessible. Since the functions were one-liners, raise an informative error message describing how to use pyyaml directly to replicate the functionality of the nx_yaml module.

@jarrodmillman
Copy link
Member

jarrodmillman commented May 14, 2021

We should still plan to remove them completely for 3.0. So maybe we should also mention that in the message.

@jarrodmillman
Copy link
Member

jarrodmillman commented May 14, 2021

We may also want to mention the security issue (especially since we are removing a function w/out deprecating it).

@rossbar
Copy link
Contributor Author

rossbar commented May 15, 2021

Okay I've updated the exception messages w/ a note about security and a note that the message will be removed in 3.0. Here's an example:

>>> nx.read_yaml
Traceback (most recent call last)
   ...
ImportError: 
read_yaml has been removed from NetworkX, please use `yaml`
directly:

    import yaml

    with open('path', 'r') as fh:
        yaml.load(fh, Loader=yaml.Loader)

Note that yaml.Loader is considered insecure - see the pyyaml
documentation for further details.

This message will be removed in NetworkX 3.0.

I like the __getattr__ approach in that it raises an exception whenever a user tries to load/access the modules/functions rather than deferring to when users try to run the functions. One thing I don't like about this approach though is the fact that I had to repead the def __getattr__ definition in multiple places in order to cover all the previous access patterns (e.g. nx.read_yaml, nx.readwrite.read_yaml, nx.readwrite.nx_yaml.read_yaml, etc.). Maybe there's a better way to do this?

@rossbar rossbar requested a review from stefanv May 15, 2021 20:31
@janwui
Copy link

janwui commented May 17, 2021

Thank you for fixing the pyyaml dependency. Do you know when this fix will be released? The security bug, CVE-2020-1747, has been flag as a high severity for us and is currently a show stopper.

@dschult dschult added this to the networkx-2.6 milestone May 18, 2021
@dschult
Copy link
Member

dschult commented May 18, 2021

The milestone date for v2.6 is May 31. We are aiming to be close to that.

@MridulS MridulS mentioned this pull request May 18, 2021
Closed
@jarrodmillman
Copy link
Member

jarrodmillman commented May 18, 2021

Add a note about extra files to: https://github.com/networkx/networkx/blob/main/doc/developer/deprecations.rst

@rossbar rossbar self-assigned this May 18, 2021
@rossbar rossbar force-pushed the rm-pyyaml-getattr branch from 4b58cc9 to 96fd946 Compare May 19, 2021 14:47
@rossbar
Copy link
Contributor Author

rossbar commented May 19, 2021

I've updated the deprecation notes and removed the yaml section from the docs. I could've left the yaml section in there as a stub with a warning, but I decided to be more aggressive. If there's a preference for leaving a docs stub with a warning LMK and I'll add it back!

@jarrodmillman jarrodmillman removed the request for review from stefanv May 20, 2021 20:10
@jarrodmillman jarrodmillman merged commit 1f1fb42 into networkx:main May 20, 2021
@rossbar rossbar deleted the rm-pyyaml-getattr branch December 13, 2021 06:01
MridulS pushed a commit to MridulS/networkx that referenced this pull request Feb 4, 2023
@rossbar @MridulS
Remove pyyaml dependency via module getattr (networkx#4802)
a068542 
* WIP: adding getattr to nx_yaml module.

* WIP: Tests that informative exceptions raised.

* Add tests for informative messages.

* Add getattrs to higher-up pkgs.

* Remove test_yaml.py

* Remove pyyaml from requirements.

* Update examples in warning messages.

Ensure they are correct, runnable examples.

* Add security warning and removal time to message.

* Cp __getattr__ to other mods/pkgs.

* Update deprecation notes w/ getattrs.

* Remove yaml section from docs.
cvanelteren pushed a commit to cvanelteren/networkx that referenced this pull request Apr 22, 2024
@rossbar @cvanelteren
Remove pyyaml dependency via module getattr (networkx#4802)
7bc0d9f 
* WIP: adding getattr to nx_yaml module.

* WIP: Tests that informative exceptions raised.

* Add tests for informative messages.

* Add getattrs to higher-up pkgs.

* Remove test_yaml.py

* Remove pyyaml from requirements.

* Update examples in warning messages.

Ensure they are correct, runnable examples.

* Add security warning and removal time to message.

* Cp __getattr__ to other mods/pkgs.

* Update deprecation notes w/ getattrs.

* Remove yaml section from docs.
@PatMyron PatMyron mentioned this pull request Jan 15, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dschult dschult dschult approved these changes

@MridulS MridulS MridulS approved these changes

Assignees

@rossbar rossbar

Labels

type: Maintenance

Milestone

networkx-2.6

Development

Successfully merging this pull request may close these issues.

5 participants

@rossbar @jarrodmillman @janwui @dschult @MridulS