verta doesn't support pyYAML 5.4 version #2929

Closed
vineeth-shyam opened this issue Mar 8, 2022 · 7 comments · Fixed by #2982

@vineeth-shyam

Hi team,
In one of our projects we are using the verta==0.17.2 Python library to connect to modelDB. In the last few days we included Grype analysis in our pipeline to scan for vulnerabilities; one such vulnerability was due to an older version of pyYAML (GHSA-8q59-q68h-6hv4), whose version should be > 5.4.

However, I see that even the latest version of verta only supports pyYAML < 5.4.

Do you guys have any plans to release a patch to resolve this issue?

Thank you

@liuverta
Contributor

liuverta commented Mar 9, 2022

Hi @vineeth-shyam, thank you for your interest in verta!

Our next release will support pyyaml<6.0 (the PR #2718 has already been merged). I can't provide an exact date at the moment, but we're working on having it published soon. Thank you for your patience—I'll let you know when it's live.

liuverta self-assigned this Mar 9, 2022
@vineeth-shyam
Author

Thank you very much for your reply, @liuverta. I'm wondering, do you guys have a tentative date for the new release?

@liuverta
Contributor

liuverta commented Apr 4, 2022

Hi @vineeth-shyam, we are looking to release a new version 0.20.0 within the next couple of weeks!

@liuverta
Contributor

liuverta commented Apr 8, 2022

@vineeth-shyam verta==0.20.0 should be pip-installable within the next hour, with support for PyYAML==5.4. Please let me know if you encounter any issues there. Thanks again for your patience!

@vineeth-shyam
Author

Hi Liu,
Thank you very much for the update. I'm sorry I have to write to you again; does the new release support click>=8.0?

Regards,
Vineeth

@liuverta
Contributor

@vineeth-shyam We don't yet support click>=8.0; as I recall, there are some incompatibilities we would have to resolve.

If that is of interest to you, would you be so kind as to file a new Issue for that? I'd also be curious as to what other libraries require click>=8.0, if you know (I'm assuming that it's potentially causing dependency conflicts). Thank you!

@vineeth-shyam
Author

Sure @liuverta, I will create a new issue.
