[VR-12461] Bump PyYAML version constraint #2718

Merged
merged 1 commit into from
Nov 19, 2021

convoliution (Contributor) commented Nov 19, 2021

Impact and Context

PyYAML has a security vulnerability that was addressed in pyyaml==5.4. Although verta itself doesn't use that vulnerable code, its dependency version constraint was conflicting with other libraries'.

This PR bumps the upper constraint on our pyyaml dependency from <5.4 to <6.0, which is when Python 2 support is dropped.

Closes #2536.

Risks and Area of Effect

Low risk: From PyYAML's changelog, the new versions we're allowing do not introduce any relevant breakages.

Low area of effect: verta only uses PyYAML for reading user-optional config files (currently only client config & endpoint update config).

Testing

I ran

pytest test_config.py test_endpoint/test_endpoint.py

from my machine on both Python 2 and 3, which encompasses all our config file-related functionality.

There were a handful of unrelated failures:

  • FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_init_error
    • VR-12994
  • FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_with_custom_module in Python 2
    • VR-11973
  • FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_twice
    • updating an endpoint twice in one test exceeds the timeout, and should probably be moved out of our client test suite

How to Revert

Revert this PR.

convoliution merged commit 42998fe into master Nov 19, 2021
convoliution deleted the ml/yaml branch November 19, 2021 20:28

liuverta (Contributor) commented Feb 7, 2022

Also closed #2379

Successfully merging this pull request may close these issues.

please support pyyaml>5.4