Revert urllib3 version pin #648
Comments
@nvda-mesharma @mc-nv in this PR: #457, we updated the urllib3 requirement.
CVE-2023-45803 prevent locking version as
@mc-nv CVE says that
Sorry to bother you guys once again. Have you had an opportunity to look into this? It's a really simple fix that will avert a dependency hell for us.
It's not bothering us. We just have to be careful with the CVE issue. Let me ping one more person.
Dear customer, we understand your request and have to clarify the following for you. According to the Python Packaging User Guide#Version Specifier documentation, both versions are valid, as you mentioned above. We may not be impacted, but it will require rebuilding the entire product and making sure that none of the other customers is impacted.
@mc-nv Hey, thanks for the clarification. Regarding semver, I'll note here a quote from urllib3 v2 migration guide:
And their recommended version specifier during the migration is
Hey guys. Just pinging if there's any update on this?
@nvda-mesharma any idea what is happening on this? I am out of the loop on this now
We are also running into this in an application that uses boto3. Boto requires urllib3<2.0.0.
Any progress on this issue?
Following up again. This issue is blocking our ability to update the client package.
Hi. We are trying to integrate with OIP model servers over at feast feature store and need to add mlserver and tritonclient as optional dependencies. The problem is that we also already depend on snowflake-connector-python, which still has a strict urllib3<2.0.0 requirement for Python 3.9. I saw that the urllib3 version pin here was only to avoid vulnerability reports (#457). Not sure which vulnerability that was referring to, but it seems like urllib3 plans to ship security fixes for v1 still. Is it possible to revert the version pin? Or maybe allow something like (>=1.26.18<2 or >=2.0.7). Thanks
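To make the conflict discussed in this thread concrete, here is an added example (not tritonclient's own code) that checks a constructed list of urllib3 releases against the competing constraints. The tritonclient pin `>=2.0.7` and the release list are assumptions; the boto3 constraint and the proposed specifier (written here with the PEP 440 comma) come from the thread.

```python
"""Minimal PEP 440-style version check for the urllib3 pinning discussion.

Added example, not code from the tritonclient project. Constructed input:
the release list and the assumed tritonclient pin. Only numeric releases and
the operators >=, >, <, <=, ==, != are handled.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    # "1.26.18" -> (1, 26, 18); pad so that "2" compares equal to "2.0.0"
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def satisfies(version: str, spec: str) -> bool:
    """Comma-separated clauses are ANDed (PEP 440); an explicit ' or '
    joins alternatives, e.g. '>=1.26.18,<2 or >=2.0.7' from the issue."""
    v = parse_version(version)
    for alternative in spec.split(" or "):
        ok = True
        for clause in alternative.split(","):
            clause = clause.strip()
            # two-character operators must be tried before their one-character prefixes
            op = next(o for o in (">=", "<=", "==", "!=", ">", "<") if clause.startswith(o))
            ok = ok and _OPS[op](v, parse_version(clause[len(op):].strip()))
        if ok:
            return True
    return False

def resolvable(candidates: List[str], requirements: List[str]) -> List[str]:
    """Releases that satisfy every requirement at once (what a resolver must find)."""
    return [c for c in candidates if all(satisfies(c, r) for r in requirements)]

# Constructed release list; 1.26.18 and 2.0.7 are the patched releases named in the issue.
RELEASES = ["1.26.16", "1.26.17", "1.26.18", "2.0.5", "2.0.6", "2.0.7", "2.1.0"]
PINNED = ">=2.0.7"                    # assumed tritonclient pin introduced by PR #457
PROPOSED = ">=1.26.18,<2 or >=2.0.7"  # specifier proposed in the issue body
BOTO3 = "<2.0.0"                      # boto3's constraint as stated in the thread

if __name__ == "__main__":
    print("pinned  :", resolvable(RELEASES, [PINNED, BOTO3]))    # [] -> unresolvable
    print("proposed:", resolvable(RELEASES, [PROPOSED, BOTO3]))  # ['1.26.18']
```

Both alternatives in the proposed specifier still exclude the releases before the fix, so relaxing the pin does not reintroduce the vulnerable versions.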