RFC: Upgrade sqlalchemy #5
Conversation
muttlib/dbconn/base.py
Outdated
| @@ -126,11 +126,14 @@ def __setattr__(self, attr, value): | |||
| elif attr == 'driver': | |||
| value = format_drivername(self.dialect, value) | |||
| attr = 'drivername' | |||
| self.conn_url = self.conn_url.set(**{attr: value}) | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
I don't quickly understand the change, mind explaining it to me if you remember? :)
If it's a breaking change with sqlalchemy 1.3 we could add a version check to remain compatible with both 1.3 and 1.4.
There was a problem hiding this comment.
Yes, this is a breaking change. Previously one could just do
connection.url = "my_url"
But now the attribute is protected from changes like that, and requires to be changed with its set method.
Regarding double compatibility, I'm answering you in another comment.
This reverts commit 8db59e4.
| numpy = ">=1.22.0,<2.0" | ||
| jinjasql = "^0.1.8" | ||
| ipython = "^7.29.0" | ||
| ipython = ">=8.0.1" |
There was a problem hiding this comment.
Motivated not by sqlalchemy but by vulnerability issue.
https://www.cvedetails.com/cve/CVE-2022-21699/
https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
There was a problem hiding this comment.
Hi 👋🏼 @leo-mansini.
Nice PR you've got there. Is this ready for action? Do you want me to spam someone so it's code reviewed? It looks fairly inoffensive, with the caveat that the PR name is not complete as you're modifying several package, aren't you?
I was just looking to upgrade project-lisa to mlflow 1.28.0 which requires sqlalchemy 1.4... but this lovely package muttlib doesn't let me :) (because of the current sqlalchemy <1.4 limitation) ... unless you merge with the change i'm requesting.
pyproject.toml
Outdated
| @@ -58,28 +58,27 @@ progressbar2 = "^3.55.0" | |||
| PyYAML = ">=5.1,<7.0" | |||
| scikit-learn = "^1.0.1" | |||
| scipy = "^1.7.2" | |||
| SQLAlchemy = "<1.4.0,>=1.3.0" | |||
| SQLAlchemy = "^1.4,<1.5" | |||
There was a problem hiding this comment.
Could it be changed to >=1.3,<2.0? This would retain compatibility with many more projects already using muttlib. Or is the 1.3 -> 1.4 upgrade breaking?
There was a problem hiding this comment.
<2.0 and <1.5 is the same since there aren't any versions in >=1.5, <2.0, but I think <2.0 is better.
Regarding >=1.3, I can try and check!
However I'm not sure how to manage this with MLFlow or other libraries not compatible with 1.3, would muttlib need compatibility for the older version of those libraries too?
There was a problem hiding this comment.
I just started a poetry project with sqlalchemy 1.3 and this branch to test this. In the last commit I attempted the double compatibility and no issues with poetry or pytest 👍 , just need to test it on sqlalchemy 1.3 since poetry.lock set it to 1.4.
muttlib/dbconn/base.py
Outdated
| @@ -126,11 +126,14 @@ def __setattr__(self, attr, value): | |||
| elif attr == 'driver': | |||
| value = format_drivername(self.dialect, value) | |||
| attr = 'drivername' | |||
| self.conn_url = self.conn_url.set(**{attr: value}) | |||
There was a problem hiding this comment.
I don't quickly understand the change, mind explaining it to me if you remember? :)
If it's a breaking change with sqlalchemy 1.3 we could add a version check to remain compatible with both 1.3 and 1.4.
|
@MartinCura answering this. The changes in dependencies are, as far as I can remember, all motivated by sqlalchemy version bump, except for IPython, where I added the vulnerability comment. Other cases that I remember were particular are:
|
|
OK great, and what do you think about retaining compatibility for both sqlalchemy 1.3 and 1.4? |
|
@CrossNox do i bother you for a Code Review? 😅 |
| psycopg2-binary = { version = "^2.9.2", optional = true } | ||
| PyMySQL = { version = "^1.0.2", optional = true } | ||
| pymssql = { version = "^2.2.2", optional = true } | ||
| pymongo = { version = "^3.12.1", optional = true } | ||
| snowflake-connector-python = { version = "^2.7.1", optional = true } | ||
| cryptography = { version = "3.4.7", optional = true } | ||
| snowflake-sqlalchemy = { version = "1.2.4", optional = true } | ||
| snowflake-sqlalchemy = { version = ">=1.2.4, <=1.4.4, !=1.2.5", optional = true } # https://github.com/snowflakedb/snowflake-sqlalchemy/issues/234 |
There was a problem hiding this comment.
Avoiding 1.2.5 because of incompatibility with sqlalchemy 1.3 (source).
|
@MartinCura Added compatibility with SQLAlchemy >1.3. Keep in mind the changes were tested only in the project included tests and in my particular uses, which are Google Sheets and BigQuery. |
pyproject.toml
Outdated
| matplotlib = "^3.5.0" | ||
| pyarrow = { version = "6.0.0", optional = true } | ||
| cx-Oracle = { version = "^8.3.0", optional = true } | ||
| PyHive = { version = ">=0.6.1", optional = true } | ||
| thrift = { version = "^0.15.0", optional = true } | ||
| thrift = { version = "0.16.0", optional = true } |
There was a problem hiding this comment.
pinning to a specific version for same reason? i.e. missing ^?
There was a problem hiding this comment.
Leaving it with ^ works anyways as latest is 0.16.0 so no reason to not have it 🤷
Thanks! Looking good! |
|
Merged this to master, just have an issue with bandit, fails due to a |
| @@ -183,7 +183,7 @@ def clean_quotes(s): | |||
| elif ext == 'feather': | |||
| return pd.read_feather(fn) | |||
| elif ext in ['pickle', 'pkl']: | |||
| return pd.read_pickle(fn) | |||
| return pd.read_pickle(fn) # nosec | |||
There was a problem hiding this comment.
For bandit to pass it's either this or removing the feature.
There was a problem hiding this comment.
maybe add a comment to entrypoint function cautioning about passing unsafe pickle files because it's a security issue; apart from that i can't think of anything else you can do?
There was a problem hiding this comment.
Added to docstring (if by entrypoint you mean the df_read_multi util).
There was a problem hiding this comment.
and maybe local_df_cache()
| @@ -183,7 +183,7 @@ def clean_quotes(s): | |||
| elif ext == 'feather': | |||
| return pd.read_feather(fn) | |||
| elif ext in ['pickle', 'pkl']: | |||
| return pd.read_pickle(fn) | |||
| return pd.read_pickle(fn) # nosec | |||
There was a problem hiding this comment.
maybe add a comment to entrypoint function cautioning about passing unsafe pickle files because it's a security issue; apart from that i can't think of anything else you can do?
pyproject.toml
Outdated
| matplotlib = "^3.5.0" | ||
| pyarrow = { version = "6.0.0", optional = true } | ||
| cx-Oracle = { version = "^8.3.0", optional = true } | ||
| PyHive = { version = ">=0.6.1", optional = true } | ||
| thrift = { version = "^0.15.0", optional = true } | ||
| thrift = { version = "0.16.0", optional = true } |
Seems like there's none :) |
|
TY @MartinCura for the review! |
No description provided.