Merge pull request #235 from spolti/RHOAIENG-3381

[Cherry-Pick] Python vulnerability fixes (kserve#3441)
spolti · Feb 27, 2024 · 298fe40 · 298fe40
2 parents 0b7d2bc + ed4f7a0
commit 298fe40
Show file tree

Hide file tree

Showing 26 changed files with 23,423 additions and 20,164 deletions.
diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml
@@ -81,7 +81,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/sklearnserver/.venv
-          key: sklearn-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/sklearnserver/poetry.lock') }}
+          key: sklearn-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/sklearnserver/poetry.lock') }}
         # install sklearn server dependencies if cache does not exist
       - name: Install sklearn dependencies
         if: steps.cached-sklearn-dependencies.outputs.cache-hit != 'true'
@@ -105,7 +105,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/xgbserver/.venv
-          key: xgb-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/xgbserver/poetry.lock') }}
+          key: xgb-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/xgbserver/poetry.lock') }}
         # install xgb server dependencies if cache does not exist
       - name: Install xgb dependencies
         if: steps.cached-xgb-dependencies.outputs.cache-hit != 'true'
@@ -129,7 +129,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/pmmlserver/.venv
-          key: pmml-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/pmmlserver/poetry.lock') }}
+          key: pmml-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/pmmlserver/poetry.lock') }}
         # install pmml server dependencies if cache does not exist
       - name: Install pmml dependencies
         if: steps.cached-pmml-dependencies.outputs.cache-hit != 'true'
@@ -153,7 +153,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/lgbserver/.venv
-          key: lgb-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/pmmlserver/poetry.lock') }}
+          key: lgb-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/lgbserver/poetry.lock') }}
         # install lgb server dependencies if cache does not exist
       - name: Install lgb dependencies
         if: steps.cached-lgb-dependencies.outputs.cache-hit != 'true'
@@ -178,7 +178,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/paddleserver/.venv
-          key: paddle-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/paddleserver/poetry.lock') }}
+          key: paddle-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/paddleserver/poetry.lock') }}
         # install paddle server dependencies if cache does not exist
       - name: Install paddle dependencies
         if: ${{ steps.cached-paddle-dependencies.outputs.cache-hit != 'true' && !startsWith(steps.setup-python.outputs.python-version, '3.11') }}
@@ -205,7 +205,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: python/alibiexplainer/.venv
-          key: alibi-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock, **/alibiexplainer/poetry.lock') }}
+          key: alibi-venv-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/kserve/poetry.lock', '**/alibiexplainer/poetry.lock') }}
         # install alibi explainer dependencies if cache does not exist
       - name: Install alibi dependencies
         run: |

diff --git a/Makefile b/Makefile
@@ -336,3 +336,6 @@ apidocs:
 .PHONY: check-doc-links
 check-doc-links:
 	@python3 hack/verify-doc-links.py && echo "$@: OK"
+
+poetry-update-lockfiles:
+	bash -ec 'for value in $$(find . -name poetry.lock -exec dirname {} \;); do (cd "$${value}" && echo "Updating $${value}/poetry.lock" && poetry update --lock); done'
diff --git a/python/aiffairness/poetry.lock b/python/aiffairness/poetry.lock
diff --git a/python/alibiexplainer/poetry.lock b/python/alibiexplainer/poetry.lock
diff --git a/python/alibiexplainer/pyproject.toml b/python/alibiexplainer/pyproject.toml
@@ -12,7 +12,8 @@ packages = [
 [tool.poetry.dependencies]
 python = ">=3.8,<3.12"
 kserve = { path = "../kserve", extras = ["storage"], develop = true }
-alibi = { version = "^0.9.3", extras = ["shap", "tensorflow"] }
+alibi = { version = "^0.9.4", extras = ["shap", "tensorflow"] } # From 0.9.5 alibi uses BSL license
+tensorflow = ">=2.12.0,<2.14"  # the range that supports python 3.8 -- 3.11
 dill = "^0.3.6"
 nest-asyncio = "~1.4.0"
 llvmlite = ">0.38.1" # needed since poetry chooses lower version of llvmlite which is not supported by python 3.9 above
@@ -32,4 +33,4 @@ file_path = "../VERSION"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"
+build-backend = "poetry.core.masonry.api"