Merge pull request #149 from XAITK/update-to-v0.8.1

Update to v0.8.1.
XAITK · Jun 3, 2024 · e865ec0 · e865ec0
2 parents 6d788a9 + bb381cc
commit e865ec0
Show file tree

Hide file tree

Showing 9 changed files with 2,788 additions and 1,954 deletions.
diff --git a/.github/workflows/ci-unittests.yml b/.github/workflows/ci-unittests.yml
@@ -31,12 +31,12 @@ jobs:
     container: python:3.8
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the
@@ -57,12 +57,12 @@ jobs:
     container: python:3.8
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the
@@ -96,12 +96,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Cache local python environment artifacts for the current python version
       # and poetry lockfile hash.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         id: env-cache
         with:
           # Confirmed that the `.local` directory doesn't exist until the

diff --git a/docs/release_notes.rst b/docs/release_notes.rst
@@ -13,3 +13,4 @@ Release Notes
    release_notes/v0.6.1
    release_notes/v0.7.0
    release_notes/v0.8.0
+   release_notes/v0.8.1
diff --git a/docs/release_notes/v0.8.1.rst b/docs/release_notes/v0.8.1.rst
@@ -0,0 +1,24 @@
+v0.8.1
+======
+
+Addressed a few dependency vulnerabilities and updated the CI/CD to current versions.
+
+Updates / New Features
+----------------------
+
+CI/CD
+
+* Updated to use `checkout@v4` and `cache@v4` instead of `*@v2`.
+
+Fixes
+-----
+
+Dependencies
+
+* Fixed `numpy` dependency versions for downstream resolution.
+
+* Jupyter notebooks now installed with `notebook` instead of `jupyter`.
+
+* Increased the lower bound of `tqdm` to `4.66.3` to address `CVE-2024-34062`.
+
+* Ran `poetry update` to update `poetry.lock` for vulnerability scanning.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -8,7 +8,7 @@ name = "xaitk_saliency"
 # REMEMBER: `distutils.version.*Version` types can be used to compare versions
 # from strings like this.
 # This package prefers to use the strict numbering standard when possible.
-version = "0.8.0"
+version = "0.8.1"
 description = """\
     Visual saliency map generation interfaces and baseline implementations \
     for explainable AI."""
@@ -34,9 +34,11 @@ classifiers = [
 
 [tool.poetry.dependencies]
 python = "^3.8"
+# Python capped to <3.13 because of:
+# https://stackoverflow.com/questions/77431252/why-doesnt-poetry-select-the-good-version-of-my-dependency
 numpy = [
-    {version = ">=1.22,<1.26", python = ">=3.8,<3.12"},
-    {version = ">=1.26", python = ">=3.12"}
+    {version = ">=1.22,<1.25", python = "~3.8"}, # CVE-2021-34141
+    {version = ">=1.22,^1.25", python = ">=3.9,<3.13" } # CVE-2021-34141
 ]
 scikit-image = [
     # Hinge because minimum support 0.20.0 for py3.11
@@ -53,25 +55,25 @@ smqtk-core = ">=0.18.0"
 smqtk-descriptors = ">=0.16.0"
 smqtk-detection = ">=0.19.0"
 scipy = [
-    {version = ">=1.8.1,<1.9", python = ">=3.8,<3.11"},
+    {version = "<1.11.1", python = "~3.8.1"}, # Can't satisfy CVE-2023-25399 because it is too restrictive
     {version = ">=1.9", python = "^3.11"}
 ]
 click = ">=8.0.3"
 setuptools = "*"
 # Optionals for "example" extra
-jupyter = { version = ">=1.0.0", optional = true }
+notebook = { version = ">=7.0.7", optional = true }
 matplotlib = { version=">=3.4.1", optional = true }
 papermill = { version = ">=2.3.3", optional = true }
 torch = {version = ">=1.9.0,!=2.0.1", optional = true}
 torchvision = {version = ">=0.10.0", optional = true}
-tqdm = { version = ">=4.45.0", optional = true }
+tqdm = { version = "4.66.3", optional = true } # CVE-2024-34062
 # Optionals for "tools" extra"
 kwcoco = { version = ">=0.2.18", optional = true}
 pyyaml = {version = ">=6.0.1", optional = true, python = ">=3.12"}
 shapely = {version = ">=2.0.2", optional = true, python = ">=3.12"}
 
 [tool.poetry.extras]
-example_deps = [ "jupyter", "matplotlib", "papermill", "torch", "torchvision", "tqdm" ]
+example_deps = [ "notebook", "matplotlib", "papermill", "torch", "torchvision", "tqdm" ]
 tools = [ "kwcoco", "matplotlib", "pyyaml", "shapely" ]
 
 [tool.poetry.dev-dependencies]
@@ -101,7 +103,7 @@ coverage = ">=6.5.0"
 pytest = ">=7.2.0"
 pytest-cov = ">=4.0.0"
 # Utility
-ipython = ">=8.6.0"
+notebook = ">=7.0.7"
 
 [tool.poetry.scripts]
 sal-on-coco-dets= "xaitk_saliency.utils.bin.sal_on_coco_dets:sal_on_coco_dets"

diff --git a/tests/impls/gen_image_classifier_blackbox_sal/test_occlusion_based.py b/tests/impls/gen_image_classifier_blackbox_sal/test_occlusion_based.py
@@ -18,7 +18,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """ Test configuration suite using known simple implementations. """

diff --git a/tests/impls/gen_image_similarity_blackbox_sal/test_sbsm.py b/tests/impls/gen_image_similarity_blackbox_sal/test_sbsm.py
@@ -19,7 +19,7 @@ class TestBlackBoxSBSM:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """

diff --git a/tests/impls/gen_image_similarity_blackbox_sal/test_sim_occlusion_based.py b/tests/impls/gen_image_similarity_blackbox_sal/test_sim_occlusion_based.py
@@ -16,7 +16,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """

diff --git a/tests/impls/gen_object_detector_blackbox_sal/test_occlusion_based.py b/tests/impls/gen_object_detector_blackbox_sal/test_occlusion_based.py
@@ -17,7 +17,7 @@ class TestPerturbationOcclusion:
     def teardown(self) -> None:
         # Collect any temporary implementations so they are not returned during
         # later `*.get_impl()` requests.
-        gc.collect()
+        gc.collect()  # pragma: no cover
 
     def test_configuration(self) -> None:
         """