Remove dependency on future #2063

AndreasBergmeier6176 · 2023-01-09T14:19:40Z

🐛 Describe the bug

There is an advisory due to the future package: GHSA-v3c5-jqr6-7qm8
It seems to me like the future package serves no purpose anymore. See discussion in PythonCharmers/python-future#612.
Is it possible to solve the security problem by just removing the dependency on future and doing a new serve release?

In our project executing poetry show --tree --why future we get the output:

torchserve 0.6.1 TorchServe is a tool for serving neural net models for inference
└── future *

Error logs

See above links.

Installation instructions

poetry

Model Packaing

NA

config.properties

NA

Versions

0.6.1

Repro instructions

NA

Possible Solution

Perhaps remove future line from dependencies.

The text was updated successfully, but these errors were encountered:

msaroufim · 2023-01-09T23:17:33Z

Yeah this makes sense, we are doing a security centric release next so this is timely

msaroufim added security triaged Issue has been reviewed and triaged labels Jan 9, 2023

msaroufim assigned namannandan Jan 13, 2023

namannandan mentioned this issue Jan 19, 2023

Deprecate future package and drop Python2 support #2082

Merged

9 tasks

namannandan closed this as completed Jan 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove dependency on future #2063

Remove dependency on future #2063

AndreasBergmeier6176 commented Jan 9, 2023

msaroufim commented Jan 9, 2023

Remove dependency on future #2063

Remove dependency on future #2063

Comments

AndreasBergmeier6176 commented Jan 9, 2023

🐛 Describe the bug

Error logs

Installation instructions

Model Packaing

config.properties

Versions

Repro instructions

Possible Solution

msaroufim commented Jan 9, 2023