-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support PyYAML up to 5.x version #6623
Conversation
Please sign your commits following these rules: $ git clone -b "yaml_upgrade" [email protected]:GeyseR/compose.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f Amending updates the existing PR. You DO NOT need to open a new one. |
Any thoughts? |
Do you think those issues are critical for the compose project? In the PR description, I've added an explanation of why we can allow 5.1 without any breakage of the compose functionality. |
Taking a more in depth look:
We use this in a couple of places so we should move to
That is worrying as we support Python 2.7. Thank you for this PR and for taking the time to investigate this properly. Given the Python 2.7 issue though, I think it's best to hold off until pyyaml 5.2. |
|
Thank you!
Since you've done the work of moving to |
Fixes security issues with Jinja2, urllib3, pyyaml. Raises an error when installing pyyaml==5.1 due to pinned constraints in docker-compose and aws-cli. AWS-cli has issues w pyyaml 5 dropping support for python 2.6 aws/aws-cli#3828 Docker compose is still waiting on some issues w unicode support in pyyaml 5.1, but this doesn't affect us. docker/compose#6623
Unless I'm missing something, the Python 2 issue is not relevant here. Since the package code already uses Thank you for being cautious and careful! EDIT: |
although that seems to only be broken in compose/contrib/migration/migrate-compose-file-v1-to-v2.py Lines 136 to 142 in 75d5eb0
|
ah, no there's a dump here: compose/compose/config/serialize.py Lines 105 to 112 in 75d5eb0
|
@GeyseR can you rebase this against latest master to address the conflicts? My vote for getting this into 1.25 (rather than 1.26). |
There is one more call to --- a/contrib/migration/migrate-compose-file-v1-to-v2.py
+++ b/contrib/migration/migrate-compose-file-v1-to-v2.py
@@ -19,7 +19,7 @@ log = logging.getLogger('migrate')
def migrate(content):
- data = ruamel.yaml.load(content, ruamel.yaml.RoundTripLoader)
+ data = ruamel.yaml.safe_load(content, ruamel.yaml.RoundTripLoader)
service_names = data.keys()
|
Hey @hartwork
compose uses ruamel's RoundTripLoader for loading files, that uses RoundTripConstructor that in turn inherits from SafeConstructor. So we should be ok there. |
rebased on current master |
@rumpl will this make it for 1.25.1? (eg py2 supported) |
@ulyssessouza how many reviewers are required for a PR? |
@graingert A PR normally needs the approval of 2 maintainers. This PR will get merged just after The reason is that I'm very sorry to have a PR that LGTM not merged for that long but we are working on "cleaning the house" to get better workflows. |
@ulyssessouza will it make a 1.25.x release? Eg py2 still supported? |
@graingert Probably not |
So Python3 would work with PyYAML 5.x? Would it help to use environment markers and provide different PyYAML requirement for python 2.7 and 3.x? So in
would be like
There are other choises of comparisons, but that should work for existing and future versions. I am a little impatient as I am fighting now to use two libraries at the same time where other requires PyYAML 5. I regret moving to Pipenv as I find no way to tell it to ignore this requires-dist that does not affect our use. |
There would be no point in doing that because this PR provides pyaml 3.10 to 6 support for both py2 and py3 |
Python2 will be dropped in version 1.26.0 anyways. Check #7031 |
This pr is compatible with a v1.25.x release though |
Just squash the commits and that's good for me |
@GeyseR this will also need a rebase to deal with the conflicts in requirements.txt @ulyssessouza if you merge PRs that manually change requirements.txt and therefore conflict with dependabot PRs dependabot will automatically rebase to fix the conflicts, this way you don't have to wait for a human to resolve the conflicts |
I know. I do not disrespects this PR. If this PR is really going in now, I am happy, but I was maybe unclear in asking if another PR could go in while waiting for this. docker-compose can not be currently installed with some other libraries. It is a blocker, and a partial solution would be better than keeping those unaffected waiting. |
There is no partial solution that is py3 only, the code change in this PR is required to support pyyaml~=5.2 on either py3 or py2 |
@GeyseR can you rebase and squash everything into 1 commit? |
Signed-off-by: Sergey Fursov <[email protected]>
@graingert @ulyssessouza I've squashed commits and rebased changes against the actual master branch |
Thank you all and specially @GeyseR for the patience! |
@ulyssessouza great stuff! Do you know when the next release will be? |
That will be 1.26.0 for sure but for the when, that depends on the advancement on the CI rework |
@ulyssessouza I see docker-compose==1.25.2rc2 has |
@hartwork awesome I'm upgrading everywhere now! |
Resolves #6619
The yaml/pyyaml#265 ticket in the original PyYAML mention several backward-incompatible changes in v.5.1:
default_flow_style
argument toFalse
Also, in the same ticket author suggests waiting for the next release if the project uses
yaml.add_constructor
,YAMLObject
,from_yaml
,to_yaml
, which seems unrelated to the docker-compose project.