Bump Dependencies to Fix Security Issues (#1208)

* bump dependencies * modify mypy * fix unstructured * new poetry lock * hold back onnx * improve comment
aryn-ai · Mar 5, 2025 · e571919 · e571919
1 parent 88e991b
commit e571919
Show file tree

Hide file tree

Showing 13 changed files with 10,569 additions and 8,665 deletions.
diff --git a/apps/integration/poetry.lock b/apps/integration/poetry.lock
diff --git a/apps/integration/pyproject.toml b/apps/integration/pyproject.toml
@@ -7,7 +7,7 @@ license = "Apache 2.0"
 readme = "README.md"
 
 [tool.poetry.dependencies]
-python = ">=3.9,<3.13"
+python = ">=3.9.2,<3.13"
 docker = "^7.0.0"
 pytest = "7.4.0"
 opensearch-py = "^2.5.0"

diff --git a/apps/jupyter/poetry.lock b/apps/jupyter/poetry.lock
diff --git a/apps/jupyter/pyproject.toml b/apps/jupyter/pyproject.toml
@@ -7,7 +7,7 @@ readme = "README.md"
 repository = "https://github.com/aryn-ai/sycamore.git"
 
 [tool.poetry.dependencies]
-python = ">=3.9,<3.13"
+python = ">=3.9.2,<3.13"
 sycamore-ai = {extras = ["opensearch"], version = "^0.1.30"}
 
 jupyterlab = "^4.0.11"

diff --git a/lib/aryn-sdk/poetry.lock b/lib/aryn-sdk/poetry.lock
diff --git a/lib/poetry-lock/poetry.lock b/lib/poetry-lock/poetry.lock
diff --git a/lib/poetry-lock/pyproject.toml b/lib/poetry-lock/pyproject.toml
@@ -7,7 +7,7 @@ readme = "README.md"
 repository = "https://github.com/aryn-ai/sycamore.git"
 
 [tool.poetry.dependencies]
-python = ">=3.9,<3.13"
+python = ">=3.9.2,<3.13"
 # required older version
 protobuf = "4.25.3"   # rps
 fsspec = "2024.2.0"   # sycamore (via datasets)
@@ -25,6 +25,7 @@ weaviate-client = "4.6.4" # Failes typechecking with 4.7.0
 scipy = "1.13.1" 
 networkx = "3.2.1"
 ipython = "8.18.1"
+onnxruntime = "1.19.0" # Required by unstructured
 
 # Package versions from being yanked
 matplotlib = "3.9.0"
@@ -35,6 +36,9 @@ nltk = ">3.9.0"
 #requests = ">=2.32.0"
 scrapy = ">=2.11.2"
 jinja2 = ">=3.1.5"
+cryptography = ">=44.0.1"
+tornado = "^6.4.2"
+pillow = "^11.1.0"
 # black = ">=24.3.0"
 
 [build-system]

diff --git a/lib/sycamore/poetry.lock b/lib/sycamore/poetry.lock
diff --git a/lib/sycamore/pyproject.toml b/lib/sycamore/pyproject.toml
@@ -13,7 +13,7 @@ packages = [{ include = "sycamore" }]
 "Documentation" = "https://sycamore.readthedocs.io"
 
 [tool.poetry.dependencies]
-python = ">=3.9,<3.13"
+python = ">=3.9.2,<3.13"
 
 pandas = "^2.1.1"
 pdf2image = "^1.16.3"
@@ -81,7 +81,7 @@ torchvision = { version = "^0.18.1", optional = true }
 transformers = { version = "^4.43.1", optional = true }
 
 # Legacy partitioner dependencies
-unstructured = { version = "0.10.20", optional = true }
+unstructured = { version = "^0.16.2", extras=["pdf"], optional = true }
 python-pptx = {version = "^0.6.22", optional = true }
 nanoid = "^2.0.0"
 nltk = { version = "^3.9.0", optional = true }

diff --git a/lib/sycamore/sycamore/materialize.py b/lib/sycamore/sycamore/materialize.py
@@ -10,7 +10,7 @@
 from sycamore.transforms.base import rename
 
 if TYPE_CHECKING:
-    from ray import Dataset
+    from ray.data import Dataset
     import pyarrow
 
 

diff --git a/lib/sycamore/sycamore/plan_nodes.py b/lib/sycamore/sycamore/plan_nodes.py
@@ -3,7 +3,7 @@
 from typing import Callable, Optional, TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from ray import Dataset
+    from ray.data import Dataset
     from sycamore.context import Context
 
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -15,7 +15,8 @@ repository = "https://github.com/aryn-ai/sycamore.git"
 
 [tool.poetry.dependencies]
 # streamlit in query-ui disallows 3.9.7
-python = ">=3.9,<3.9.7 || >3.9.7,<3.13"
+# cryptography in sycamore-ai disallows 3.9.1, 3.9.0, need >44.0.1 due to CVE-2024-12797: https://github.com/aryn-ai/sycamore/security/dependabot/327
+python = ">=3.9.2,<3.9.7 || >3.9.7,<3.13"
 
 sycamore-ai = "^0.1.13"