CVE-2024-5206 - Scikit-learn minimum version #91
Comments
If it's as 'simple' as updating the minimum version in the min-dependencies and pyproject.toml, and removing py3.8 references (or if there's more to consider and someone can point me in the direction of what else that might be) I'd be happy to make a PR.
Thanks for raising this issue -- a PR is very welcome! You're spot on about what's needed to update the minimum version and removing Python 3.8 references/support. The one additional task would be to clean up backward-compatible code that supported older versions of scikit-learn. There are a number of details here, so I'd be happy to lend a hand as well. But this includes the documentation (here), the model parameters (here, here, and here), the docstrings (here and here), the parse version try-except (here), and the parameter validation check (here) along with the corresponding conditionals, since it should now always import successfully.
I opened a PR. A couple of things I came across:
Let me know what your thoughts are.
Ah, thanks for the note on the build issues. One problem here is that CONTRIBUTING.md is out-of-date; I have been keeping the development instructions updated in the documentation here. That said, you may still be right that including additional instructions for setting up a dev environment would be helpful. Thanks for pointing out the issues here, the instructions should be updated and consolidated.
No worries. Your test coverage is inspirational.
Currently, the minimum version for scikit-learn is set to 1.0, and it would need to be set to 1.5 in order to mitigate the vulnerability in CVE-2024-5206. The latest version of sklearn is 1.5.2, which no longer supports Python 3.8, but that's nigh end of life.
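The issue body and the comments above turn on a minimum-version gate: a project declares `scikit-learn>=1.5` and checks the installed release at import time so that a vulnerable dependency is refused rather than silently used. The following is an added example of such a gate, not code from the project or its PR. It uses only the standard library (so it does not depend on `packaging`), compares release segments numerically rather than as strings, treats pre-releases of the minimum as not satisfying it, and raises an `ImportError` with an actionable message. The `1.5` floor and the CVE number come from the issue; the helper names and the `scikit-learn` distribution name used for the metadata lookup are this example's own assumptions.

```python
"""Minimum-version gate for a dependency (added example; not the project's code)."""
from __future__ import annotations

import re
from importlib import metadata

# Minimum scikit-learn release that carries the fix for CVE-2024-5206 (per the issue)
MIN_SKLEARN_VERSION = "1.5"

# Release segment (e.g. "1.5.2") followed by whatever remains ("rc1", "+cpu", ".post1", ...)
_VERSION_RE = re.compile(r"^\s*v?(?P<release>\d+(?:\.\d+)*)(?P<rest>.*)$")
# A remainder that starts with a pre-release / dev marker; "+local" and ".postN" do not match
_PRE_RE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.IGNORECASE)


def version_key(version: str) -> tuple[tuple[int, ...], bool]:
    """Split a version string into (release tuple, is_final).

    '1.5.2'     -> ((1, 5, 2), True)
    '1.5.0rc1'  -> ((1, 5, 0), False)   pre-release of 1.5.0
    '1.5.2+cpu' -> ((1, 5, 2), True)    local label does not make it a pre-release
    Raises ValueError for strings with no leading numeric release segment.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparsable version string: {version!r}")
    release = tuple(int(part) for part in match.group("release").split("."))
    is_final = _PRE_RE.match(match.group("rest")) is None
    return release, is_final


def meets_minimum(installed: str, minimum: str = MIN_SKLEARN_VERSION) -> bool:
    """True if installed >= minimum.

    Release tuples are zero-padded to equal length so '1.5' == '1.5.0', and
    compared numerically so '1.10' > '1.5' (a string comparison gets that wrong).
    A pre-release of exactly the minimum release ('1.5.0rc1' vs '1.5') is rejected.
    """
    rel_a, final_a = version_key(installed)
    rel_b, final_b = version_key(minimum)
    width = max(len(rel_a), len(rel_b))
    rel_a += (0,) * (width - len(rel_a))
    rel_b += (0,) * (width - len(rel_b))
    return (rel_a, final_a) >= (rel_b, final_b)


def check_sklearn(minimum: str = MIN_SKLEARN_VERSION) -> str:
    """Return the installed scikit-learn version if it satisfies the minimum.

    Raises ImportError (the exception callers of an import-time check expect)
    when the distribution is missing or too old.
    """
    try:
        installed = metadata.version("scikit-learn")  # distribution name assumed
    except metadata.PackageNotFoundError as exc:
        raise ImportError(f"scikit-learn>={minimum} is required but is not installed") from exc
    if not meets_minimum(installed, minimum):
        raise ImportError(
            f"scikit-learn>={minimum} is required (found {installed}); "
            f"upgrade to pick up the fix for CVE-2024-5206"
        )
    return installed


if __name__ == "__main__":
    print("scikit-learn", check_sklearn(), "satisfies >=", MIN_SKLEARN_VERSION)
```

Once the declared floor in `pyproject.toml` is raised to `scikit-learn>=1.5`, a gate like this becomes the single place that fails loudly if an environment was built against an older pin; the try/except around parsing the version that the second comment mentions can then be dropped, since every supported release parses the same way.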