Dependencies: update requirement pyyaml~=5.4

[sphuber]

Fixes #5059

Earlier versions have critical security flaws that have been fixed in
pyyaml==5.4. Note that plumpy also needs to be upgraded to 0.20.0
which adds support for this version of pyyaml.

The UnsafeLoader is replaced by the Loader which are identical, but
the former is only being kept as an alias for backwards compatibility
but it might be removed in future releases.

[codecov]

Codecov Report

Merging #5060 (e38811e) into develop (6b8cf46) will increase coverage by 0.01%.
The diff coverage is 100.00%.

❗ Current head e38811e differs from pull request most recent head 1e31e33. Consider uploading reports for the commit 1e31e33 to get more accurate results

@@             Coverage Diff             @@
##           develop    #5060      +/-   ##
===========================================
+ Coverage    80.24%   80.25%   +0.01%     
===========================================
  Files          515      515              
  Lines        36753    36753              
===========================================
+ Hits         29490    29491       +1     
+ Misses        7263     7262       -1     

Flag	Coverage Δ
django	74.73% <100.00%> (ø)
sqlalchemy	73.65% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
aiida/orm/utils/serialize.py	100.00% <100.00%> (ø)
aiida/transports/plugins/local.py	81.41% <0.00%> (-0.25%)	⬇️
aiida/engine/daemon/client.py	76.15% <0.00%> (+1.02%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6b8cf46...1e31e33. Read the comment docs.

[sphuber]

Tests are failing because of conda install which is waiting for this release: conda-forge/plumpy-feedstock#54

[csadorf]

Are we losing compatibility with the older versions? Otherwise it might be fine to leave this as is.

[sphuber]

This update was not so much for the compatibility, as it was to resolve critical security issues. The whole point of upgrading to 5.4 was that it fixes some critical safety problems and we shouldn't really use the older versions.

[csadorf]

I don't consider it our responsibility to force users to update 3rd party software as long as we don't prevent them from doing so due to our constraints.

That said, I'm fine with going ahead with this.

[sphuber]

Then what is the point of upgrading most of the requirements? Not trying to be snarky, really curious and trying to figure out if we should change our dependency management policy. We do this regularly, upping the minimum requirement, but I think that for many of the minor dependencies, we can just keep the lower level requirement and support a higher major version at the same time. Still we do this, but than surely we should definitely do this for upgrading minimum requirements for packages that pose potential security problems.

[csadorf]

There is in fact no point in updating our dependencies in this way in my opinion and if it is done in this way it is either not with my blessing or it was a mistake on my part.

We should make sure to update our requirements (the ones we test against and are specified in the requirements/*.txt files) and make sure that we are not incompatible with the latest versions, especially if those are fixing security fixes. Being compatible with PyYAML>5.1 was the primary point of this effort for me, not updating our dependency specification.

This policicy I've outlined would be in compliance with AEP 002 in my opinion.

[sphuber]

Just to come back to this, the reason why I thought what I described was the policy, is because that's what you did in these recent two commits: 6558c71 and 78ef633 In both you updated the minimum requirement in the setup.json. Was this because adding simultaneous support for the recent versions would have been to difficult?

[csadorf]

I think I had some reasoning when I made those changes (pytz uses calver and aldjemy was a major version bump), but the simple answer is that I simply didn't think it through when I made those changes.

[csadorf]

Could you also update

aiida-core/utils/requirements.txt

Line 3 in 6b8cf46

pyyaml==5.1.2

before merge, please?