PyPi: Descarteslabs

CVE-2023-45803

Transitive

Safety vulnerability ID: 64830

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 17, 2023 Updated at May 09, 2024

Advisory

Descarteslabs version 3.0.0 has upgraded its urllib3 dependency to a newer version range, now requiring >=1.26.12 and <2. This update corrects the earlier version range of >=1.26.18,<2, and addresses security concerns linked to CVE-2023-45803.
https://github.com/descarteslabs/descarteslabs-python/commit/7ad8fd2aadc4c10799b19bd4637f56d867dbf374
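As an added illustration, not code from the advisory or the descarteslabs project: a small dependency audit that classifies whichever urllib3 a project resolved against the corrected pin (`>=1.26.18,<2`, as stated in the release notes below) versus the earlier floor (`>=1.26.12,<2`). The specifier and version parsing is hand-rolled and assumes plain `X.Y.Z` release versions; `audit_installed` reads the locally installed urllib3 via `importlib.metadata`.

```python
from importlib import metadata

# Requirement from the release notes (General section): urllib3>=1.26.18,<2.
FIXED_SPEC = ">=1.26.18,<2"
# Earlier floor named in the advisory; installs resolved under it can still be vulnerable.
OLD_SPEC = ">=1.26.12,<2"

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(text):
    """'X.Y.Z' -> comparable tuple of ints (assumption: plain release versions only)."""
    return tuple(int(part) for part in text.strip().split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of a >=/</== style specifier."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", "!=", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                n = max(len(v), len(bound))  # pad so "<2" compares as "<2.0.0"
                a, b = v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))
                if not _OPS[op](a, b):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True

def audit_urllib3(version):
    """Classify a resolved urllib3 version against the old and corrected pins."""
    if satisfies(version, FIXED_SPEC):
        return "ok"
    if satisfies(version, OLD_SPEC):
        return "vulnerable"  # allowed by the old floor, excluded by the fixed one
    return "outside-pin"  # 2.x or <1.26.12: not covered by either pin, check separately

def audit_installed():
    """Audit the urllib3 actually installed in this environment, if any."""
    try:
        return audit_urllib3(metadata.version("urllib3"))
    except metadata.PackageNotFoundError:
        return "not-installed"
    except ValueError:
        return "unparsed"  # pre-release or local version tags are outside this parser
```

A resolved version that comes back `vulnerable` is one the old pin accepted but the 3.0.0 pin rejects, which is the case this advisory is about.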

Affected package

descarteslabs

Latest version: 3.1.0

Descartes Labs Python Client

Affected versions

Fixed versions

Vulnerability changelog

Due to a number of breaking changes, the version has been bumped to 3.0.0. However, the vast majority
of typical use patterns in typical user code will not require changes. Please review the specifics
below.

Catalog

- The `tags` attributes on Catalog objects can now contain up to 32 elements, each up to 1000 characters long.
But why would you even want to go there?
- *Breaking Change*: Derived bands, never supported in the AWS environment and catalog products, have been
removed.
- The new `Blob.delete_many` method may be used to delete large numbers of blobs efficiently.
- The `Blob.get_or_create` method didn't allow supplying `storage_type`, `namespace`, or `name` parameters.
Now it works as expected, either returning a saved Blob from the Catalog, or an unsaved blob that
you can use to upload and save its data.
- Image methods `ndarray` and `download` no longer pass the image's default geocontext geometry as a cutline.
This is to avoid problems when trying to raster a complete single image in its native CRS and resolution
where imperfect geometries (due to a simplistic projection to EPSG:4326) can cause some boundary pixels
to be masked. When passing in an explicit `GeoContext` to these methods, consider whether any cutline
geometry is required or not, to avoid these issues.

Compute

- `Function` and `Job` objects now have a new `environment` attribute which can be used to define environment
variables for the jobs when they are run.
- *Breaking Change*: The `Function.map` method previously had no bound on how many jobs could be created at one time.
This led to operational problems with very large numbers of jobs. Now it submits jobs in batches (up to 1000
jobs per batch) to avoid request timeouts, and is more robust on retryable errors so that duplicate jobs are not
submitted accidentally. There is still no bound on how many jobs you may create with a single call to `Function.map`.
Additionally, since it is possible that some jobs may be successfully submitted, and others not, the return
value, while still behaving as a list of `Job`s, is now a `JobBulkCreateResult` object which has a `is_success`
and an `error` property which can be used to determine if all submissions were successful, what errors may
have occurred, and what jobs have actually been created. Only if the first batch fails hard will the method
raise an exception.
- The `Job.statistics` member is now typed as a `JobStatistics` object.
- The efficiency of deleting many jobs at once has been significantly improved using `Function.delete` and
`Function.delete_jobs`. It is still possible to encounter request timeouts with very large numbers of jobs;
workarounds are now documented in the API documentation for the `Function.delete_jobs` method.
- The `ComputeClient.check_credentials` method has been added, so that the client can determine if valid
user credentials have already been registered with the Compute service.

Vector

- The Vector client library, previously available as the `descarteslabs-vector` package on PyPI, has
now been integrated into the Descartes Labs Python Client (this package). It should no longer be
installed separately.
- Visualization support (`ipyleaflet.Map`) is enabled when `ipyleaflet` is available. It is not
installed by default, but can be installed manually, or by installing the `descarteslabs` python
client with the `viz` extra (e.g. `pip install descarteslabs[viz]`). Note that in order to be
compatible with jupyterlab notebooks, the `visualize()` method no longer returns the layer, it
just adds it to the supplied map.
- The Vector package now has a `VectorClient` API client, with the usual support for `get_default_client()`
and `set_default_client()`. Most constructors and methods now accept an optional `client=` parameter
if you need to use something other than the default client.
- Configuration is now accomplished using the standard `descarteslabs.config` package. In particular,
the `vector_url` setting is used to specify the default Vector host. The `VECTOR_API_HOST` environment
variable is no longer consulted.
- Vector client methods now raise standard `descarteslabs.exceptions` Exception classes rather than
the `descarteslabs.vector.vector_exceptions` classes of the old client.
- The `is_spatial=` parameter previously accepted by many methods and functions is now deprecated
and ignored. It is not required because existing type information always determines if an operation
is spatial or not. Warnings will be generated if it is used.
- Be advised that feature upload and download (query) do not currently support or impose any limits,
and thus allow operations so large and slow that timeouts or other failures may occur. A future
version will implement limits and batching, so that large operations can be supported reliably.
Until then, the user may wish to implement their own batching where possible to avoid encountering
network limits and timeouts.

General

- The old client version v1.12.1 is reaching end of life and will no longer be supported as of February 2024.
You can expect the version to stop working at any point after that as legacy backend support is turned off.
- *Breaking Change*: The deprecated `Scenes` client API has been removed.
- *Breaking Change*: The deprecated `Metadata` client API has been removed.
- The minimum required version of `urllib3` has been bumped to 1.26.18 to address a security vulnerability.
- The minimum required version of `shapely` has been bumped to 2.0.0 to address thread safety issues.
- Python 3.7, formerly deprecated, is no longer supported.
- Python 3.12 is not yet officially supported due to the lack of support from `blosc`. However, if you
are able to provide a functional `blosc` on your own, then 3.12 should work.
- Urllib3 2.X is now supported.
- Geopandas, Pydantic, and PyArrow have been added as core dependencies to support the Vector client.
- For those users of the `clear_client_state` function (not common), the bands cache for the Catalog client
is now cleared also.

(note that these release notes are duplicated from the non-public v3.0.0rc0)


Severity Details

CVSS Base Score: MEDIUM 4.2

CVSS v3 Details
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE