Accelerate release of 0.55 to no longer depend on versions of numpy with buffer overflow #7731

Closed
trimeta opened this issue Jan 12, 2022 · 4 comments
Comments

@trimeta

trimeta commented Jan 12, 2022

From versions 1.9.0 through 1.20, numpy had a buffer overflow: numpy/numpy#18939. This was fixed in numpy 1.21. numba supports numpy 1.21, per #7483; however, this support is only in version 0.55RC: it is not in 0.54.1, the latest released version at the time of submitting this issue. As of six days ago, GitHub has begun to open security alerts on all repos which depend on versions of numpy less than 1.21. However, if those repos also depend on (or expect at least some of their users to use) numba, they cannot fix this by upgrading their minimum numpy version to 1.21. The solution would be to release numba 0.55 quickly, since that will automatically solve this problem.
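The dependency conflict described in this issue (a dependant's version pin can exclude every fixed release of a vulnerable package) can be checked mechanically. The script below is an added example, not code from the numba project or from anyone in this thread: it models the affected numpy range the thread states (1.9.0 up to but not including 1.21) and asks, for each candidate version of a dependant, whether any numpy release both satisfies that version's pin and lies outside the affected range. The numba-to-numpy constraint strings and the list of numpy releases in it are constructed for illustration and are not numba's or numpy's real metadata; the names `satisfies`, `audit` and `lowest_fixed_dependant` are the example's own.

```python
"""
Dependency-constraint audit for a vulnerable transitive dependency.

Added example; not code from the numba project or from this issue thread.
It models the situation the issue describes: numpy releases with
1.9.0 <= v < 1.21 are affected by numpy/numpy#18939, and a dependant
(numba) may pin numpy to a range that excludes every fixed release.
The constraint strings and the release list below are CONSTRUCTED for
illustration, not copied from numba's or numpy's real metadata.
"""
import re

# Affected numpy range as stated in the issue: fixed in 1.21.
AFFECTED_NUMPY = ">=1.9.0,<1.21"

# CONSTRUCTED numpy constraints per numba version (hypothetical values).
NUMBA_NUMPY_SPECS = {
    "0.54.1": ">=1.17,<1.21",
    "0.55.0": ">=1.18,<1.22",
}

# CONSTRUCTED list of numpy releases a package index might offer.
NUMPY_RELEASES = ["1.8.2", "1.17.5", "1.19.5", "1.20.3", "1.21.5"]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(text):
    """Map '1.20.3' to (1, 20, 3); missing components are zero-filled.

    Pre-release suffixes such as 'rc1' are ignored, a deliberate
    simplification compared with PEP 440 ordering.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for raw in specifier.split(","):
        match = _CLAUSE.match(raw.strip())
        if not match:
            raise ValueError(f"unsupported clause: {raw!r}")
        op, target = match.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def numpy_is_affected(version):
    """True if this numpy release falls inside the affected range."""
    return satisfies(version, AFFECTED_NUMPY)


def audit(dependant_specs, numpy_releases):
    """For each dependant version, list the numpy releases that satisfy its
    constraint AND are outside the affected range. An empty list means that
    version of the dependant forces users onto an affected numpy."""
    return {
        dep: [n for n in numpy_releases
              if satisfies(n, spec) and not numpy_is_affected(n)]
        for dep, spec in dependant_specs.items()
    }


def lowest_fixed_dependant(audit_result):
    """Smallest dependant version that admits at least one safe numpy, or None."""
    ok = [d for d, safe in audit_result.items() if safe]
    return min(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    report = audit(NUMBA_NUMPY_SPECS, NUMPY_RELEASES)
    for dep, safe in sorted(report.items(), key=lambda kv: parse_version(kv[0])):
        status = "OK" if safe else "BLOCKED (only affected numpy satisfies pin)"
        print(f"numba {dep}: {status} {safe}")
    print("first numba version usable with a fixed numpy:",
          lowest_fixed_dependant(report))
```

With the constructed data, the 0.54.1 entry reports no safe numpy at all (every release its pin accepts is in the affected range), while 0.55.0 admits 1.21.5, which is the shape of the problem the issue raises: a GitHub alert on numpy cannot be resolved by bumping numpy alone until the dependant ships a release whose pin reaches a fixed version. Replace the constructed dictionaries with constraints read from real package metadata to run the same audit on an actual environment.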

@esc
Member

esc commented Jan 13, 2022

@trimeta thank you for asking about this. We are currently in the release candidate phase and hope to stabilize the 0.55 release as soon as feasible. As discussed during the developer meeting last Tuesday (https://github.com/numba/numba/wiki/Minutes_2022_01_11): the plan is to release 0.55.0 RC2 next week, Thursday 20th January 2022. However, this obviously depends on first solving all issues in:

https://github.com/numba/numba/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Numba+0.55+RC2%22

After the RC2 it depends. If everything goes well, we can release a week or two later. If there are more release critical bugs however, those will have to be fixed first.

It is somewhat unfortunate that this Numpy issue confronts us right in the middle of a release phase. 0.55.0 will add some significant new features and support for previously unsupported versions of our upstream dependencies. So, we will want to ensure that the release candidates are well tested and I am very hesitant to "rush" anything out of the door.

If you would like to help accelerate the release please consider looking at the issues in the milestone above and see if you can contribute anything --- and/or help test the release candidate on your own hardware and projects as outlined here:

https://numba.discourse.group/t/numba-0-55-0-rc1/1075

Thank you in advance for your understanding and patience!

@seibert
Contributor

seibert commented Jan 13, 2022

The team talked this over, and we're going to truncate the release candidate cycle for 0.55.0 and get it released ASAP with the handful of known issues. There will be a 0.55.1 release shortly thereafter that addresses the remaining items in the 0.55 backlog.

@seibert
Contributor

seibert commented Jan 13, 2022

(Also, thanks for raising this issue with us, as I don't think we initially appreciated the downstream impact of the NumPy CVE.)

@seibert
Contributor

seibert commented Jan 14, 2022

Numba 0.55.0 (and corresponding llvmlite 0.38.0) has been released on PyPI. Conda packages are available in the numba channel now, and Anaconda / conda-forge will likely update in the coming week.

@seibert seibert closed this as completed Jan 14, 2022