Figure out a way to update only the vulnerable deps #66
Assignees
Comments
|
Keep in mind that sometimes, fixing the vulnerable dep requires bumping
something as well (either a dep of the vulnerable dep, or the inverse).
…On Wed, Nov 1, 2023 at 2:12 PM William Woodruff ***@***.***> wrote:
We currently bump all resources just to get at a single vulnerable
dependency, which (1) produces large diffs and (2) introduces risks of
breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by
using constraints files
<https://pip.pypa.io/en/stable/user_guide/#constraints-files>?
—
Reply to this email directly, view it on GitHub
<#66>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBHGSS4ITHI2MTN2RRTYCK3LNAVCNFSM6AAAAAA6Z4S3PKVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE3TGMJSGA3DSOA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
|
Ah yeah, good point. Blindly using constraints would probably then cause us to miss some upgrades. I'll think about this some more. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?
The text was updated successfully, but these errors were encountered: