-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Figure out a way to update only the vulnerable deps #66
Comments
Keep in mind that sometimes, fixing the vulnerable dep requires bumping
something as well (either a dep of the vulnerable dep, or the inverse).
…On Wed, Nov 1, 2023 at 2:12 PM William Woodruff ***@***.***> wrote:
We currently bump all resources just to get at a single vulnerable
dependency, which (1) produces large diffs and (2) introduces risks of
breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by
using constraints files
<https://pip.pypa.io/en/stable/user_guide/#constraints-files>?
—
Reply to this email directly, view it on GitHub
<#66>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBHGSS4ITHI2MTN2RRTYCK3LNAVCNFSM6AAAAAA6Z4S3PKVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE3TGMJSGA3DSOA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
Ah yeah, good point. Blindly using constraints would probably then cause us to miss some upgrades. I'll think about this some more. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
This is still active.
…On Thu, Jun 13, 2024 at 8:19 PM github-actions[bot] ***@***.***> wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?
The text was updated successfully, but these errors were encountered: