⬆️ [#93] Upgrade django to 4.2.17 #94
0365e6a to fcffb5d
There are several dependencies of dependencies that have vulnerabilities (e.g. flower->tornado, django->jinja2), but since we don't explicitly pin them here, I guess will upgrade them in each project with
Now that I'm thinking about it, this does make this package feel kind of pointless. Should I maybe pin these dependencies to the latest security release in open-api-framework as well? I could put them under a separate section to indicate that they are dependencies of dependencies? What do you think @annashamray?
Do you want to put them into optional dependencies?
I don't know if adding them to optional would be too useful right now, since they are already included implicitly (because we pin the dependency that installs it). Once we fix #67, they should be moved to the dependency group that installs that dependency though.
@stevenbal I agree, and it feels like we would be managing dependencies for external libraries. I'll approve this PR, but I'm not sure if we can effectively do something about django deps in OAF.
That's indeed why I'm hesitant to do it this way. I'll check whether the libraries that have affected dependencies can be upgraded to silence these issues; if not, I'll just upgrade them in the projects themselves.
Fixes #93 partially
TODO:
Changes