18F / tock

We use Tock to track and report our time at 18F
https://18f.gsa.gov/2015/05/21/TockingTime/

Workaround to override zope sub-dependency #1660

Closed edwintorres closed 1 year ago

edwintorres commented 1 year ago

Description

As mentioned in https://github.com/18F/tock/pull/1658#issuecomment-1682936443 a sub-dependency is raising a flag on Snyk review.

For the record, forcing a pass for the Snyk check since the vulnerability is in setuptools, which is already at the latest version -- indeed, the explicit fix is to pin setuptools to version 65.5.1; in other words, zope.event here is a false positive.

Introduced through zope.event@5.0
Fixed in setuptools@65.5.1

Tock uses pipenv, which does not provide a way to override that sub-dependency. But the maintainer offered a workaround.

This PR uses that workaround. A long-term fix to this issue could be the use of pyproject.toml, a new unified Python project settings file. But that option requires more exploratory work.
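The practical question behind the comment above is whether the lock file pipenv produced really does resolve setuptools at or above the version Snyk names as the fix; if it does, a finding reported "through" zope.event is indeed a false positive, and if setuptools is not pinned at all the finding is real. The script below is an added example, not code from the 18F/tock repository or from this PR: it reads a Pipfile.lock (a constructed sample is embedded inline), extracts the pin for setuptools, and compares it against 65.5.1. The file layout it assumes is pipenv's own ("default" and "develop" sections keyed by package name, each carrying a "version" pin such as "==68.2.2"); the 68.2.2 value in the sample is invented for illustration.

```python
"""Check a Pipfile.lock for a transitive pin that meets a fixed version.

Added example (not code from the 18F/tock repository): given the lock
file pipenv produced, confirm that setuptools is pinned at or above the
version Snyk reports as the fix (65.5.1), which is what makes a finding
reported "through" another package a false positive.
"""
import json
import re

FIXED_IN = "65.5.1"  # version Snyk reports as containing the fix

# Constructed sample lock file, trimmed to the fields this check reads.
# The setuptools version here is invented for the example.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "0" * 64}},
    "default": {
        "setuptools": {"version": "==68.2.2", "hashes": []},
        "zope.event": {"version": "==5.0", "hashes": []},
    },
    "develop": {},
})


def parse_version(spec):
    """Turn a pin such as '==65.5.1' into a comparable tuple of ints.

    Only the numeric release segment is handled; anything after it
    (pre-release or local tags) is ignored, which is enough for the
    exact pins a lock file contains.
    """
    m = re.match(r"^\s*==\s*v?(\d+(?:\.\d+)*)", spec)
    if not m:
        raise ValueError(f"unsupported pin: {spec!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pinned_version(lock_text, package):
    """Return the pin for `package` from the lock, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(package)
        if entry and "version" in entry:
            return entry["version"]
    return None


def meets_fix(lock_text, package="setuptools", fixed_in=FIXED_IN):
    """Return (ok, detail): does the lock pin `package` at >= fixed_in?"""
    pin = pinned_version(lock_text, package)
    if pin is None:
        # Not in the lock at all: the installed version is whatever the
        # base image or virtualenv provides, so nothing here guarantees
        # the fix is present. Treat as a real finding, not a false positive.
        return False, f"{package} is not pinned in Pipfile.lock"
    ok = parse_version(pin) >= parse_version("==" + fixed_in)
    return ok, f"{package} pinned at {pin}, fix in {fixed_in}"


if __name__ == "__main__":
    ok, detail = meets_fix(SAMPLE_LOCK)
    print(("PASS" if ok else "FAIL") + ": " + detail)
```

Run it against the repository's actual Pipfile.lock by replacing SAMPLE_LOCK with the file's contents; the "not pinned" branch is the one to watch, since a scanner that reports the path through zope.event cannot be dismissed unless the lock itself fixes the setuptools version.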

codecov-commenter commented 1 year ago

Codecov Report

Merging #1660 (6e8e811) into main (254be87) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1660   +/-   ##
=======================================
  Coverage   94.17%   94.17%           
=======================================
  Files          66       66           
  Lines        4158     4158           
=======================================
  Hits         3916     3916           
  Misses        242      242           
