Homebrew / brew-pip-audit

:clipboard: Bulk auditing Python dependencies in Homebrew with pip-audit
BSD 2-Clause "Simplified" License

Figure out a way to update only the vulnerable deps #66

Open woodruffw opened 10 months ago

woodruffw commented 10 months ago

We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.

We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?

alex commented 10 months ago

Keep in mind that sometimes, fixing the vulnerable dep requires bumping something as well (either a dep of the vulnerable dep, or the inverse).


woodruffw commented 10 months ago

Ah yeah, good point. Blindly using constraints would probably then cause us to miss some upgrades. I'll think about this some more.
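The constraints-file idea sketched above, as an added example (this is not brew-pip-audit's code, and the JSON shape follows my reading of `pip-audit -f json` output; the sample audit result and its vulnerability id are constructed placeholders). Every clean package is pinned to its current version, each vulnerable package gets a lower bound at the oldest version that fixes all of its reported vulnerabilities, and any name passed in `relax` is left unconstrained so pip may move it, which is the lever for the case alex raises where the fix also needs a neighbouring dependency bumped.

```python
import json

# Constructed sample in the shape of `pip-audit -f json` output.
# Not a real audit result; the vulnerability id is a placeholder.
SAMPLE_AUDIT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.28.0",
         "vulns": [{"id": "PLACEHOLDER-0001",
                    "fix_versions": ["2.31.0", "2.30.0"]}]},
        {"name": "urllib3", "version": "1.26.5", "vulns": []},
        {"name": "certifi", "version": "2023.7.22", "vulns": []},
    ]
})


def _version_key(version):
    # Crude numeric sort key for dotted versions ("2.30.0" -> (2, 30, 0)).
    # Good enough for the common case; a real tool would use
    # packaging.version.Version, which handles pre-releases and epochs.
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_constraints(audit_json, relax=()):
    """Return pip constraints text built from a pip-audit JSON report.

    - clean packages:      pinned to their current version (name==ver)
    - vulnerable packages: lower bound at the oldest release that fixes
                           every reported vuln (name>=ver); left
                           unconstrained if no fix version is known
    - names in `relax`:    omitted entirely, so pip may change them
    """
    relax = {name.lower() for name in relax}
    lines = []
    for dep in json.loads(audit_json)["dependencies"]:
        name = dep["name"].lower()
        if name in relax:
            continue
        vulns = dep.get("vulns", [])
        if not vulns:
            lines.append(f"{name}=={dep['version']}")
            continue
        # For each vuln take its oldest fix, then require the newest of
        # those so that a single bound clears all vulns at once.
        per_vuln_fix = [
            min(v["fix_versions"], key=_version_key)
            for v in vulns if v.get("fix_versions")
        ]
        if per_vuln_fix:
            lines.append(f"{name}>={max(per_vuln_fix, key=_version_key)}")
    return "\n".join(sorted(lines)) + "\n"


if __name__ == "__main__":
    # Write the file and feed it to pip alongside the usual requirements:
    #   pip install -c constraints.txt -r requirements.txt
    with open("constraints.txt", "w") as fh:
        fh.write(build_constraints(SAMPLE_AUDIT))
    print(build_constraints(SAMPLE_AUDIT))
```

If pip's resolver reports a conflict with the generated file, that is the signal for alex's case: the fixed release of the vulnerable package needs one of the pinned neighbours moved too. Re-running `build_constraints` with that neighbour's name in `relax` drops only its pin, keeping the diff to the packages that actually had to change.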

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

alex commented 2 months ago

This is still active.
