Open woodruffw opened 10 months ago
Keep in mind that sometimes, fixing the vulnerable dep requires bumping something as well (either a dep of the vulnerable dep, or the inverse).
On Wed, Nov 1, 2023 at 2:12 PM William Woodruff @.***> wrote:
We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by using constraints files https://pip.pypa.io/en/stable/user_guide/#constraints-files?
— Reply to this email directly or view it on GitHub: https://github.com/Homebrew/brew-pip-audit/issues/66
Ah yeah, good point. Blindly using constraints would probably then cause us to miss some upgrades. I'll think about this some more.
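The trade-off discussed above (freeze everything except the vulnerable package, but release any pin that the fixed version can no longer live with) can be made mechanical. This is an added example, not code from brew-pip-audit; the pinned resources and the per-version requirement metadata are constructed samples, and a real implementation would read the requirements from the package's published metadata.

```python
import re

# Constructed sample: the currently pinned resources of a hypothetical formula.
PINS = {"requests": "2.28.0", "urllib3": "1.26.5", "certifi": "2022.12.7", "idna": "3.4"}

# Constructed sample: requirements declared by each (package, version) we may move to.
REQUIRES = {
    ("requests", "2.31.0"): ["urllib3>=1.26.14", "certifi>=2017.4.17", "idna>=2.5"],
}

_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)$")


def _vtuple(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(pinned, op, wanted):
    """True if the pinned version meets a single comparison requirement."""
    a, b = _vtuple(pinned), _vtuple(wanted)
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, ">": a > b, "<": a < b}[op]


def plan_bump(pins, requires, upgrade):
    """upgrade maps each vulnerable package to the version that fixes it.

    Returns (constraints, released): constraints are the 'name==version' lines
    to write into a pip constraints file so every untouched resource stays put;
    released are the pins dropped because a bumped package no longer accepts
    the old pin, so the resolver is free to move them as well."""
    released = set(upgrade)
    queue = list(upgrade.items())
    while queue:
        name, version = queue.pop()
        for req in requires.get((name, version), []):
            match = _REQ.fullmatch(req.strip())
            if not match:
                raise ValueError(f"unsupported requirement syntax: {req!r}")
            dep, op, wanted = match.groups()
            if dep in pins and dep not in released and not satisfies(pins[dep], op, wanted):
                released.add(dep)  # old pin would block the fix: let it float
    constraints = [f"{n}=={v}" for n, v in sorted(pins.items()) if n not in released]
    return constraints, released


if __name__ == "__main__":
    print(plan_bump(PINS, REQUIRES, {"requests": "2.31.0"}))
```

With the sample data, upgrading requests releases urllib3 too (its old pin is below the new minimum) while certifi and idna remain constrained.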
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This is still active.
On Thu, Jun 13, 2024 at 8:19 PM github-actions[bot] @.***> wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?