NatLibFi / Annif

Annif is a multi-algorithm automated subject indexing tool for libraries, archives and museums.
https://annif.org

Create `SECURITY.md` #751

Closed. juhoinkinen closed this 5 months ago

juhoinkinen commented 7 months ago

It is good practice to explain how to report vulnerabilities, which is what the SECURITY.md file is for.

~I have worded this in SECURITY.md file:~ ~> However, the dependencies of a given Annif release are pinned only on minor version level~

~But this is actually not true;~ [Edited this part to include a true statement.] There are the following patch-level version pinnings:

Right now I don't remember why they are pinned to patch level. Need to check that. It would be good if all (security) patches of dependencies could be applied without the need to update the Annif version. Do some of these dependencies have a backward compatibility policy that conflicts with Annif's policy?

~Also reword the bottom list.~ [Done.]

Also, at the moment the Annif repo has Security advisories enabled (I enabled it when looking at this security reporting a while ago), which allows anyone to give a report by navigating to the Security tab in this repo. Having two reporting ways (the finto-posti email and this reporting) can be confusing, so maybe the Security advisories functionality should be disabled.

juhoinkinen commented 7 months ago

I don't see a reason to have patch-level pinning of dependencies. I propose to pin only the minor version levels:

This should be done in a separate PR/issue, possibly with the issue #747.

juhoinkinen commented 7 months ago

Gunicorn is about to set up a security policy too, either via SECURITY.md or the Security advisories / Private Vulnerability Reporting: https://github.com/benoitc/gunicorn/issues/3106

We could wait and see what their solution will be.

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (a501e53) 99.67% compared to head (f4046c2) 99.67%. Report is 5 commits behind head on main.

:exclamation: Current head f4046c2 differs from the pull request's most recent head 058fd63. Consider uploading reports for the commit 058fd63 to get more accurate results.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #751   +/-   ##
=======================================
  Coverage   99.67%   99.67%
=======================================
  Files          89       89
  Lines        6404     6404
=======================================
  Hits         6383     6383
  Misses         21       21
```


juhoinkinen commented 5 months ago

I asked for a review from ChatGPT and addressed the good comments.

But this is actually not true; there are the following patch-level version pinnings:

  • connexion 2.14.2
  • fasttext 0.9.2
  • lmdb 1.4.1
  • yake 0.4.5

For this, I reworded the relevant part: "...note that most of the dependencies of a given Annif release are pinned only on minor version level...".
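The difference between the patch-level pins listed above and the minor-level pins proposed earlier in the thread is what each one admits without a new Annif release. The following is an added example, not Annif's own code or configuration: it evaluates PEP 440 requirement clauses (exact `==`, wildcard `==X.Y.*`, and compatible-release `~=`) against candidate releases. The four dependency names and pinned versions are the ones in the discussion; the "newer" release numbers are constructed for illustration and are not real releases.

```python
"""Patch-level versus minor-level dependency pins and what each one admits.

Added example, not Annif's code. The dependency names and pinned versions
come from the discussion; the "newer release" numbers are constructed.
Specifier semantics follow PEP 440 ('==', '==X.Y.*' wildcard, '~=').
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain dotted release string such as '2.14.2' into an int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Pin:
    """One requirement clause: 'name==2.14.2', 'name==2.14.*' or 'name~=2.14.0'."""

    name: str
    operator: str
    version: str

    @classmethod
    def parse(cls, spec: str) -> "Pin":
        for op in ("~=", "=="):
            if op in spec:
                name, version = spec.split(op, 1)
                return cls(name.strip(), op, version.strip())
        raise ValueError(f"unsupported specifier: {spec!r}")

    def allows(self, candidate: str) -> bool:
        have = parse_version(candidate)
        if self.operator == "==":
            if self.version.endswith(".*"):
                # Wildcard pin: any release sharing the prefix qualifies, so a
                # patch release is picked up without editing the requirement.
                prefix = parse_version(self.version[:-2])
                return have[: len(prefix)] == prefix
            # Exact pin: a patch release is blocked until the pin is edited
            # and a new release of the depending project is made.
            return have == parse_version(self.version)
        if self.operator == "~=":
            # Compatible release: '~=X.Y.Z' means '>=X.Y.Z, ==X.Y.*'. Note the
            # PEP 440 quirk that '~=X.Y' (two components) means '==X.*' and so
            # admits minor bumps too; use '~=X.Y.0' to stay in one minor series.
            want = parse_version(self.version)
            prefix = want[:-1]
            return have[: len(prefix)] == prefix and have >= want
        raise ValueError(f"unsupported operator: {self.operator!r}")


def audit(requirements: list[str], newest: dict[str, str]) -> dict[str, bool]:
    """Per dependency: True if the given newest release installs under the pin
    as written, False if the pin blocks it (a release of the pinning project
    would be needed to pick it up)."""
    result = {}
    for spec in requirements:
        pin = Pin.parse(spec)
        result[pin.name] = pin.allows(newest[pin.name])
    return result


# Patch-level pins as listed in the discussion.
PATCH_LEVEL_PINS = ["connexion==2.14.2", "fasttext==0.9.2", "lmdb==1.4.1", "yake==0.4.5"]
# The same dependencies pinned at minor level, as proposed in the thread.
MINOR_LEVEL_PINS = ["connexion==2.14.*", "fasttext==0.9.*", "lmdb==1.4.*", "yake==0.4.*"]
# Constructed "next patch release" numbers (not real releases).
NEWER_PATCH = {"connexion": "2.14.3", "fasttext": "0.9.3", "lmdb": "1.4.2", "yake": "0.4.6"}
# Constructed "next minor release" numbers (not real releases).
NEWER_MINOR = {"connexion": "2.15.0", "fasttext": "0.10.0", "lmdb": "1.5.0", "yake": "0.5.0"}

if __name__ == "__main__":
    print("patch-level pins admit newest patch:", audit(PATCH_LEVEL_PINS, NEWER_PATCH))
    print("minor-level pins admit newest patch:", audit(MINOR_LEVEL_PINS, NEWER_PATCH))
    print("minor-level pins admit next minor:  ", audit(MINOR_LEVEL_PINS, NEWER_MINOR))
```

Running it shows that the exact pins reject every constructed patch release, while the wildcard minor-level pins accept them and still reject the minor bumps, which is the property the thread is after: a dependency's security patch can reach users without a coordinated Annif release, while API-changing minor versions still need a deliberate update.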

sonarcloud[bot] commented 5 months ago

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication
