add bottom pin for gitpython

[bollwyvl]

References

• walks back (parts of) #296/#297
• https://github.com/conda-forge/conda-lock-feedstock/pull/39#pullrequestreview-1252081067

Changes

• [x] restore gitpython as a hard dep
  • [x] adds bottom pin to avoid CVE-2022-24439
• [ ] remove the lazy import

  • kind of inclined to keep it lazy

Alternatives

• keep this as an optional dependency, as it's a relatively niche metadata option that incurs three additional dependencies

[netlify[bot]]

✅ Deploy Preview for conda-lock ready!

Name	Link
🔨 Latest commit	ebaf1de8d36deb7697a05bb28c1bf131d665c454
🔍 Latest deploy log	https://app.netlify.com/sites/conda-lock/deploys/63c6dd88ef686d00085c3b1f
😎 Deploy Preview	https://deploy-preview-318--conda-lock.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[mariusvniekerk]

Do we need to wait for the CVE to be reported as fixed?

[bollwyvl]

Do we need to wait for the CVE to be reported as fixed?

Yeah, I guess to close the loop, it probably makes sense to wait for updated findings.

[maresb]

This was modified on Feb 6th to have an up to (excluding) pin:

I'm guessing this makes it ready to merge?

BTW, since we have a sensible error message, I'm not opposed to the alternative of keeping gitpython optional.

[netlify[bot]]

✅ Deploy Preview for conda-lock ready!

Name	Link
🔨 Latest commit	f51f6b315b0a3c3118f3b956c7823a0a357a3cc2
🔍 Latest deploy log	https://app.netlify.com/sites/conda-lock/deploys/63eeaf587d025700084c6c75
😎 Deploy Preview	https://deploy-preview-318--conda-lock.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.