fairnessforensics / wiggum

simpson's paradox inspired fairness forensics
https://fairnessforensics.github.io/wiggum/
MIT License

Trigger for requirements related management #165

Closed brownsarahm closed 4 years ago

brownsarahm commented 4 years ago

can we fix the pipfile, pipfile.lock and docker files so that we don't have to update so many separate places for security (and there's fewer separate copies of the notification) like could those be auto generated by travis from the requirements.txt maybe?

while working on this, can possibly address #163 as well

cegme commented 4 years ago

@brownsarahm @Shine226 When developing wiggum, if you need to install a new package have you been relying on the requirements.txt file? If you don't primarily use the Pipfile, I can make a dependency so when the requirements.txt file changes, the Pipfile and Pipfile.lock are updated.

cegme commented 4 years ago

I fixed the current security issue in commit 51d14b32d2d33add11282f069ead593274d71c81. I can add an action to update requirements and Pipfile when we establish a workflow.

brownsarahm commented 4 years ago

I use the requirements.txt. And, I've seen more success with the automatic PRs for security issues updating that file than the other two. (which I don't understand, but have experienced repeatedly.)

cegme commented 4 years ago

The Pipfile.lock generated diffs so I have to run a `pipenv lock` when changing version. If the lock file wasn't versioned security updates would probably be automatic. I don't think we need the lock unless there are strict version requirements or security concerns for Wiggum. One solution is to remove it.

cegme commented 4 years ago

This was solved by removing the Pipfile.lock. Closed

brownsarahm commented 4 years ago

Do the pipfile and docker containers update automatically?

cegme commented 4 years ago

The Pipfile should auto repair security updates. The

The Pipfile does need to be in sync with the requirements.txt when new dependencies are added.

The Dockerfile just specifies an install based on whatever is in the current wiggum.

At this point we could remove the Pipfile and only use the requirements.txt.
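A drift check of the kind this thread is asking for, added here as an example and not taken from the wiggum repository: it compares the pins in requirements.txt with the `[packages]` section of a Pipfile, so a security bump applied to one file but not the other is caught (for instance as a CI step) instead of leaving a second copy of the vulnerable version behind. Both input files are constructed samples, and the Pipfile parser only handles simple `name = "spec"` lines, not the table syntax Pipfile also allows.

```python
import re
# Constructed sample inputs, not the wiggum repository's real files.
REQUIREMENTS_TXT = """\
numpy==1.18.1
pandas>=1.0.0
Flask==1.1.1  # pinned here after a security bump
"""
PIPFILE = """\
[packages]
numpy = "==1.17.0"
pandas = ">=1.0.0"
scikit-learn = "*"
[dev-packages]
pytest = "*"
"""

def _norm(name):
    return re.sub(r"[-_.]+", "-", name.strip()).lower()  # PEP 503 name normalization

def parse_requirements(text):
    """Map normalized package name -> version specifier ('' if unpinned)."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line) if line else None
        if m:
            pins[_norm(m.group(1))] = m.group(2).strip()
    return pins

def parse_pipfile(text, section="packages"):
    """Read `name = "spec"` entries from one Pipfile section (minimal TOML subset)."""
    pins, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = line.strip("[]")
        elif current == section and "=" in line:
            name, _, spec = line.partition("=")
            spec = spec.strip().strip('"')
            pins[_norm(name)] = "" if spec == "*" else spec
    return pins

def find_drift(req_pins, pipfile_pins):
    """Return (only_in_requirements, only_in_pipfile, version_mismatches)."""
    both = set(req_pins) & set(pipfile_pins)
    mismatched = sorted(n for n in both if req_pins[n] != pipfile_pins[n])
    return sorted(set(req_pins) - both), sorted(set(pipfile_pins) - both), mismatched

def check_sample():
    return find_drift(parse_requirements(REQUIREMENTS_TXT), parse_pipfile(PIPFILE))
```

On the samples above, `check_sample()` reports Flask present only in requirements.txt, scikit-learn present only in the Pipfile, and numpy pinned to different versions in the two files.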