FelixSchwarz
commented
1 year ago Apart from forking Zeep, which I don't want to do, there is no recourse but to wait it out which is very counterproductive.
Recommend updating Zeep's dependencies to include "==" versions for all dependencies so that a stable release can be obtained.
Just a personal opinion but I think that is not a good idea for an open source library like zeep. Scanning code without looking at the deployed environment is just security charade from my point of view.
If you want repeatable deployments, in my opinion you should either
- only install versions from custom repos (= hosting all dependencies in a private repo) or
- you need to create a custom requirements.txt file containing also dependency hashes, not just versions.
Please provide the following information:
The problem is that my company uses Nexus to scan for vulnerabilities and one check that is enabled is "minimum age policy". When dependencies have no version specified or a ">=" version, pip pulls the latest dependency version even if Zeep itself is unchanged. This leads to an indeterminate runtime and also breaks our pipelines when new versions of Zeep's dependencies are released.
Apart from forking Zeep, which I don't want to do, there is no recourse but to wait it out which is very counterproductive.
Recommend updating Zeep's dependencies to include "==" versions for all dependencies so that a stable release can be obtained.
For example, instead of this insetup.py:
Use this instead: