Version Pinning Dependencies

[ibejohn818]

A recent issue with dependency ecsda 0.14.0 (https://github.com/warner/python-ecdsa/issues/159) caused fatal errors with sshpubkeys library.

To mitigate this type of issue with dependencies I suggest pinning to specific versions VS minimum versions. https://github.com/ojarva/python-sshpubkeys/blob/master/setup.py#L35 IE: == operator vs >=

Also, since this is a public project, a service like https://pyup.io/ can be used to continually monitor dependencies.

Thanks -JH

[tomato42]

version pinning would also make the dependency resolution not automatically pick up a new release when there's a security fix, like with https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

given that only the newest released version is supported and ecdsa promises API stability, I would strongly suggest against depending on specific version

[ibejohn818]

That is why I suggest using pyup.io since this is a public project it would be free of charge. It monitors updates/CV's and automatically PR's updates for the maintainer to approve

[ojarva]

Hi,

Thank you for opening this issue. I'm on vacation until end of this month with no access to Github. I'll get back to this and other open issues at the beginning of December.

On Thu, Nov 7, 2019, 09:15 John Hardy notifications@github.com wrote:

That is why I suggest using pyup.io since this is a public project it would be free of charge. It monitors updates/CV's and automatically PR's update for the maintainer to approve

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/ojarva/python-sshpubkeys/issues/69?email_source=notifications&email_token=AAI7RRMODLDOUCHKT5FYYRTQSM6ZBA5CNFSM4JJ6MQXKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDIFVPQ#issuecomment-550525630, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAI7RRP6YZTXN46S6SRJE7LQSM6ZBANCNFSM4JJ6MQXA .