pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Support for partly pinned dependencies #299

Open pzelnip opened 4 years ago

pzelnip commented 4 years ago

Description

For Django I want to run the latest LTS version, which (currently) means anything less than 2.3. Putting this into a requirements.txt file:

Django<2.3

Gives me that, but if I do that then Safety reports:

Warning: unpinned requirement 'Django' found in /safety/requirements.txt, unable to check.

Ideally I'd like it to report if there is any vulnerability for the current latest 2.2.x release (i.e. if there is a known CVE on the latest LTS version of Django, I'd want to know, even if there's little I could do about it).

While this specific example is Django, I could think of other dependencies where I'd like to let the patch version "float", but still be alerted if the latest patch version has an open CVE.

What I Did

Ended up pinning Django to a specific LTS version, but this means now instead of getting security updates as soon as they're available, I have to see the failed safety run indicating there's an open CVE and then update.

domdfcoding commented 3 years ago

Along the same lines, Safety skips requirements with only a lower bound (e.g. idna>=2.5), which is the standard way of specifying dependencies for libraries. I would expect Safety to warn about any issues present in, for this example, idna 2.5 and later in the same way it would if the requirement was idna==2.5.
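The behaviour both comments ask for, resolving a partly pinned requirement such as `Django<2.3` or `idna>=2.5` to the releases it can actually select and checking those against an advisory list, as an added example that is not Safety's own code. The release index, the advisory entries and their ids are constructed for illustration; real Safety matches against its own vulnerability database.

```python
import re

# Constructed release index (stand-in for what a package index would report).
RELEASES = {
    "django": ["2.1.15", "2.2.0", "2.2.5", "2.2.10", "2.3.0"],
    "idna": ["2.4", "2.5", "2.8", "3.3"],
}
# Constructed advisories; affected ranges use requirement-specifier syntax.
ADVISORIES = [
    {"package": "django", "spec": ">=2.2,<2.2.10", "id": "EXAMPLE-DJANGO-1"},
    {"package": "idna", "spec": "<2.8", "id": "EXAMPLE-IDNA-1"},
]

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause (e.g. '>=2.5,<2.8')."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue  # empty spec: unpinned, every release matches
        m = re.match(r"(<=|>=|==|!=|<|>)\s*([\d.]+)$", clause)
        if not m:
            raise ValueError("unsupported clause: " + clause)
        op, target = m.group(1), parse_version(m.group(2))
        n = max(len(v), len(target))  # pad so 2.2 == 2.2.0
        a, b = v + (0,) * (n - len(v)), target + (0,) * (n - len(target))
        if not {"<": a < b, "<=": a <= b, ">": a > b,
                ">=": a >= b, "==": a == b, "!=": a != b}[op]:
            return False
    return True

def parse_requirement(line):
    m = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)$", line.strip())
    return m.group(1).lower(), m.group(2).strip()

def advisories_for(name, version):
    return [a["id"] for a in ADVISORIES
            if a["package"] == name and satisfies(version, a["spec"])]

def check_requirement(line):
    """Return (newest release in range or None, its advisory ids), the
    'check the latest version the range allows' behaviour pzelnip asked for."""
    name, spec = parse_requirement(line)
    matching = [r for r in RELEASES.get(name, []) if satisfies(r, spec)]
    if not matching:
        return None, []
    newest = max(matching, key=parse_version)
    return newest, advisories_for(name, newest)

def affected_in_range(line):
    """Every release the range allows that has an advisory, the broader
    'warn about anything in idna>=2.5' expectation from domdfcoding."""
    name, spec = parse_requirement(line)
    return {r: advisories_for(name, r) for r in RELEASES.get(name, [])
            if satisfies(r, spec) and advisories_for(name, r)}
```

With the constructed data, `Django<2.3` resolves to 2.2.10 and is clean, while `Django<2.2.10` resolves to 2.2.5 and is flagged, which is exactly the distinction a "partly pinned" check needs to make.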

dylanpulver commented 1 month ago

Hi @pzelnip and @domdfcoding,

Thank you for bringing up this issue and for your patience as we reviewed it.

We believe that support for partly pinned dependencies, such as specifying Django<2.3, has been addressed in the current implementation of Safety. The recent versions should now correctly handle and report vulnerabilities for the latest patch versions within the specified range, as requested.

To confirm this, please try running Safety with the latest version and your current requirements file setup. If you encounter any issues or find that the problem persists, do let us know with specific details, and we will investigate further.

Thank you again for your contribution and for helping us improve Safety!

Best Regards, The Safety Team