pip v26.1 adds support for relative dependency cooldowns (sethmlarson.dev)
from robalex@programming.dev to programming@programming.dev on 29 Apr 02:17
https://programming.dev/post/49559738

#programming


Skullgrid@lemmy.world on 29 Apr 04:20

I’m just going to brain fart this in here. Why is it pip freeze, if it doesn’t stop dependencies from updating or whatever?

sloppy_diffuser@sh.itjust.works on 29 Apr 05:13

pip.pypa.io/en/…/requirements-file-format/

Looking at the format, it supports bare, pinned, or version ranges.

I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.

pip.pypa.io/en/stable/…/dependency-resolution/#ba…

The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.
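As an added illustration of the cooldown idea described in the reply above (this is not pip's own resolver code, and the package, versions and upload dates are constructed), here is the selection step in Python: the newest release is only chosen once it is older than the cooldown, so a version pushed a day ago is skipped in favour of an older one until the window has passed.

```python
"""Cooldown-aware version selection (constructed illustration, not pip's code)."""
from datetime import datetime, timedelta, timezone

# Constructed release index for a hypothetical package: version -> upload time.
RELEASES = {
    "2.3.0": datetime(2026, 4, 27, tzinfo=timezone.utc),  # one day old at NOW
    "2.2.1": datetime(2026, 4, 10, tzinfo=timezone.utc),
    "2.2.0": datetime(2026, 3, 1, tzinfo=timezone.utc),
    "1.9.5": datetime(2025, 12, 15, tzinfo=timezone.utc),
}
NOW = datetime(2026, 4, 28, tzinfo=timezone.utc)


def parse_version(text):
    """Turn '2.2.0' into a comparable tuple, dropping trailing zeros so 2.2 == 2.2.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version, minimum=None, below=None):
    """True when minimum <= version < below; either bound may be omitted."""
    v = parse_version(version)
    if minimum is not None and v < parse_version(minimum):
        return False
    if below is not None and v >= parse_version(below):
        return False
    return True


def eligible_candidates(releases, now, cooldown_days, minimum=None, below=None):
    """Versions the resolver may consider, newest first; releases younger than
    the cooldown are skipped so a just-published (possibly malicious) upload is
    not installed until the window has passed."""
    cutoff = now - timedelta(days=cooldown_days)
    ok = [
        v for v, uploaded in releases.items()
        if uploaded <= cutoff and satisfies(v, minimum, below)
    ]
    return sorted(ok, key=parse_version, reverse=True)


def pick(releases, now, cooldown_days, minimum=None, below=None):
    """The version a cooldown-aware resolver would choose, or None if nothing fits."""
    candidates = eligible_candidates(releases, now, cooldown_days, minimum, below)
    return candidates[0] if candidates else None
```

With a 7-day cooldown the one-day-old 2.3.0 is passed over for 2.2.1; with a cooldown of zero the ordinary "newest wins" behaviour returns.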