Investigate pinning sub dependencies #3
Another thing I just noticed FastAPI has
but the requirements.txt is now being updated by dependabot - so it won't care when it should. Pip would probably complain during the build though.
Also see #10 (comment). Some dependencies may come from just the OS it's being installed on (in this case it seems it's an optional one: https://stackoverflow.com/questions/70731019/is-it-impossible-developing-with-fastapi-uvloop-windows) but there could be cases where one requirements file for all OSes doesn't work.
On #13, it could be tested by looking at the unit test CI. (Once some unit tests are added)
It does complain, see: #24
Today I had this repo picking up a starlette CVE: https://avd.aquasec.com/nvd/2024/cve-2024-47874/. ims-api did not show the same due to GitHub not seeing it as a dependency, but it was picked up by Trivy on Harbor (which is where I first noticed it).
#71 worked successfully without having to recreate the pip env/manually edit the requirements to ensure all versions were compatible with each other like a lot of the others due to pydantic having a newer version that fastapi didn't support.
On ims-api and ldap-jwt-auth we don't pin sub-dependencies. There are cases where this could cause issues e.g. docker builds installing different dependencies when tags are pushed, or dependabot failing to notify us of security issues. However, using a requirements.txt also has issues e.g. when sub-dependencies are added/removed in new versions leading to an invalid requirements.txt. Equally, where others suggest using poetry, we are not very keen on it complicating setup.
In #2 I am adding a requirements.txt to test it out, but we should re-evaluate this later and decide whether to revert the change, find a different solution or apply it to ims-api and ldap-jwt-auth.
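One way to make both failure modes discussed here visible in CI, as an added example that is not code from this repository: a small Python check that flags entries in requirements.txt that are not pinned with `==` and reports drift between the file and a `pip freeze` snapshot of the built environment (a transitive dependency present in the environment but absent from the file is exactly the case a scanner reading only requirements.txt would miss). The sample file contents and version numbers below are constructed for the example.

```python
import re

# Matches "name[extras] <op> version"; environment markers (;) are ignored.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<ver>[^\s;#,]+))?"
)

def normalize(name):
    """PEP 503 normalisation so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return {normalised name: (operator or None, version or None)}."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and -r/--index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse requirement: {raw!r}")
        reqs[normalize(m["name"])] = (m["op"], m["ver"])
    return reqs

def unpinned(reqs):
    """Names not pinned with '==', i.e. free to drift between builds."""
    return sorted(n for n, (op, _) in reqs.items() if op != "==")

def drift(reqs, frozen):
    """Compare a requirements file with a 'pip freeze' snapshot of the env.
    Returns (missing, extra, changed): installed but not listed (an unseen
    sub-dependency), listed but not installed, and pinned at another version."""
    both = set(reqs) & set(frozen)
    missing = sorted(set(frozen) - set(reqs))
    extra = sorted(set(reqs) - set(frozen))
    changed = sorted((n, reqs[n][1], frozen[n][1]) for n in both
                     if reqs[n][0] == "==" and reqs[n][1] != frozen[n][1])
    return missing, extra, changed

def check(req_text, freeze_text):
    """Run both checks; CI can fail the build when any list is non-empty."""
    reqs, frozen = parse_requirements(req_text), parse_requirements(freeze_text)
    return unpinned(reqs), drift(reqs, frozen)

# Constructed sample input (package versions are made up for this example):
# one transitive dependency (starlette) is installed but missing from the file.
REQUIREMENTS = "fastapi==0.100.0\npydantic>=2.0\nuvicorn[standard]==0.20.0  # server\n"
FROZEN = "fastapi==0.100.0\npydantic==2.1.0\nstarlette==0.27.0\nuvicorn==0.21.0\n"
```

In a pipeline the second argument would be the output of `pip freeze` from the freshly built image, so a rebuild that silently resolved a different sub-dependency set fails the check instead of shipping.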