Hey #Python library maintainers! 👋 I sometimes see pull requests from well-meaning users about bumping minimum versions of dependencies to "fix security vulnerabilities". Here's a resource you can link to about why this strategy doesn't work in practice:

https://sethmlarson.dev/library-version-specifiers-not-for-vulnerabilities

#python #security #oss #opensource #vulnerability

Library dependency version specifiers aren't for fixing vulnerabilities

Let's say you are the maintainer of a Python library that depends on another Python library like “urllib3”. Because you want to make sure users receive a compatible version of urllib3 you add a ve...

sethmlarson.dev
@sethmlarson @hugovk Nice one, thanks for the write-up I can send to folks.