Hey #Python library maintainers! 👋 I sometimes see pull requests from well-meaning users about bumping minimum versions of dependencies to "fix security vulnerabilities". Here's a resource you can link to about why this strategy doesn't work in practice:

https://sethmlarson.dev/library-version-specifiers-not-for-vulnerabilities

#python #security #oss #opensource #vulnerability

Library dependency version specifiers aren't for fixing vulnerabilities

Let's say you are the maintainer of a Python library that depends on another Python library like “urllib3”. Because you want to make sure users receive a compatible version of urllib3 you add a ve...

@sethmlarson Nice! This has been a bit of a pet peeve of mine too for a long time, but it's good to have a writeup from someone with credibility 😁
@sethmlarson Great article. Somewhat related, I also find that the practice of setting version upper bounds in library dependencies is more often causing problems for users than helping them.
@sethmlarson @hugovk Nice one, thanks for the write-up I can send to folks.
@sethmlarson
Cool sweatshirt you're wearing in that photo!