[MISC] Add minimum age directive for python deps#42
Tested on: dragomirp/postgresql-operator#1 and dragomirp/postgresql-operator#2.
carlcsaposs-canonical
In https://docs.google.com/document/d/1GsmPd7-0ONbm-Yk40WlyeZJCFNbfZhVumoUVUDst1aI/edit?tab=t.0, 1 week was recommended for dependency cooldowns
One concern I have is that we won't get CVE updates to bypass this cooldown for indirect dependencies (since renovate leaves that to the dependency manager)
Also, if we want to enforce dependency cooldowns I believe the dependency manager needs to be aware for it to apply to indirect dependencies (which is most of the surface area for supply chain attacks). Poetry and uv both support this, but they aren't aware of CVEs and so they do not bypass the cooldown for CVE fixes
From a security perspective, I don't think it's critical to deliver fixes immediately for 100% of CVEs (e.g. if they are low severity or impractical to exploit), but I wonder if that delay would violate any of our SLAs/commercial commitments
tl;dr would really like to have a dependency cooldown (it protects from a lot of attacks); worried about tooling limitations in regards to CVE fixes
I was investigating dependabot as an alternative, since it looks like it might handle indirect deps directly. I didn't have an opportunity to test. But dependabot also drops support for python versions before our LTS period ends, e.g. https://github.blog/changelog/2026-05-19-upcoming-deprecation-of-python-3-9-for-dependabot/
IMHO 1 week is too long a wait. Cooldowns should protect us from vulnerabilities that are discovered fairly rapidly. I'm not sure there will be a benefit in waiting for longer than a day.
I have draft PRs for cooldown in uv and poetry. CVEs should still be listed by dependabot as security notices, so even if renovate doesn't trigger immediately on its own, we can trigger manually. Renovate should trigger based on the GH notices, but I'm not sure it does respect CVEs for indirect deps. As is, we usually update indirect dependencies once a week, so a 1d cooldown shouldn't make a major difference for those.
Add minimum age config for Pypi datasource.
Additional configs will be needed per repo to handle lock update PRs.
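As an added illustration, not the configuration from this PR (the diff itself is not shown on this page), a Renovate config fragment of the kind the description refers to: a `packageRules` entry applying `minimumReleaseAge` to the `pypi` datasource, with vulnerability-alert PRs and lock-file maintenance enabled separately. The 1-day value and the Monday schedule are assumptions taken from the discussion, not settled values.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Cooldown for Python deps: do not propose PyPI releases younger than 1 day (assumed value; the thread debates 1 day vs 1 week)",
      "matchDatasources": ["pypi"],
      "minimumReleaseAge": "1 day"
    }
  ],
  "vulnerabilityAlerts": {
    "description": "Security-alert PRs are raised on their own track; per this thread they only cover dependencies the platform reports alerts for, not transitive deps resolved by the dependency manager",
    "enabled": true
  },
  "lockFileMaintenance": {
    "description": "Periodic lock refresh; the PR description notes that per-repo config is still needed for lock update PRs",
    "enabled": true,
    "schedule": ["before 5am on monday"]
  }
}
```

The cooldown in `packageRules` only governs what Renovate proposes; for transitive dependencies the equivalent setting has to live in the dependency manager (uv or poetry), as the discussion above points out.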