decide on what recommendations from python package audit to implement #3940
Labels: Dependencies, Security: general, Work: Back-end
Recommendations from #3782
Suggest creating a separate issue for the following issues as appropriate.
- `python@3.7.4`:
  - `config.yml`: update the CircleCI image to `circleci/python:3.7.4-buster`
  - `requirements.txt`: update with `gevent==1.4.0`
  - `requirements-dev.txt`: remove `pandas`
  - `manage.py`: remove (or comment out) the functions that rely on `pandas` (these functions are not currently used elsewhere)
  - `runtime.txt`: update with `python-3.7.4`
- `marshmallow-pagination`: its requirements are not routinely maintained for our purposes, and this has implications for generating transitive dependencies. A `fecgov/marshmallow-pagination` fork has been created with its requirements updated (we can maintain this fork at low cost, or incorporate it into our codebase).
- `apispec` is of particular interest, as it is likely necessary to modify the codebase to mitigate backwards incompatibility (there is an issue open for this).
- Create `requirements.in` (and, for example, `requirements-dev.in`) and use `pip-compile --output-file requirements.txt requirements.in` so that transitive dependencies are then specified in `requirements.txt`. This allows for deterministic builds and avoids the potential for build failures due to problems in dependent packages, but will need to be incorporated into the workflow. This approach is analogous to committing `package-lock.json`, pinning the transitive Node dependencies.
- `pandas`, `marshmallow-pagination`, `rdbms-subsetter`
See reference implementation in PR #3931
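As an added example (not code from this issue or from the openFEC repository), the following script checks the property the pip-compile workflow above is meant to guarantee: that `requirements.txt` is a fully pinned, complete lockfile for the direct dependencies in `requirements.in`. It assumes the workflow described above (`requirements.in` holds direct dependencies; `pip-compile --output-file requirements.txt requirements.in` writes the pinned tree), and the two file contents embedded below are constructed samples with hypothetical versions and hashes. The check is meant to run in CI after any change to either file, so a stale or hand-edited lockfile fails the build instead of silently producing a non-deterministic install.

```python
"""Audit a pip-compile'd requirements.txt for an unpinned or stale dependency tree.

Added example for this issue, not openFEC code. Assumes the pip-tools workflow:
requirements.in lists direct dependencies, pip-compile writes requirements.txt.
File contents below are constructed samples (hypothetical versions and hashes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: direct dependencies only.
REQUIREMENTS_IN = """\
# direct dependencies; transitive ones are resolved by pip-compile
Flask>=1.0
gevent==1.4.0
marshmallow
apispec
"""

# Constructed sample of pip-compile output that was later hand-edited:
# `apispec` was added to requirements.in without re-running pip-compile,
# `greenlet` was loosened to a range, and only some entries carry hashes.
REQUIREMENTS_TXT = """\
#
# This file is autogenerated by pip-compile
#
click==7.0 \\
    --hash=sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
flask==1.1.1 \\
    --hash=sha256:fedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321
gevent==1.4.0
greenlet>=0.4.14
marshmallow==3.2.1
"""

# name, optional [extras], then the version specifier up to an environment marker (';')
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")


def canonical(name: str) -> str:
    """PEP 503 normalisation so `Flask`, `flask` and `Flask_Foo`/`flask-foo` compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Requirement:
    name: str
    specifier: str                       # e.g. "==1.4.0", ">=1.0", "" when unconstrained
    hashes: list[str] = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        # A single exact "==" / "===" clause with no wildcard pins one version.
        return bool(re.fullmatch(r"===?\s*[^,\s*]+", self.specifier.strip()))


def _logical_lines(text: str) -> list[str]:
    """Join backslash continuations and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # comments start at '#'
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_requirements(text: str) -> dict[str, Requirement]:
    """Parse a requirements file into {canonical name: Requirement}."""
    reqs: dict[str, Requirement] = {}
    for logical in _logical_lines(text):
        if logical.startswith("-"):          # -r, -e, --index-url ...: not a package line
            continue
        req_part = logical.partition(" --")[0]  # options such as --hash follow the requirement
        m = _NAME_RE.match(req_part)
        if not m:
            continue
        name, spec = m.group(1), m.group(2).strip()
        reqs[canonical(name)] = Requirement(name, spec, re.findall(r"--hash=(\S+)", logical))
    return reqs


def audit_lockfile(requirements_in: str, requirements_txt: str) -> dict[str, list[str]]:
    """Report entries that break determinism: unpinned, missing direct deps, mixed hashing."""
    direct = parse_requirements(requirements_in)
    locked = parse_requirements(requirements_txt)
    unpinned = sorted(n for n, r in locked.items() if not r.pinned)
    missing = sorted(n for n in direct if n not in locked)
    # pip's --require-hashes mode rejects a file where only some entries carry hashes.
    any_hashed = any(r.hashes for r in locked.values())
    unhashed = sorted(n for n, r in locked.items() if any_hashed and not r.hashes)
    return {"unpinned": unpinned, "missing": missing, "unhashed": unhashed}


def main() -> None:
    report = audit_lockfile(REQUIREMENTS_IN, REQUIREMENTS_TXT)
    for problem, names in report.items():
        print(f"{problem}: {', '.join(names) or 'none'}")
    if any(report.values()):
        raise SystemExit("requirements.txt is not a deterministic lockfile; re-run pip-compile")


if __name__ == "__main__":
    main()
```

Run against real files by reading `requirements.in` and `requirements.txt` from disk instead of the embedded samples; the same check applies to `requirements-dev.in` / `requirements-dev.txt`. Because direct dependencies are matched by canonical name, `Flask` in `requirements.in` is correctly paired with the `flask==...` line pip-compile emits.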
Completion criteria