Pinning dependencies per OSSF security practices and converting to ASCII #1582
Conversation
LGTM,
I checked that these version numbers are the current versions of these libraries.
LGTM
Edit: See below
These dependencies actually seem impossible to fulfill based on the CI failure:
The user requested sphinx==4.4.0
breathe 4.9.1 depends on Sphinx>=1.4
sphinx-book-theme 1.1.2 depends on sphinx>=5
Would increasing the required sphinx version resolve this?
That may have unintended consequences. May be best to figure out which version of these was currently being used prior to this PR and just use those version numbers.
Diff lines under review:
sphinxcontrib_qthelp<1.0.6
sphinxcontrib-serializinghtml<1.1.10
sphinx_book_theme==1.1.2
Looking at another PR, it looks like this is correct (after rolling back to versions which work):
sphinx_book_theme==1.0.1
sphinx-tabs==3.4.5
sphinx-prompt==1.5.0
sphinx_substitution_extensions==2022.2.16
Thanks. The version numbers I selected had been pulled from a previous PR, but I'm not able to find that PR now. Looking at the PR from Dependabot earlier today I do see that it used the same version numbers you've listed above.
I think it initially tries the numbers you originally had, but then backs them off later in the script due to dependencies.
LGTM
https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies recommends explicitly pinning dependencies to reduce several security risks.
Line endings in the file were inconsistent so I converted them all to ASCII instead of a mix of CR and CRLF line endings.
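The two points raised in this PR, that every requirement should be an exact pin and that the file should not mix line endings, are easy to check mechanically before a reviewer has to eyeball them. The following is an added example written for this page, not code from this PR, the project or OSSF Scorecard. It treats anything other than an exact `==` pin (optionally with `--hash=`) as not pinned, which is the spirit of the Scorecard Pinned-Dependencies check linked above; it canonicalizes names the way pip does (PEP 503: `_`, `-` and `.` are equivalent, case-insensitive), so `sphinx_book_theme` and `sphinx-book-theme` are the same package; and it reports which of CR, CRLF and LF endings appear so a mixed file can be normalized. The requirements content, the package names and the placeholder hash are constructed for the example.

```python
import re

# Constructed sample requirements.txt content (not the project's file). It
# mixes an exact pin, an unpinned name, two upper-bound ranges, a hashed pin,
# and CRLF, CR and LF line endings, to exercise every branch below.
FAKE_HASH = "0" * 64  # placeholder digest, constructed for the example
SAMPLE_REQUIREMENTS = (
    "sphinx==4.4.0\r\n"
    "breathe\r"
    "sphinxcontrib_qthelp<1.0.6\n"
    "sphinxcontrib-serializinghtml<1.1.10\r\n"
    "sphinx_book_theme==1.1.2\r\n"
    f"sphinx-tabs==3.4.5 --hash=sha256:{FAKE_HASH}\n"
    "# comment\n"
)

# Project name, optional [extras], then an exact == pin. The version stops at
# whitespace or ';' so trailing --hash options and markers are not swallowed.
EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")
NAME_ONLY = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
LINE_ENDING = re.compile(r"\r\n|\r|\n")


def canonical_name(name):
    """PEP 503 normalization: runs of -, _ and . collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_requirement_lines(text):
    """Split on CRLF, CR or LF so a mixed-ending file is still read line by line."""
    return LINE_ENDING.split(text)


def line_ending_kinds(text):
    """Return the set of line-ending styles present: subset of {'CRLF', 'CR', 'LF'}."""
    kinds = set()
    if "\r\n" in text:
        kinds.add("CRLF")
    rest = text.replace("\r\n", "")  # what remains is bare CR or bare LF
    if "\r" in rest:
        kinds.add("CR")
    if "\n" in rest:
        kinds.add("LF")
    return kinds


def normalize_line_endings(text, ending="\n"):
    """Rewrite every line ending to a single style (LF by default)."""
    return ending.join(split_requirement_lines(text))


def classify_requirements(text):
    """Map canonical package name -> 'hashed', 'pinned', 'range' or 'unpinned'.

    Comments, blank lines and option lines (-r, -e, --find-links, ...) are skipped.
    Environment markers after ';' are dropped before looking for version operators,
    so a marker like python_version<"3.8" is not mistaken for a version range.
    """
    result = {}
    for raw in split_requirement_lines(text):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        exact = EXACT_PIN.match(line)
        if exact:
            status = "hashed" if "--hash=" in line else "pinned"
            result[canonical_name(exact.group(1))] = status
            continue
        name_match = NAME_ONLY.match(line)
        if not name_match:
            continue  # URL or other form this example does not classify
        spec = line.split(";", 1)[0]
        status = "range" if re.search(r"[<>~!]", spec) else "unpinned"
        result[canonical_name(name_match.group(1))] = status
    return result


def not_exactly_pinned(text):
    """Sorted names that a pinned-dependencies check would flag."""
    statuses = classify_requirements(text)
    return sorted(n for n, s in statuses.items() if s in ("range", "unpinned"))


if __name__ == "__main__":
    print("line endings:", sorted(line_ending_kinds(SAMPLE_REQUIREMENTS)))
    for name, status in classify_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:32} {status}")
    print("not exactly pinned:", not_exactly_pinned(SAMPLE_REQUIREMENTS))
```

Run against the sample, the two `<` upper bounds and the bare `breathe` are reported as not pinned, while `sphinx_book_theme==1.1.2` is accepted as a pin even though it spells the name differently from the theme's own `sphinx-book-theme`; pinning alone does not check that the pinned set is mutually installable, which is what the CI failure above caught, so a `pip install --dry-run` of the final file is still needed.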