feat: codify CVE policy #570
Signed-off-by: Callahan Kovacs <callahan.kovacs@canonical.com>
Pull request overview
Codifies guidance for handling CVEs via comments in pyproject.toml, clarifying how applications vs libraries should manage vulnerable direct and transitive dependencies when using dependency-groups and uv constraints.
Changes:
- Adds policy guidance for CVEs in `[dependency-groups]`.
- Expands guidance for CVE avoidance in `[tool.uv].constraint-dependencies`.
bepri left a comment
I'm not sure this sufficiently explains the policy. As I understand it, libraries should just do what we've been doing (bump the lockfile and move on with our lives), while applications should also:
- Pin direct dependencies in `project.dependencies`
- Pin optional dependencies in `dependency-groups`
- Pin indirect dependencies in `uv.tool.constraint-dependencies`

I thought that the agreement was to use
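An added illustration of the three pin locations listed above for an application (example configuration written for this page, not from the PR or the project; the package names, versions and the `CVE-YYYY-NNNNN` identifier are placeholders):

```toml
[project]
name = "example-app"   # hypothetical application, not a real project
version = "0.1.0"
dependencies = [
    # Direct dependency: pin to the first release that carries the fix and
    # record why, so the pin can be dropped later. Placeholder advisory id.
    "direct-lib>=2.3.1",  # CVE-YYYY-NNNNN fixed in 2.3.1
]

[dependency-groups]
dev = [
    # Optional (group) dependency: same treatment, same comment convention.
    "optional-tool>=1.4.2",  # CVE-YYYY-NNNNN fixed in 1.4.2
]

[tool.uv]
# Transitive dependency: the application never imports it, so listing it in
# project.dependencies would misstate the dependency graph. A constraint
# bounds the resolver's choice without adding a requirement.
constraint-dependencies = [
    "transitive-lib>=0.9.5",  # CVE-YYYY-NNNNN fixed in 0.9.5
]
```

The constraint only affects this project's own resolution; as noted later in the thread, uv does not apply a dependency's `constraint-dependencies` when resolving a project that depends on it, which is why the policy for libraries differs from the policy for applications.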
Signed-off-by: Callahan Kovacs <callahan.kovacs@canonical.com>
I don't recall that point, I mostly remembered Tiago mentioning that it gives a false sense of security since uv doesn't consider constraint-dependencies of dependencies when building a project. But with that in mind, yeah, I agree with you.
I'm going to summon @lengau as well, as I think that was his idea. I think it would only affect the minimum-version CI job.
Signed-off-by: Callahan Kovacs <callahan.kovacs@canonical.com>
Signed-off-by: Callahan Kovacs <callahan.kovacs@canonical.com>
Codifies our policy for handling CVEs in direct and transitive dependencies.
`make lint && make test`.