Figure out a way to update only the vulnerable deps

[woodruffw]

We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.

We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?

[alex]

Keep in mind that sometimes, fixing the vulnerable dep requires bumping something as well (either a dep of the vulnerable dep, or the inverse).

…

On Wed, Nov 1, 2023 at 2:12 PM William Woodruff ***@***.***> wrote: We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles. We should really only bump the vulnerable dep. Maybe we can do that by using constraints files <https://pip.pypa.io/en/stable/user_guide/#constraints-files>? — Reply to this email directly, view it on GitHub <#66>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBHGSS4ITHI2MTN2RRTYCK3LNAVCNFSM6AAAAAA6Z4S3PKVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE3TGMJSGA3DSOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[woodruffw]

Ah yeah, good point. Blindly using constraints would probably then cause us to miss some upgrades. I'll think about this some more.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[alex]

This is still active.

…

On Thu, Jun 13, 2024 at 8:19 PM github-actions[bot] ***@***.***> wrote: This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.