
upgrade sqlalchemy >= 1.3.0 #335

Closed

Conversation

heartsucker (Contributor)

Fixes #308

Unfortunately pipenv is annoying and won't let us upgrade a single package (which really goes back to #233), so all the dependencies got updated. This brings up the question: should we aggressively upgrade to keep dependencies up to date, or should we make the smallest diff possible each time?

If we don't like the fact that all packages got updated, we should add two parts to the Pipfile sections dependencies and dev-dependencies:

```toml
[dependencies]
### Dependencies

foo = "==1.2.3"
# must be >= 4.5.5 b/c CVE-xxx
bar = "==4.5.6"

### Transitive Dependencies

baz = "==9.8.7"
quux = "==2.4.6"
```

The way we did it before with all dependencies mixed together made it unclear what was actually a first-class dependency or not.
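An added check, not part of this PR or the project's code, that reads a `Pipfile.lock` and fails when a package the Pipfile comments say must be at or above a given version (here `sqlalchemy >= 1.3.0` for the linked CVEs) is missing or still locked at an older release. The lockfile content and the `MINIMUM_VERSIONS` table are constructed for the example.

```python
import json
from typing import Dict, Tuple

# Constructed sample Pipfile.lock (not the real lockfile from this PR).
SAMPLE_LOCK = json.dumps({
    "default": {
        "sqlalchemy": {"version": "==1.2.19", "hashes": ["sha256:placeholder"]},
        "six": {"version": "==1.12.0", "hashes": ["sha256:placeholder"]},
    },
    "develop": {"pytest": {"version": "==4.4.1", "hashes": ["sha256:placeholder"]}},
})

# Minimum versions with the reason recorded, mirroring the
# "# must be >= X b/c CVE-..." comment style proposed for the Pipfile.
MINIMUM_VERSIONS = {
    "sqlalchemy": ("1.3.0", "CVE-2019-7548 / CVE-2019-7164"),
}


def parse_version(spec: str) -> Tuple[int, ...]:
    """Turn a lockfile pin such as '==1.2.19' into a comparable tuple.
    Only plain numeric releases are handled; anything else raises, so the
    check fails loudly rather than silently passing."""
    return tuple(int(part) for part in spec.lstrip("=").strip().split("."))


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Collect every pinned package (lower-cased name) from both sections."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            pins[name.lower()] = entry["version"]
    return pins


def check_lock(lock_text: str, minimums=MINIMUM_VERSIONS) -> Dict[str, str]:
    """Return {package: problem} for each minimum the lockfile violates.
    A missing package is a violation too: a lock that dropped the package
    is not evidence that the fixed version is installed."""
    pins = locked_versions(lock_text)
    problems = {}
    for name, (minimum, reason) in minimums.items():
        pin = pins.get(name.lower())
        if pin is None:
            problems[name] = f"not present in lockfile (required >= {minimum}: {reason})"
        elif parse_version(pin) < parse_version(minimum):
            problems[name] = f"locked at {pin}, required >= {minimum} ({reason})"
    return problems
```

Run `check_lock(open("Pipfile.lock").read())` in CI and fail the build when the returned dict is non-empty.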

```json
"sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
"sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
],
"version": "==1.12.0"
},
"sqlalchemy": {
```
Contributor

the especially weird part about the pipenv behavior here is that it didn't actually update sqlalchemy

heartsucker (Contributor Author)

Lolwut.

@redshiftzero (Contributor)

closing this one in favor of #372 (returning us to pip-tools)

@heartsucker heartsucker deleted the upgrade-sqlalchemy branch May 15, 2019 12:55
Successfully merging this pull request may close these issues.

update SQLAlchemy to 1.3.0 to mitigate CVE-2019-7548 and CVE-2019-7164