jenngile/dependency-hell

Surviving Dependency Hell: The TensorFlow Upgrade Challenge

The Challenge

  • Welcome to dependency hell. One upgrade can break everything.
  • Your project needs a security update, but conflicting dependencies stand in the way.
  • TensorFlow, NumPy, and other libraries all have strict version requirements.
  • Your goal: Reduce conflicts and improve security without breaking the project.

Note: There is no real application code in this repository. In the real world you would also have to deal with potential breaking changes in the code, not just with the version constraints.

What You Have

  • A requirements.txt file full of conflicting dependencies.
  • TensorFlow, NumPy, and other packages that don't always play nicely together.
  • A vulnerability scanner to detect known-vulnerable versions (the steps below use Endor Labs' endorctl; any SCA scanner, such as an OSV-based one, serves the same purpose).
  • 15 minutes to minimize conflicts while keeping the project functional.

What You Don’t Have

  • A clean upgrade path.
  • An easy fix.
  • A guarantee that upgrading one thing won’t break something else.

The Process

  1. Set up your environment:

    python3 -m venv venv
    source venv/bin/activate
    pip install -r requirements.txt
  2. Run the Endor Labs scan to check for vulnerabilities:

    • Initialize Endor Labs. Run the following command to authenticate with Endor Labs and set up your environment:

    ./endorctl init --auth-mode <mode> --headless-mode

    • Replace <mode> with your preferred authentication mode (e.g., google, github, etc.).
    • Then run the baseline scan so you know how many findings you start with:

    ./endorctl scan --quick-scan
  3. Upgrade TensorFlow to 2.14.0 in the requirements.txt file:

    tensorflow==2.14.0

    Then reinstall your dependencies; pip's resolver will report any pins that cannot be satisfied together:

    pip install --force-reinstall -r requirements.txt
  4. Solve conflicts manually:

    • Check the error messages: pip's resolver names the packages whose requirements cannot be satisfied together.
    • Modify requirements.txt: adjust package versions to find a working set.
    • Use pip install --upgrade <package> carefully; some dependencies need manual intervention to align with the correct versions.
    • Look for alternative versions; sometimes upgrading a package incrementally helps resolve issues.
    • Check the dependency chain: a package may depend on an outdated version of another, causing conflicts.
    • Run pip check to list installed packages whose declared requirements are not met by what is currently installed.
    • On pip 22.2 or newer, pip install --dry-run -r requirements.txt shows what the resolver would install without touching the environment.
    • Test frequently: after each change, verify that your application still works.
    • Try to use ChatGPT (that counts as manual nowadays).
  5. The person who reduces vulnerabilities the most in 15 minutes wins.

Make sure to check your work by running:

./endorctl scan --quick-scan
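pip's resolver is what produces the conflict errors in step 4. The following is an added example, not code from this repository: a stand-alone, stdlib-only model of that resolution over a constructed requirements.txt and constructed dependency metadata. The package names are real, but every version, constraint and the "legacy-plugin" package are assumptions made up for illustration. It first lists the constraints the current pins violate, then searches for a pin set that keeps the TensorFlow upgrade and the untouchable plugin fixed and lets everything else move, newest first.

```python
"""Check a requirements.txt pin set against dependency constraints and search
for a consistent set, the way pip's resolver does during `pip install`.

Added example for this challenge, not code from the repository. The package
names are real, but EVERY version, constraint and the "legacy-plugin" package
below are constructed for illustration.
"""
import itertools
import re

# Constructed requirements.txt, with the tensorflow==2.14.0 bump already applied.
REQUIREMENTS_TXT = """\
tensorflow==2.14.0      # the security upgrade we must land
numpy==1.22.4           # old pin
protobuf==3.19.6        # old pin
legacy-plugin==1.0      # constructed in-house package we cannot upgrade
"""

# Constructed metadata: package -> version -> [(dependency, specifier)].
METADATA = {
    "tensorflow": {
        "2.12.0": [("numpy", ">=1.22,<1.24"), ("protobuf", ">=3.20.3,<5")],
        "2.14.0": [("numpy", ">=1.23.5,<2"), ("protobuf", ">=3.20.3,<5")],
    },
    "numpy": {"1.22.4": [], "1.23.5": [], "1.24.4": [], "1.26.4": []},
    "protobuf": {"3.19.6": [], "3.20.3": [], "4.25.3": []},
    "legacy-plugin": {"1.0": [("numpy", "<1.24")], "2.0": [("numpy", ">=1.24")]},
}

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}
_CLAUSE = re.compile(r"(==|!=|>=|<=|~=|>|<)\s*([0-9][0-9.]*)$")
_REQ = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^#]*)")


def _pad(parts):
    """Pad to at least three components so 1.23 and 1.23.0 compare equal."""
    return parts + (0,) * (3 - len(parts))


def parse_version(text):
    """'1.23.5' -> (1, 23, 5); tuples compare the way version numbers should."""
    return _pad(tuple(int(p) for p in text.strip().split(".")))


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        if op == "~=":  # compatible release: ~=1.23.5 means >=1.23.5,<1.24
            raw = tuple(int(p) for p in target.split("."))
            upper = _pad(raw[:-2] + (raw[-2] + 1,))
            if not (parse_version(target) <= v < upper):
                return False
        elif not _OPS[op](v, parse_version(target)):
            return False
    return True


def parse_requirements(text):
    """Map package -> specifier from requirements.txt-style text."""
    wanted = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = _REQ.match(line)
            if not m:
                raise ValueError(f"cannot parse requirement: {line!r}")
            wanted[m.group(1).lower()] = m.group(2).strip()
    return wanted


def exact_pins(text):
    """The exact versions a fully pinned requirements.txt asks for."""
    return {p: s[2:] for p, s in parse_requirements(text).items() if s.startswith("==")}


def find_conflicts(pinned, metadata):
    """List every constraint the pinned set violates; [] means consistent."""
    conflicts = []
    for pkg, version in pinned.items():
        for dep, spec in metadata.get(pkg, {}).get(version, []):
            have = pinned.get(dep)
            if have is None:
                conflicts.append(f"{pkg}=={version} needs {dep}{spec}, which is not pinned")
            elif not satisfies(have, spec):
                conflicts.append(f"{pkg}=={version} needs {dep}{spec} but {dep}=={have} is pinned")
    return conflicts


def propose_pins(text, metadata, hold=()):
    """Search for a conflict-free pin set.

    Packages in `hold` keep their requirements.txt specifier (the security
    upgrade you must land, or a package you cannot touch); every other package
    may move to any version in `metadata`, tried newest first so the first hit
    is the most current set. Returns the pin dict, or None if nothing fits.
    """
    candidates = []
    for pkg, spec in parse_requirements(text).items():
        versions = sorted(metadata.get(pkg, {}), key=parse_version, reverse=True)
        if pkg in hold:
            versions = [v for v in versions if satisfies(v, spec)]
        if not versions:
            return None
        candidates.append([(pkg, v) for v in versions])
    for combo in itertools.product(*candidates):
        pinned = dict(combo)
        if not find_conflicts(pinned, metadata):
            return pinned
    return None


if __name__ == "__main__":
    for c in find_conflicts(exact_pins(REQUIREMENTS_TXT), METADATA):
        print("conflict:", c)
    print("proposal:", propose_pins(REQUIREMENTS_TXT, METADATA, hold={"tensorflow", "legacy-plugin"}))
```

Holding both tensorflow and legacy-plugin drags numpy down to 1.23.5, the one version both accept, while protobuf is free to move to the newest release; hold numpy at its old pin as well and no combination works, which is exactly the dead end the resolver's error message describes. In a real environment the constraint data comes from each installed distribution's Requires-Dist metadata, and pip check performs the violation check against what is actually installed.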

What This Teaches You

  • Dependency hell is real.
  • Security upgrades can introduce more problems than they fix.
  • Manifest-based SCA tools don’t always show the full picture.
  • Developers deal with this daily—security needs to understand the struggle before demanding upgrades.

This is a real-world challenge. Good luck.

About

An example of an upgrade with multiple version constraints.
