Upgrade pygments to 2.7.4 #40
Conversation
Addresses CVE-2021-27291
vxfield
left a comment
vxfield
left a comment
There was a problem hiding this comment.
Shouldn't we try to always use the latest version of these packages instead of pinning to a specific version?
This way if there are new security fixes we the packages we will automatically pick them. There is a risk of breaking changes, but then we can address them as they come, right?
|
@guenp and @vxfield its usually a bad idea to pin to an exact version (with ==) in setup.py/setup.cfg. It makes it much harder to deploy the package together with other packages having a requirement on the same package. I would suggest that you do In QCoDeS we are using dependabot to keep the requirements that we perform most of the actual ci testing against (in requirements.txt) up to date and automatically open new pull requests when a new package is released. Meanwhile the requirements in setup.py/setup.cfg are normally the minimum supported versions of the required packages. In qcodes we are using requirements-builder to create an additional ci job that test against these. By being flexible on your enforced requirements you make it easier to deploy your package together with other packages. |
|
Thanks @jenshnielsen, those are great ideas. I've created a new issue for setting up dependabot: #41. Jens' suggestion should fix the build error as well. |
|
Now the build issue is unrelated to this PR but an issue with building the qsharp-runtime on Mac... |
anjbur
left a comment
anjbur
left a comment
There was a problem hiding this comment.
Confirmed that this resolves the Component Governance flags, looks good to me!
|
Restarted pipeline after microsoft/qsharp-runtime#623 was merged |
Addresses CVE-2021-27291 and CVE-2021-20270