Programming

26746 readers

295 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

UlrikHD@programming.dev

bugsmith@programming.dev

Spyro@programming.dev

pip v26.1 adds support for relative dependency cooldowns (sethmlarson.dev)

submitted 1 day ago by robalex@programming.dev to c/programming@programming.dev

2 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] sloppy_diffuser@sh.itjust.works 3 points 1 day ago

https://pip.pypa.io/en/latest/reference/requirements-file-format/

Looking at the format it supports bare, pinned, or version ranges.

I imagine ranges are preferred for libraries as you'd hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.

https://pip.pypa.io/en/stable/topics/dependency-resolution/#backtracking

The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.