dpgaspar commented on PR #27187: URL: https://github.com/apache/superset/pull/27187#issuecomment-1959101804
> @nigzak it seems like `numexpr` is an indirect dependency: > > ``` > $ git grep numexpr > requirements/base.txt:numexpr==2.8.4 > requirements/base.txt: # numexpr > ``` > > To ensure that CVE is addressed for all situations (and not just CI etc. which leverage the pinned/frozen dependencies) we should add the necessary bump to `setup.py`. This should _likely_ be done by updating the `pandas` constraints given that's the package which is depending on it. Adding the constraint to `setup.py` is more complete, yet when applied as a global rule for indirect dependencies can cause hard to fix and unexpected problems with our extra packages. Also as time passes we will probably end up with a huge setup.py with lot's of indirect dependency constraints that will be hard to manage. My take here is that we should keep `setup.py` restricted to direct dependencies only, and open exceptions for breaking changes only. Then add these constraints on `requirements/*.in`. Users that use `pip install apache-superset` will get the latest packages when possible, or manage their dependencies on their own `requirements` file(s). Our requirements will ensure CI and an up to date docker image(s) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For additional commands, e-mail: notifications-h...@superset.apache.org
