In order to be able to test any changes effectively in CI, the time taken to install dependencies needs to be reduced. It took me 2-3 minutes just to install the dependencies, so it could easily take 5+ minutes on a GitHub Actions runner. I'm planning to use pipdeptree and other tools to help reduce the requirements.txt file to a minimum, in order to remove extraneous packages leftover in people's environments that get output with freeze. This should also help us remove packages that may pose a security risk, letting us be confident that the app is secure.
Also, pinning the version of every package with pip freeze often means that more secure package versions can't be installed. For example, this project currently has Pillow 10.1.0 pinned but Pillow 10.2.0 fixes an arbitrary code execution bug. When using a simpler requirements.txt with only directly used packages pinned, pip is able to figure out that 10.2.0 can be installed without risking breakage, and installs it.
I do have a question here. Since pip does not check for version mismatches (resolve dependency conflicts), don't you think it might be problematic if the requirements.txt has only packages listed? Maybe in this case we can use something like poetry.
The latest pip does check for version mismatches, I believe that was added in pip 24. We also don't need to leave the version requirements blank, but it could be useful to set a minimum version to make pip's dependency resolving easier.
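As an added example (not code from this issue or from the repository), a small Python script that does what the thread proposes: take a pipdeptree-style dependency graph, keep only the top-level packages (the ones nothing else depends on), and pin them with a minimum version instead of the exact version that `pip freeze` emits. The package graph, names and versions below are constructed for illustration and are not the project's.

```python
"""Derive a minimal requirements.txt from a dependency graph.

Keeping only top-level packages drops the transitive and leftover packages
that `pip freeze` captures, and using `>=` instead of `==` lets pip's
resolver pick a newer patched release (the thread's Pillow 10.1.0 -> 10.2.0
case) without anyone editing the file.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample shaped like a trimmed `pipdeptree --json` output:
# each entry has "package" {key, installed_version} and a "dependencies" list.
SAMPLE_GRAPH: List[dict] = [
    {"package": {"key": "pillow", "installed_version": "10.1.0"}, "dependencies": []},
    {"package": {"key": "django", "installed_version": "4.2.7"},
     "dependencies": [{"key": "asgiref"}, {"key": "sqlparse"}]},
    {"package": {"key": "asgiref", "installed_version": "3.7.2"}, "dependencies": []},
    {"package": {"key": "sqlparse", "installed_version": "0.4.4"}, "dependencies": []},
    # A dev-only tool that ended up in someone's environment and in `pip freeze`.
    {"package": {"key": "pipdeptree", "installed_version": "2.13.1"}, "dependencies": []},
]


def top_level_packages(graph: List[dict]) -> Dict[str, str]:
    """Return {name: installed_version} for packages no other package requires."""
    required_by_others: Set[str] = {
        dep["key"] for entry in graph for dep in entry["dependencies"]
    }
    return {
        entry["package"]["key"]: entry["package"]["installed_version"]
        for entry in graph
        if entry["package"]["key"] not in required_by_others
    }


def minimal_requirements(graph: List[dict], exclude: Iterable[str] = ()) -> str:
    """Render top-level packages as 'name>=version' lines.

    `exclude` lists tools the app does not import at runtime (hypothetical
    parameter for this example), so they are not shipped as dependencies.
    """
    skip = set(exclude)
    top = top_level_packages(graph)
    lines = [f"{name}>={ver}" for name, ver in sorted(top.items()) if name not in skip]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(minimal_requirements(SAMPLE_GRAPH, exclude={"pipdeptree"}), end="")
```

Transitive packages such as asgiref and sqlparse disappear from the output because django already requires them, and pip resolves them on install.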