My work as the Security Developer-in-Residence at the Python Software Foundation is sponsored
by Alpha-Omega. Thanks to Alpha-Omega for supporting
security in the Python ecosystem.
I pub...
Looking at the format it supports bare, pinned, or version ranges.
I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.
The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.
https://pip.pypa.io/en/latest/reference/requirements-file-format/
Looking at the format it supports bare, pinned, or version ranges.
I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.
https://pip.pypa.io/en/stable/topics/dependency-resolution/#backtracking
The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.