I’m just going to brain fart this in here. Why is it `pip freeze`, if it doesn’t stop dependencies from updating or whatever?

https://pip.pypa.io/en/latest/reference/requirements-file-format/
Looking at the format it supports bare, pinned, or version ranges.
I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.
https://pip.pypa.io/en/stable/topics/dependency-resolution/#backtracking
The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.
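The "minimum release age" idea from the post, as an added example that is not code from this thread, from pip, or from the original post: given a package's release history, select the newest version inside a requested range whose upload date is at least N days old, and emit a pinned `name==version` line for a requirements file. The release map, the package name `examplepkg`, the dates, and the helper names are all constructed for the example; the data shape is assumed to mirror the `releases` map of PyPI's JSON API (version to upload time), which a real implementation would fetch instead of embedding.

```python
"""Pick the newest release of a package that is at least `min_age_days` old.

Added example (not code from the thread, the post, or pip). It models the
"minimum release age" cooldown described in the comment above: a freshly
published release is ignored until it has been public long enough for a
malicious upload to have a chance of being noticed and yanked.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data. Assumption: the shape mirrors PyPI's JSON API
# ("releases": version -> upload time). None of these are real releases.
SAMPLE_RELEASES = {
    "1.4.0": "2024-01-10T12:00:00Z",
    "1.4.1": "2024-03-02T09:30:00Z",
    "1.5.0": "2024-05-20T08:00:00Z",
    "1.5.1": "2024-06-01T15:45:00Z",  # hypothetical just-published release
}

# Constructed "today" so the example is deterministic.
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def parse_version(version):
    """Dotted-integer versions only (e.g. "1.5.0"); pre-release tags are out of scope."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, lower=None, upper=None):
    """pip-style range check: inclusive lower bound (>=), exclusive upper bound (<)."""
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    if upper is not None and v >= parse_version(upper):
        return False
    return True


def newest_aged_release(releases, min_age_days, now, lower=None, upper=None):
    """Return the newest in-range version uploaded at least `min_age_days` before
    `now`, or None if no release qualifies (e.g. the range only covers fresh ones)."""
    cutoff = now - timedelta(days=min_age_days)
    candidates = []
    for version, uploaded in releases.items():
        # PyPI timestamps end in "Z"; fromisoformat wants an explicit offset.
        uploaded_at = datetime.fromisoformat(uploaded.replace("Z", "+00:00"))
        if uploaded_at <= cutoff and in_range(version, lower, upper):
            candidates.append(version)
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def pin_line(name, releases, min_age_days, now, lower=None, upper=None):
    """Emit a requirements.txt-style pinned line (name==version) for the chosen release."""
    chosen = newest_aged_release(releases, min_age_days, now, lower, upper)
    if chosen is None:
        raise ValueError(f"no release of {name} older than {min_age_days} days in range")
    return f"{name}=={chosen}"


if __name__ == "__main__":
    # With a 14-day cooldown, 1.5.1 (4 days old) is skipped in favour of 1.5.0.
    print(pin_line("examplepkg", SAMPLE_RELEASES, 14, NOW, lower="1.4.0", upper="2.0"))
```

The cooldown only narrows the candidate set; the resolver's range constraints still apply on top of it, which is why `in_range` and the age check are combined rather than one replacing the other. When the only in-range releases are newer than the window, the function returns `None` instead of silently falling back to a fresh version, so a caller can fail the build rather than quietly bypass the policy.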