
Exclude transitive dependency from requirements.txt

Open anjaneya17 opened this issue 4 years ago • 1 comments

Hi,

Context: I am new to Python coding. numpy version 1.21.5 has a security vulnerability (https://github.com/numpy/numpy/issues/18993). This dependency is a transitive dependency, not a direct dependency. We are sure that in our code we are not using any functionality that requires this transitive dependency.

Request: Is there any way to configure the requirements.txt to exclude a transitive dependency? I see the issue is fixed in version 1.22.0, but unfortunately this is not in a stable release yet. What is the timeline for version 1.22.0 to become stable?

Any help is really appreciated. Please do respond.

anjaneya17 avatar Dec 28 '21 21:12 anjaneya17

  1. 1.22.0 is released, so no workaround needed anymore
  2. This CVE is nonsensical

rgommers avatar Jan 04 '22 05:01 rgommers