
Relax all pins using compatible version operator and re-freeze #5824

Merged
quis merged 7 commits into main from relax-pins-re-freeze
Mar 17, 2026

Conversation

@quis

@quis quis commented Mar 3, 2026

Member

Using the compatible release operator means we can update our requirements by re-freezing, rather than manually updating quite arbitrary exact pins.

By setting the operator to only give us minor version updates we minimise the chance of introducing breaking changes when re-freezing.


Note that the new version of humanize now rounds to the nearest delta rather than always rounding down.

This is more accurate, but means updating a couple of our tests.

The change is the result of python-humanize/humanize#272

@CrystalPea CrystalPea left a comment


It will automatically update patch versions, not minor versions, on refreeze, right?

@quis

quis commented Mar 6, 2026

Member Author

@CrystalPea

fido2~=1.1 means the same as fido2>=1.1,<2

So we get version 1.2.0 (minor bump) but we do not get version 2.1.1 (the latest) because that is a major version bump with breaking changes.

@CrystalPea

Contributor

@quis ohh, so we actually do do minor version bumps on re-freeze. Doesn't that make us vulnerable to supply-chain attacks, like the one in npm ecosystem recently?

@quis

quis commented Mar 6, 2026

Member Author

There’s nothing stopping a supply chain attack being shipped in a patch version.

At least with the re-freezing strategy we can choose not to do a re-freeze at the time we know there is a supply chain attack in the wild.

@CrystalPea

Contributor

@quis true that!

@CrystalPea

Contributor

@quis still it's a change I wouldn't do in a hurry - maybe we could discuss it on the tech catch up before we merge it?

@risicle

risicle commented Mar 6, 2026

Member

We could discuss it again, but this sort of caution is essentially how we end up very far behind on dependencies and functionally ends up being the same thing as not maintaining our dependencies.

@CrystalPea

Contributor

@risicle fair! If both you and @quis are on board, let's give it a go.

@risicle

risicle commented Mar 6, 2026

Member

🤷 we've got to try it sometime.

@quis quis force-pushed the relax-pins-re-freeze branch from 72a6a43 to faec8bc Compare March 9, 2026 15:13
@quis

quis commented Mar 9, 2026

Member Author

Add and run a refreeze-requirements command

17f326a and faec8bc


This automates the process of refreezing our requirements, which updates dependencies which are either transitory or not pinned to a specific version.

Importantly it ignores versions which are less than 7 days old.

This gives us a chance to avoid newly-released dependencies which have supply chain attacks, before they’ve been identified by security scanning tools.

It would be better to go for a longer time period than 7 days. However at the moment this would mean downgrading dependencies to versions which have known vulnerabilities, which I think is the worse of two evils.

Add a dependency review PR check

655affe


Copies alphagov/notifications-api#4769
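As an added worked example (not code from this PR and not the `refreeze-requirements` command it adds), the two mechanisms discussed in the thread side by side: the PEP 440 compatible-release expansion quis gives above (`fido2~=1.1` meaning `>=1.1,<2`) and the 7-day release-age cooldown from the commit description, including the trade-off it mentions where a longer cooldown can force selection of an older version with a known vulnerability. The package name `examplepkg`, its release dates, the "known vulnerable" marker and the function names are all constructed for the illustration; the code assumes plain `X.Y.Z` release versions and does not handle pre-, post- or dev-release segments.

```python
"""Added worked example (not the project's refreeze-requirements command):
PEP 440 compatible-release (~=) bounds plus a release-age cooldown.
Assumes plain X.Y.Z release versions; pre/post/dev releases are not handled."""
from datetime import date, timedelta


def parse_version(text):
    """'1.2.0' -> (1, 2, 0); tuples compare the way release versions should."""
    return tuple(int(part) for part in text.strip().split("."))


def compatible_bounds(spec):
    """Expand 'name~=X.Y' into (name, lower, upper) meaning >=X.Y,<X+1.

    PEP 440: ~=V.N is >=V.N together with ==V.*, i.e. the upper bound drops the
    last release segment and bumps the one before it. 'fido2~=1.1' -> >=1.1,<2
    and 'fido2~=1.1.2' -> >=1.1.2,<1.2.
    """
    name, op, version = spec.partition("~=")
    if op != "~=" or not version.strip():
        raise ValueError(f"not a compatible-release specifier: {spec!r}")
    lower = parse_version(version)
    if len(lower) < 2:
        raise ValueError("~= needs at least two release segments (e.g. ~=1.1)")
    upper = lower[:-2] + (lower[-2] + 1,)
    return name.strip(), lower, upper


def satisfies(version, lower, upper):
    """True when lower <= version < upper (tuple comparison, so (2,0,0) >= (2,))."""
    return lower <= parse_version(version) < upper


def choose_release(spec, releases, today, min_age_days=7, known_vulnerable=frozenset()):
    """Newest release matching spec whose upload date is at least min_age_days old.

    releases maps version string -> upload date (what a refreeze would read from
    the package index). Returns (version or None, reason). The reason flags the
    trade-off from the commit message: a long cooldown can force a version with
    a known vulnerability.
    """
    _, lower, upper = compatible_bounds(spec)
    cutoff = today - timedelta(days=min_age_days)
    eligible = [v for v, uploaded in releases.items()
                if satisfies(v, lower, upper) and uploaded <= cutoff]
    if not eligible:
        return None, "no release satisfies both the specifier and the cooldown"
    best = max(eligible, key=parse_version)
    if best in known_vulnerable:
        return best, "WARNING: cooldown selects a version with a known vulnerability"
    return best, "ok"


def freeze_line(spec, releases, today, **kwargs):
    """The exact pin a re-freeze would write for this specifier, or None."""
    name, _, _ = compatible_bounds(spec)
    version, _ = choose_release(spec, releases, today, **kwargs)
    return None if version is None else f"{name}=={version}"


# Constructed release history for a hypothetical package 'examplepkg'; dates and
# the vulnerable version are invented for the illustration, not taken from any index.
EXAMPLE_RELEASES = {
    "1.1.0": date(2025, 6, 1),    # assumed to carry a known vulnerability
    "1.1.1": date(2025, 9, 15),   # assumed fix for it
    "1.2.0": date(2026, 2, 20),   # minor bump, 17 days old on TODAY
    "1.2.1": date(2026, 3, 6),    # 3 days old: inside the 7-day cooldown
    "2.0.0": date(2026, 1, 10),   # major bump: outside ~=1.1
}
EXAMPLE_VULNERABLE = frozenset({"1.1.0"})
TODAY = date(2026, 3, 9)

if __name__ == "__main__":
    for days in (7, 30, 200):
        print(days, choose_release("examplepkg~=1.1", EXAMPLE_RELEASES, TODAY,
                                   days, EXAMPLE_VULNERABLE))
```

With the constructed history, a 7-day cooldown pins `examplepkg==1.2.0` (the 3-day-old 1.2.1 is skipped, 2.0.0 is outside `~=1.1`), a 30-day cooldown falls back to 1.1.1, and a 200-day cooldown lands on the version marked vulnerable, which is the situation the commit message describes as the worse of two evils.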

quis added 3 commits March 9, 2026 17:37
Using the compatible release operator means we can update our
requirements by re-freezing, rather than manually updating quite
arbitrary exact pins.
Note that the new version of `humanize` now rounds to the nearest delta
rather than rounding down.

This is more accurate, but means updating a couple of our tests.

The change is https://github.com/python-humanize/humanize/pull/272/files
@quis quis force-pushed the relax-pins-re-freeze branch from 0934589 to 59e9edf Compare March 10, 2026 15:50
quis added 4 commits March 10, 2026 15:52
This automates the process of refreezing our requirements, which updates
dependencies which are either transitory or not pinned to a specific
version.

Importantly it ignores versions which are less than 7 days old.

This gives us a chance to avoid newly-released dependencies which have
supply chain attacks, before they’ve been identified by security
scanning tools.

It would be better to go for a longer time period than 7 days. However
at the moment this would mean downgrading dependencies to versions which
have known vulnerabilities, which I think is the worse of two evils.
@quis quis force-pushed the relax-pins-re-freeze branch from 59e9edf to 1f87b25 Compare March 10, 2026 15:52
@quis quis merged commit 0bbf992 into main Mar 17, 2026
7 checks passed
@quis quis deleted the relax-pins-re-freeze branch March 17, 2026 12:42
