Skip to content

fix(deps): relax install_requires pins to compatible ranges (VC-53626)#197

Open
SahilWikhe-sw wants to merge 1 commit into
Venafi:masterfrom
SahilWikhe-sw:fix/VC-53626-install-requires-ranges
Open

fix(deps): relax install_requires pins to compatible ranges (VC-53626)#197
SahilWikhe-sw wants to merge 1 commit into
Venafi:masterfrom
SahilWikhe-sw:fix/VC-53626-install-requires-ranges

Conversation

@SahilWikhe-sw
Copy link
Copy Markdown

@SahilWikhe-sw SahilWikhe-sw commented Jun 4, 2026
edited
Loading

Summary

  • Replace hard-pinned (==) install_requires entries in setup.py with compatible-range constraints (>=current,<next-major) for all 6 deps.
  • Addresses VC-53626 (SC-006 / CWE-1395): hard pins on a published library prevent downstream consumers from upgrading transitive dependencies and cause resolver conflicts.
  • requirements.txt is left as exact pins (development reproducibility); only install_requires was changed.

Change

- install_requires=['requests==2.32.4', 'python-dateutil==2.8.2', 'six==1.17.0',
-                   'cryptography==45.0.7', 'ruamel.yaml==0.18.13', 'pynacl==1.5.0']
+ install_requires=['requests>=2.32.4,<3', 'python-dateutil>=2.8.2,<3', 'six>=1.17.0,<2',
+                   'cryptography>=45.0.7,<46', 'ruamel.yaml>=0.18.13,<0.19', 'pynacl>=1.5.0,<2']

Test plan

  • pip install --dry-run . resolves all ranges cleanly (verified locally)
  • Lower bounds preserve currently pinned floors — no downgrade for consumers already on these versions
  • CI pipeline passes

Jira: VC-53626

@SahilWikhe-sw
fix(deps): relax install_requires pins to compatible ranges
3322c76 
Addresses VC-53626 (SC-006 / CWE-1395): hard-pinned (==) install_requires
prevents downstream consumers from upgrading transitive deps. Replace ==
with >=current,<next-major ranges for all 6 install_requires entries.
requirements.txt retains exact pins for development reproducibility.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luispresuelVenafi luispresuelVenafi Awaiting requested review from luispresuelVenafi luispresuelVenafi is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SahilWikhe-sw