pip v26.1 adds support for relative dependency cooldowns

1mon 20d ago by programming.dev/u/robalex in programming@programming.dev from sethmlarson.dev

I'm just going to brain fart this in here. Why is it pip freeze, if it doesn't stop dependencies from updating or whatever?

https://pip.pypa.io/en/latest/reference/requirements-file-format/

Looking at the format, it supports bare, pinned, or version ranges.

I imagine ranges are preferred for libraries, as you'd hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.

https://pip.pypa.io/en/stable/topics/dependency-resolution/#backtracking

The post suggests that, during backtracking, the maximum version considered for any dependency must be a certain age, to reduce the attack surface of malicious releases, assuming the vulnerability will be caught within the desired window.
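An added illustration of the cooldown idea discussed in this thread (example code, not pip's implementation and not from the linked post): given release upload dates, only versions at least N days old are candidates, so the newest eligible version moves back as the window grows. The package name, versions, dates and the simple dotted-version parser are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed release metadata for a hypothetical package "example-lib":
# version -> upload time (UTC). Not real PyPI data.
RELEASES = {
    "1.4.0": datetime(2025, 1, 10, tzinfo=timezone.utc),
    "1.4.1": datetime(2025, 2, 3, tzinfo=timezone.utc),
    "1.5.0": datetime(2025, 2, 20, tzinfo=timezone.utc),
    "1.5.1": datetime(2025, 3, 1, tzinfo=timezone.utc),  # one day old relative to NOW
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Sort key for simple dotted numeric versions such as '1.5.1' (assumption:
    no pre-release or local segments; a real resolver uses PEP 440 ordering)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases, cooldown_days, now=NOW):
    """Return, in ascending order, the versions published at least
    `cooldown_days` before `now`.

    A release younger than the cooldown is skipped so that a malicious or
    compromised upload has time to be noticed and yanked before it is resolved.
    """
    cutoff = now - timedelta(days=cooldown_days)
    return sorted(
        (v for v, uploaded in releases.items() if uploaded <= cutoff),
        key=version_key,
    )


def newest_eligible(releases, cooldown_days, now=NOW):
    """Pick the highest version that satisfies the cooldown, or None if none does."""
    candidates = eligible_versions(releases, cooldown_days, now)
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    # Without a cooldown the resolver would take the day-old 1.5.1.
    print("no cooldown   :", newest_eligible(RELEASES, 0))
    # With a 7-day cooldown the day-old release is not considered yet.
    print("7-day cooldown:", newest_eligible(RELEASES, 7))
    # A 30-day window pushes the choice back to 1.4.0.
    print("30-day cooldown:", newest_eligible(RELEASES, 30))
    # If nothing is old enough, the resolver has no candidate at all.
    print("90-day cooldown:", newest_eligible(RELEASES, 90))
```

Note that with a long window the candidate set can become empty, so a cooldown needs to be paired with a fallback policy (fail, or accept the oldest available release) rather than silently widening the window.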