Skip to content

Commit cebc4d8

Browse files
timhoffmtimhoffm
authored
Merge pull request matplotlib#28127 from tacaswell/doc/dep_vulns
GOV: write up policy on not updating req for CVEs in dependencies
2 parents ba7dbf3 + 60e37f4 commit cebc4d8

File tree

1 file changed

+21
-2
lines changed

1 file changed

+21
-2
lines changed

doc/devel/min_dep_policy.rst

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,9 @@ without compiled extensions
4949
We will only bump these dependencies as we need new features or the old
5050
versions no longer support our minimum NumPy or Python.
5151

52+
We will work around bugs in our dependencies when practical.
53+
54+
5255
Test and documentation dependencies
5356
===================================
5457

@@ -58,8 +61,10 @@ support for old versions. However, we need to be careful to not
5861
over-run what down-stream packagers support (as most of the run the
5962
tests and build the documentation as part of the packaging process).
6063

61-
We will support at least minor versions of the development
62-
dependencies released in the 12 months prior to our planned release.
64+
We will support at least minor versions of the development dependencies
65+
released in the 12 months prior to our planned release. Specific versions that
66+
are known to be buggy may be excluded from support using the finest-grained
67+
filtering that is practical.
6368

6469
We will only bump these as needed or versions no longer support our
6570
minimum Python and NumPy.
@@ -76,6 +81,20 @@ In the case of GUI frameworks for which we rely on Python bindings being
7681
available, we will also drop support for bindings so old that they don't
7782
support any Python version that we support.
7883

84+
Security issues in dependencies
85+
===============================
86+
87+
Generally, we do not adjust the supported versions of dependencies based on
88+
security vulnerabilities. We are a library not an application
89+
and the version constraints on our dependencies indicate what will work (not
90+
what is wise to use). Users and packagers can install newer versions of the
91+
dependencies at their discretion and evaluation of risk and impact. In
92+
contrast, if we were to adjust our minimum supported version it is very hard
93+
for a user to override our judgment.
94+
95+
If Matplotlib aids in exploiting the underlying vulnerability we should treat
96+
that as a critical bug in Matplotlib.
97+
7998
.. _list-of-dependency-min-versions:
8099

81100
List of dependency versions

0 commit comments

Comments
 (0)