[MISC] Add minimum age directive for python deps #42

Open: dragomirp wants to merge 1 commit into main from minimum-release-age

Conversation

@dragomirp dragomirp commented Jun 8, 2026

Add minimum age config for Pypi datasource.

Additional configs will be needed per repo to handle lock update PRs.


@dragomirp dragomirp marked this pull request as ready for review June 8, 2026 14:19

@carlcsaposs-canonical carlcsaposs-canonical left a comment


In https://docs.google.com/document/d/1GsmPd7-0ONbm-Yk40WlyeZJCFNbfZhVumoUVUDst1aI/edit?tab=t.0, 1 week was recommended for dependency cooldowns

One concern I have is that we won't get CVE updates to bypass this cooldown for indirect dependencies (since renovate leaves that to the dependency manager)

Also, if we want to enforce dependency cooldowns I believe the dependency manager needs to be aware for it to apply to indirect dependencies (which is most of the surface area for supply chain attacks). Poetry and uv both support this, but they aren't aware of CVEs and so they do not bypass the cooldown for CVE fixes

From a security perspective, I don't think it's critical to deliver fixes immediately for 100% of CVEs (e.g. if they are low severity or impractical to exploit), but I wonder if that delay would violate any of our SLAs/commercial commitments

tl;dr would really like to have a dependency cooldown (it protects from a lot of attacks); worried about tooling limitations in regards to CVE fixes

@carlcsaposs-canonical


more info: https://docs.google.com/document/d/1GsmPd7-0ONbm-Yk40WlyeZJCFNbfZhVumoUVUDst1aI/edit?disco=AAAB2fTKue4

I was investigating dependabot as an alternative, since it looks like it might handle indirect deps directly. didn't have an opportunity to test. but dependabot also drops support for python versions before our LTS period ends, e.g. https://github.blog/changelog/2026-05-19-upcoming-deprecation-of-python-3-9-for-dependabot/

@dragomirp


> In https://docs.google.com/document/d/1GsmPd7-0ONbm-Yk40WlyeZJCFNbfZhVumoUVUDst1aI/edit?tab=t.0, 1 week was recommended for dependency cooldowns

IMHO 1 week is too long of a wait. Cooldowns should protect us from vulnerabilities that are discovered fairly rapidly. I'm not sure there will be a benefit in waiting for longer than a day.

> One concern I have is that we won't get CVE updates to bypass this cooldown for indirect dependencies (since renovate leaves that to the dependency manager)
>
> Also, if we want to enforce dependency cooldowns I believe the dependency manager needs to be aware for it to apply to indirect dependencies (which is most of the surface area for supply chain attacks). Poetry and uv both support this, but they aren't aware of CVEs and so they do not bypass the cooldown for CVE fixes
>
> From a security perspective, I don't think it's critical to deliver fixes immediately for 100% of CVEs (e.g. if they are low severity or impractical to exploit), but I wonder if that delay would violate any of our SLAs/commercial commitments
>
> tl;dr would really like to have a dependency cooldown (it protects from a lot of attacks); worried about tooling limitations in regards to CVE fixes

I have draft PRs for cooldown in uv and poetry.

CVEs should still be listed by dependabot as security notices, so even if renovate doesn't trigger immediately on its own, we can trigger manually. Renovate should trigger based on the GH notices, but I'm not sure it does respect CVEs for indirect deps. As is, we usually update indirect dependencies once a week, so 1d cooldown shouldn't make a major difference for those.

@taurus-forever taurus-forever left a comment


@dragomirp

Discussed with Carl in private. It is OK to go with 24 hours by default.
Signed from my side. Invited Mykola, Mehdi and Marc to avoid surprises.

Tnx!
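An added example (not this PR's diff, which is not shown on the page) of how the agreed 24 hour cooldown could be expressed for the Renovate pypi datasource while letting vulnerability-alert PRs bypass it; the file name and the `osvVulnerabilityAlerts` setting are assumptions. It only governs the dependencies Renovate updates itself; as noted in the thread, indirect dependencies pinned in the lock file are left to the dependency manager (uv/poetry) and need their own cooldown setting.

```json5
// renovate.json5 (assumed file name; Renovate also reads renovate.json)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      // Only offer PyPI releases that have been public for at least 24 hours,
      // so a package that is compromised and yanked within a day never
      // reaches a PR. Renovate's own age check, not the lock file's.
      "matchDatasources": ["pypi"],
      "minimumReleaseAge": "1 day"
    }
  ],
  // Security PRs driven by GitHub vulnerability alerts (and OSV data, if that
  // experimental source is enabled) are exempt from the cooldown, so a CVE
  // fix for a direct dependency is not delayed by the rule above.
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "enabled": true,
    "minimumReleaseAge": null
  }
}
```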
