[llvm] Hashpin sensitive dependencies and configure dependabot to update them automatically (PR #75859)

Diogo Teles Sant'Anna via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 19 05:44:09 PST 2023


diogoteles08 wrote:

> We have several of these requirements.txt files scattered throughout the repo, should we make this change with all of them?

Hi @tstellar! I'd say it depends on how the dependencies in the requirements.txt are used. It's recommended to use hash-checking installs for production run-time dependencies or dependencies used to build critical artifacts such as releases. But it might be debatable if it's worth it to hash-check every install of test or development dependencies.

The main point for this uncertainty is that, although hash-checking the installations is the most secure, it's a bit more difficult to maintain, and it might also be useful to have some dependencies unpinned -- especially test dependencies, which could provide a wider range of versions tested. For the maintenance, Dependabot should be enough to keep your current dependencies updated and you shouldn't need to manually look for their hashes, but in case you want to start using a new dependency, you'd need to re-run [pip-tools](https://pypi.org/project/pip-tools/2.0.0/) to generate the hashes for the new dependency.

https://github.com/llvm/llvm-project/pull/75859
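An added example, not code from the PR or the thread, of what a hash-checking install enforces: a small Python checker that reads a hash-pinned requirements.txt the way `pip install --require-hashes` does (exact `==` pin, one or more `--hash=sha256:` entries, backslash line continuations), reports the entries pip would refuse to install, and verifies a downloaded artifact against the listed hashes. The requirements text and the artifact bytes below are constructed; the hashes are not real PyPI hashes.

```python
import hashlib
import re
from typing import Dict, List

# "name==version" at the start of a logical line; version stops at whitespace/backslash
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> Dict[str, dict]:
    """Join backslash-continued lines, then map name -> {"version", "hashes"}."""
    logical = text.replace("\\\n", " ")
    reqs: Dict[str, dict] = {}
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):    # skip options such as --index-url
            continue
        m = REQ_RE.match(line)
        if m:
            reqs[m.group(1).lower()] = {"version": m.group(2), "hashes": HASH_RE.findall(line)}
        else:  # not an exact pin, e.g. "pyyaml>=6.0": record it as unpinned
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            reqs[name.lower()] = {"version": None, "hashes": HASH_RE.findall(line)}
    return reqs


def lint(reqs: Dict[str, dict]) -> List[str]:
    """Problems that make pip --require-hashes abort the whole install."""
    problems = []
    for name, r in reqs.items():
        if r["version"] is None:
            problems.append(f"{name}: not pinned with ==")
        if not r["hashes"]:
            problems.append(f"{name}: no --hash")
    return problems


def artifact_matches(reqs: Dict[str, dict], name: str, data: bytes) -> bool:
    """True if the sdist/wheel bytes hash to one of the allowed sha256 values."""
    return hashlib.sha256(data).hexdigest() in reqs[name.lower()]["hashes"]


# Constructed stand-ins: a fake artifact and a requirements file listing its hash.
FAKE_WHEEL = b"constructed stand-in for a downloaded wheel, not a real package"
GOOD_HASH = hashlib.sha256(FAKE_WHEEL).hexdigest()
SAMPLE = f"""# constructed sample; hashes are placeholders, not real PyPI hashes
--index-url https://pypi.org/simple
packaging==23.2 \\
    --hash=sha256:{GOOD_HASH} \\
    --hash=sha256:{'0' * 64}
pyyaml>=6.0
"""
```

Run `lint(parse_requirements(SAMPLE))` to see the unpinned, unhashed `pyyaml` entry reported; pip would refuse the entire install for the same reason.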

