sethmlarson.dev

May 7, 2026

Library dependency version specifiers aren't for fixing vulnerabilities

Hey Python library maintainers! 👋 I sometimes see pull requests from well-meaning users about bumping minimum versions of dependencies to "fix security vulnerabilities". Here's a resource you can link to about why this strategy doesn't work in practice:

Library dependency version specifiers aren't for fixing vulnerabilities — Seth Larson

Let's say you are the maintainer of a Python library that depends on another Python library like “urllib3”. Because you want to make sure users receive a compatible version of urllib3 you add a ve...
