sethmlarson.dev

May 7, 2026

Library dependency version specifiers aren't for fixing vulnerabilities

Hey Python library maintainers! 👋 I sometimes see pull requests from well-meaning users about bumping minimum versions of dependencies to "fix security vulnerabilities". Here's a resource you can link to about why this strategy doesn't work in practice:

Library dependency version specifiers aren't for fixing vulnerabilities — Seth Larson

Let's say you are the maintainer of a Python library that depends on another Python library like “urllib3”. Because you want to make sure users receive a compatible version of urllib3 you add a ve...
