- Fixed dependencies ( requirements.txt modified ) #25
Conversation
ssaavedra
changed the title
|
Woops, right, some dependencies are quite outdated (cryptography is even insecure right now) Apropos, a full list of the dependencies' state can be tracked at: https://requires.io/github/gpul-org/xea-core/requirements/?branch=master I think it's best if you put a version boundary instead of leaving it unversioned. Mostly because if we want to update a dependency that some of us have already downloaded, if it does not have a minimum version boundary it will not download the latest version. And some issues might arise if some of us have different library versions (and we won't even know that's the root cause of such an issue). Example: I have cryptography==1.4.0 downloaded in the virtualenv. I'm happy to merge this as is, I'm just writing to see what you think about it. |
In fact, I just submitted a PR to merge a badge about that in the README, so that it's easier to keep track of this whenever we get outdated again. It's #27 |
|
I think it's a good idea to put an exact version number ;) In fact, i think that at this moment could be interesting to update all dependencies (in the frontend we will earn a lot of time if we update react-bootstrap now because we don't have too much components) |
|
@castrinho8 Either an exact version or at least a boundary (e.g., not fix it to "patch" versions but only "minor"). In pip you can specify that with the
That's a different issue and a different PR with different package managers. I agree, but that should be discussed elsewhere. |
|
Related: gpul-org/xea-web#11 |
|
I am agree with you. The best options is use the exact version, or as you said, at least a boundary. |
|
Ping? Please, could you put a version boundary here, so we can get your first commit pushed? ;-) |
|
It should be ready now. Could you check it? |
No description provided.