Unnecessary pinned versions in install_requires and insecure Pillow version
nikhilh-20 opened this issue
**Is your feature request related to a problem? Please describe.**
While using `pyattck`, I noticed that the `install_requires` points to the requirements file having pinned library versions. This is a departure from best practice. Refer to https://packaging.python.org/discussions/install-requires-vs-requirements/
> It is not considered best practice to use install_requires to pin dependencies to specific versions, or to specify sub-dependencies (i.e. dependencies of your dependencies). This is overly-restrictive, and prevents the user from gaining the benefit of dependency upgrades.
The current pinned version of `Pillow==8.2.0` has several vulnerabilities which have been fixed in the latest version. I'm not able to pin Pillow to 8.4.0 because pyattck pins it to 8.2.0. Vulnerabilities:
- https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
- https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html#security
**Describe the solution you'd like**
The more urgent request would be to allow `Pillow>=8.2.0`. Overall, it would be nice to remove pinned versions.
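As an added illustration of the point above (example code, not part of pyattck or of this issue), the snippet below rewrites pinned `requirements.txt` lines into the minimum-version form suggested for `install_requires` and shows that `Pillow==8.2.0` rejects the patched 8.4.0 while `Pillow>=8.2.0` admits it. The requirements content, the helper names and the restriction to `==`/`>=` specifiers with dotted numeric versions are assumptions made for the example.

```python
"""Added example (not pyattck project code): relax pinned requirements into
minimum-version specifiers and check which versions each form admits."""
import re

# Constructed sample of a pinned requirements file (not the real pyattck file).
PINNED_REQUIREMENTS = """\
Pillow==8.2.0
requests==2.25.1
# comments and blank lines are ignored
"""

# Deliberately narrow grammar: 'name==X.Y.Z' or 'name>=X.Y.Z' only.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=)\s*([0-9.]+)\s*$")


def parse_version(version):
    """'8.4.0' -> (8, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def relax_pins(requirements_text):
    """Rewrite every 'name==X' (or 'name>=X') line to 'name>=X'."""
    relaxed = []
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _REQ.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name, _op, version = m.groups()
        relaxed.append(f"{name}>={version}")
    return relaxed


def satisfies(requirement, installed_version):
    """True if installed_version meets a 'name==X' or 'name>=X' requirement."""
    m = _REQ.match(requirement)
    if not m:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    _name, op, version = m.groups()
    have, want = parse_version(installed_version), parse_version(version)
    return have == want if op == "==" else have >= want


if __name__ == "__main__":
    # The exact pin blocks the fixed release; the relaxed form lets it install.
    for req in ("Pillow==8.2.0", *relax_pins(PINNED_REQUIREMENTS)):
        print(f"{req:17} admits 8.4.0: {satisfies(req, '8.4.0')}")
```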