A handful of package dependencies are running versions with known issues and need to be updated.
In looking at that list a bit more, I came across multiple dependencies where the only reference to them in the codebase was a lock/toml file (e.g., uv.lock or package-lock.json). It made me wonder:
- Are we pinning transitive dependencies? (If so, do we want to be doing that?)
- Given the iterations on this codebase, are we accidentally carrying around dependencies we're no longer using?
Option 3) User error and I just couldn't find the references is also very valid :) but wanted to open this Issue to confirm before just jumping right into updates.
Packages I was playing with as examples:
- pillow
- dnspython
- jinja2
- minimatch
- qs