potiuk commented on pull request #10665: URL: https://github.com/apache/airflow/pull/10665#issuecomment-684008648
BTW. The vulnerability scanner will likely still show those dependencies, if it is actually working (I would love to hear if it does). As explained, the dependencies in our project come from setup.py and unidecode is a transitive dependency (nothing changes by removing this file). So if it will stop unidecode as dependency, it means that it does not detect the "proper" ones.

FYI. Those "constraints" files for master are here https://github.com/apache/airflow/tree/constraints-master (you can see the history of changes there) - they will show you the list of actual dependencies used by the project. They are refreshed automatically every time a master merge succeeds. There are already 35 commits in there (1-2 changes a day). So if you want to have the latest "snapshot" of all dependencies used (including the transitive ones) you should look there (HEAD of the "constraints-master" branch) in case the scanner is not able to do it from the "setup.py" automatically.

More about it here: https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#pinned-constraint-files

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
