asf-tooling commented on issue #1133:
URL: https://github.com/apache/tooling-trusted-releases/issues/1133#issuecomment-4407490544
**Automated triage** — analyzed at `main@751c2146`
**Type:** `refactor` • **Classification:** `actionable` • **Confidence:** `low`
**Application domain(s):** `sbom_management`, `automated_checks`
### Summary
The issue reports that `ldap3==2.10.2rc3` (a release candidate) is used as a
production dependency in `pip-audit.requirements` line 148, without documented
justification. The concern is that RC versions may have unclear security patch
processes. The architecture confirms LDAP is a core subsystem (`atr/ldap.py`,
`atr/principal.py`, `atr/cache.py`), so `ldap3` is indeed a meaningful
dependency. However, no source files were provided for review, so I cannot
verify the current state of the dependency pinning or whether this has already
been addressed.
### Where new code would go
- `pip-audit.requirements` — line 148 (per issue)
The issue claims ldap3==2.10.2rc3 is pinned here; this is where the
version would be changed to stable or kept with documentation
- `DEPENDENCIES.md` — new file
If the RC is kept, the issue proposes documenting justification in a new
DEPENDENCIES.md file
- `scripts/check_prerelease_deps.py` — new file
Optional automated pre-release detection script proposed in Option C
### Proposed approach
Since no source files were provided for inspection, I cannot verify the
current state of `pip-audit.requirements` or determine why `ldap3==2.10.2rc3`
was chosen over the stable `2.9.1`. The most pragmatic approach would be Option
A (use stable version) if testing confirms no regressions, since the stable
branch receives predictable security patches. If the RC is required for
specific functionality (e.g., async support, bug fixes not in 2.9.x), then
Option B (document justification) should be implemented.
A maintainer should first check whether `atr/ldap.py` uses any features
exclusive to ldap3 2.10.x (such as asyncio support or specific connection pool
improvements). If no 2.10-specific features are used, downgrade to stable. If
they are, document the dependency in a `DEPENDENCIES.md` or inline comment
explaining the rationale.
### Open questions
- What specific features from ldap3 2.10.x (if any) does atr/ldap.py rely on
that are not available in stable 2.9.1?
- Is `pip-audit.requirements` a separate file from the main dependency
specification (e.g., pyproject.toml), and does changing it affect the actual
deployed dependency?
- Has ldap3 2.10.x been released as stable since this issue was filed? (The
RC was published some time ago and upstream release status is unclear)
- Does the project already have a dependency policy documented elsewhere
that covers pre-release usage?
### Related issues
This issue appears related to: #1132.
_Both concern dependency management policies and security requirements, with
#1132 about undocumented policy enforcement and #1133 about pre-release
dependencies in production_
---
*Draft from a triage agent. A human reviewer should validate before merging
any change. The agent did not run tests or verify diffs apply.*
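The automated pre-release check proposed as Option C (`scripts/check_prerelease_deps.py`) could look like the following. This is an added illustration, not code from the project or the triage bot; the requirements content is a constructed sample with placeholder hashes, and the pin format assumed is the usual `name==version` line with `--hash` continuation lines.

```python
import re
import sys

# PEP 440 shape: [epoch!]release[pre][post][dev][+local]; separators and case are lenient.
_PEP440 = re.compile(
    r"""^(?:\d+!)?(?P<release>\d+(?:\.\d+)*)
        (?P<pre>[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?\d*)?
        (?P<post>[-_.]?(?:post|rev|r)[-_.]?\d*|-\d+)?
        (?P<dev>[-_.]?dev[-_.]?\d*)?
        (?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?$""",
    re.IGNORECASE | re.VERBOSE,
)
# 'name[extras]==version'; hashes, markers or a continuation backslash may follow.
_PIN = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<version>[^\s;#\\]+)")

# Constructed sample; the project's real pip-audit.requirements is not reproduced here.
SAMPLE_REQUIREMENTS = """\
# constructed sample file
example-lib==1.0.0 \\
    --hash=sha256:PLACEHOLDER
ldap3==2.10.2rc3 \\
    --hash=sha256:PLACEHOLDER
packaging==24.0
devtool==1.0.dev3 ; python_version >= "3.11"
"""

def is_prerelease(version: str) -> bool:
    """True when a PEP 440 version carries a pre-release (a/b/rc) or dev segment."""
    m = _PEP440.match(version.strip())
    if m is None:  # fail loudly rather than silently passing an unparseable pin
        raise ValueError(f"not a PEP 440 version: {version!r}")
    return bool(m.group("pre") or m.group("dev"))

def find_prerelease_pins(lines):
    """Return [(line_no, name, version)] for every '==' pin on a pre-release version."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or option line such as --hash
            continue
        m = _PIN.match(line)
        if m and is_prerelease(m.group("version")):
            hits.append((line_no, m.group("name").lower(), m.group("version")))
    return hits

if __name__ == "__main__":  # usage: python check_prerelease_deps.py [requirements-file]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path).read().splitlines() if path else SAMPLE_REQUIREMENTS.splitlines()
    for line_no, name, version in find_prerelease_pins(src):
        print(f"line {line_no}: {name}=={version} is a pre-release pin; document or replace it")
```

Run in CI, a non-empty result would be the signal to either move the pin to a stable release or record the justification the issue asks for.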