craig-rueda commented on PR #22934: URL: https://github.com/apache/superset/pull/22934#issuecomment-1416182639
> > This is probably not a great idea as it will lead to non-deterministic builds. IMO we should be conscious about bumping the PY version, even if it's just a patch
>
> The fact that we don't really have resources to actively follow patch releases to upstream Python, pinning to a minor seems like a lesser bad vs being exposed to vulns due to being pinned on an old patch version. But if this is not a shared concern I'm happy to bump to the latest patch.

I think it depends on context. In most orgs, I'm sure folks will want to control the patch version themselves, so they will likely NOT want to use this image. One of the hardest things to debug is problems that arise from some "auto" patch version bumping somewhere that affects other libs, etc. (think `package-lock.json`)
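The trade-off discussed in this thread (reproducible builds vs. automatically picking up patch-level security fixes) comes down to how the base image is referenced in the Dockerfile. The snippet below is an added illustration, not code from the Superset PR, and the tag names and digest are constructed placeholders rather than values taken from the project. It contrasts a minor-version tag, which floats across patch releases, with a patch tag and a digest pin, which are reproducible but only receive fixes when someone bumps them:

```dockerfile
# Option A: floating minor tag (constructed example tag).
# Every rebuild may resolve to a different Python patch release, so two
# builds of the same commit can differ: convenient for picking up upstream
# security fixes, but the source of the non-deterministic builds concern.
FROM python:3.9-slim AS floating

# Option B: exact patch tag (constructed example tag).
# Reproducible at the Python level, but the image only gets a newer patch
# when this line is changed, so someone has to watch upstream releases.
FROM python:3.9.16-slim AS patch-pinned

# Option C: digest pin (placeholder digest; take the real one from
# `docker pull` / the registry manifest, and keep a readable tag alongside).
# Byte-for-byte reproducible, including the Debian layer underneath, and
# a bump is an explicit, reviewable diff rather than a silent change.
# Pair with an automated bump tool (e.g. Dependabot or Renovate) so the
# pin is refreshed on a schedule instead of drifting out of date.
FROM python:3.9.16-slim@sha256:<digest-from-docker-pull> AS digest-pinned
```

With option C the auto-bump concern from the comment above is handled by review rather than by build time: a patch update shows up as a one-line change to the digest, and a bad update can be bisected to that commit instead of to "whatever the registry served that day".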
