fix: remove lower-constraints.txt to resolve 41 Dependabot alerts#142
Merged
Conversation
Delete lower-constraints.txt and its tox env. This file pinned ancient package versions for lower-bound CI testing that was never run (no Zuul, GHA only runs default tox env). Dependabot flagged 41 CVEs against these floor versions that were never installed in production. The remaining 13 alerts require version bumps in the shared sapcc/requirements constraints file (urllib3 2.x, cryptography 46.x, GitPython 3.1.47+, requests 2.33.0, idna 3.15, webob 1.8.10). Also fix tox envlist to use py3 instead of py39 to match CI.
d4983b6 to
cad8f59
Compare
trouaux
approved these changes
Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
lower-constraints.txtand the[testenv:lower-constraints]section fromtox.inienvlistfrompy39topy3to match CI configurationWhy remove instead of update?
python-package.yml) runstox(default env) andtox -e lint, nevertox -e lower-constraintshacking>=8.0.0doesn't exist on public PyPIsapcc/requirementsrepo has the same problem — 270 alerts, all from test fixture files with 2017-era pinsRemaining alerts (13)
These require bumps in the shared sapcc/requirements constraints file:
Test plan