Incorrect dependabot security alert due to constraints files

RamonvdW · April 6, 2021, 7:42pm

Hello,

PIP allows to configure constraints files (see User Guide - pip documentation v21.0.1), but dependabot seems to confuse them for requirements.txt like files.

I use the constraints to allow upgrades to the latest minor (3.0.x), but never step over to the next major (3.1).

constraints.txt:

# stick to django 3.0 for now
django<3.1

requirements.in:

# required pip packages
-c constraints.txt
# web framework
Django

The proposal Dependabot gives: “Upgrade django to version 3.1.6 or later”
The justification: Vulnerable versions: >= 3.1, < 3.1.6; Patched version: 3.1.6

So I am not using a vunerable version, but it thinks I do.

What can I do to avoid these false positives?

Ramon

ernest-phillips · April 15, 2021, 12:13am

Hi @RamonvdW ,

Thanks for bringing this up to the community. I am not sure if it was our intention to use Constraints files in the same way Requirements files are. I will need to do some digging here.

To your point, it doesn’t appear to be useful to treat these files like requirements.

ernest-phillips · April 15, 2021, 4:52pm

Hi @RamonvdW

Are you able to provide a link to a repository where this is happening?

RamonvdW · April 15, 2021, 6:24pm

Hello,

My nhbapps repo has this issue.

Ramon

RamonvdW · April 16, 2021, 7:38pm

Hello,

This project also has the issue with dependabot false-positives on the contraints.txt file: https://github.com/RamonvdW/dof/

This directory contains the requirements and constraints files: https://github.com/RamonvdW/dof/tree/master/dof/requirements

Just wondering: would it help if I rename constraints.txt to constraints.in ?

Ramon