8000 GOV: write up policy on not updating req for CVEs in dependencies · matplotlib/matplotlib@0a19d20 · GitHub

Commit 0a19d20

GOV: write up policy on not updating req for CVEs in dependencies
This comes up about every other month.
1 parent 4cbef2d commit 0a19d20

1 file changed: 20 additions, 2 deletions

doc/devel/min_dep_policy.rst

Lines changed: 20 additions & 2 deletions
@@ -49,6 +49,9 @@ without compiled extensions
4949
We will only bump these dependencies as we need new features or the old
5050
versions no longer support our minimum NumPy or Python.
5151

52+
We should work around bugs in our dependencies when practical.
53+
54+
5255
Test and documentation dependencies
5356
===================================
5457

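Review bot: "We should work around bugs in our dependencies when practical." does not say what a workaround is allowed to be; since the next hunk of this same commit introduces excluding specific buggy versions of the development dependencies, state here whether runtime dependencies get the same treatment (exclude the version) or whether the expectation is that Matplotlib carries the workaround in its own code and never narrows the runtime constraint for a bug, which is the reading the later "Security Issues in Dependencies" section seems to assume. Minor: this hunk adds two blank lines before the "Test and documentation dependencies" heading, while the other headings visible in this diff are preceded by one.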
@@ -58,8 +61,10 @@ support for old versions. However, we need to be careful to not
5861
over-run what down-stream packagers support (as most of the run the
5962
tests and build the documentation as part of the packaging process).
6063

61-
We will support at least minor versions of the development
62-
dependencies released in the 12 months prior to our planned release.
64+
We will support at least minor versions of the development dependencies
65+
released in the 12 months prior to our planned release. Specific versions that
66+
are known to be buggy may be excluded from support using the finest-grained
67+
filtering that is practical.
6368

6469
We will only bump these as needed or versions no longer support our
6570
minimum Python and NumPy.
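Review bot: "excluded from support using the finest-grained filtering that is practical" leaves open where the exclusion is recorded and when it is lifted; suggest naming the mechanism (an exclusion of that single version in the test and documentation requirement files rather than raising the minimum) and requiring that each exclusion carry a reference to the upstream bug report so it can be removed once a fixed release exists, otherwise exclusions accumulate with no one remembering why. Pre-existing typo in the unchanged context above: "as most of the run the tests" should read "as most of them run the tests".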
@@ -76,6 +81,19 @@ In the case of GUI frameworks for which we rely on Python bindings being
7681
available, we will also drop support for bindings so old that they don't
7782
support any Python version that we support.
7883

84+
Security Issues in Dependencies
85+
===============================
86+
87+
In most cases we should not adjust the versions supported based on CVEs to our
88+
dependencies. We are a library not an application and the version constraints
89+
on our dependencies indicate what will work (not what is wise to use). Users
90+
and packagers can install newer versions of the dependencies their discretion
91+
and evaluation of risk and impact. In contrast, if we were to adjust our
92+
minimum supported version it is very hard for a user to override our judgment.
93+
94+
If Matplotlib aids in exploiting the underlying vulnerability we should treat
95+
that as a critical bug in Matplotlib.
96+
7997
.. _list-of-dependency-min-versions:
8098

8199
List of dependency versions
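Review bot: "If Matplotlib aids in exploiting the underlying vulnerability we should treat that as a critical bug in Matplotlib." is the sentence that triage will hang on, and it gives no criterion; suggest spelling out the test, for example that Matplotlib reaches the affected code path of the dependency with data it accepts from the user (files it reads, data it renders) under default settings, and saying where such a report should go rather than only that it is critical. Two wording fixes in the first paragraph: "based on CVEs to our dependencies" should be "CVEs in our dependencies", and "install newer versions of the dependencies their discretion" is missing "at" before "their discretion". The rationale that the constraints "indicate what will work (not what is wise to use)" and that a raised minimum is hard for a user to override is the right one for a library and worth keeping as the opening of the section.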
