@@ -49,6 +49,9 @@ without compiled extensions
4949We will only bump these dependencies as we need new features or the old
5050versions no longer support our minimum NumPy or Python.
5151
52+ We will work around bugs in our dependencies when practical.
53+
54+
5255Test and documentation dependencies
5356===================================
5457
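Review bot: the added sentence "We will work around bugs in our dependencies when practical." does not say what "practical" means, so readers cannot tell when a workaround will be carried versus a version being excluded; consider one qualifying clause (for example, that workarounds are kept while the fix is unreleased or the affected versions are still within the supported window, and are removed once the minimum is bumped past them). Minor: the hunk adds two blank lines before the "Test and documentation dependencies" heading where the file elsewhere uses one.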
@@ -58,8 +61,10 @@ support for old versions. However, we need to be careful to not
5861over-run what down-stream packagers support (as most of the run the
5962tests and build the documentation as part of the packaging process).
6063
61- We will support at least minor versions of the development
62- dependencies released in the 12 months prior to our planned release.
64+ We will support at least minor versions of the development dependencies
65+ released in the 12 months prior to our planned release. Specific versions that
66+ are known to be buggy may be excluded from support using the finest-grained
67+ filtering that is practical.
6368
6469We will only bump these as needed or versions no longer support our
6570minimum Python and NumPy.
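Review bot: "using the finest-grained filtering that is practical" is ambiguous about the mechanism; since the point is that a single known-bad release should be excluded rather than a whole minor series, say so directly, e.g. "excluded from support, as specifically as the dependency metadata allows (for example a single patch release rather than the whole minor series)". It would also help to state that such exclusions are listed somewhere users can find them. Pre-existing nit in the context lines: "as most of the run the tests" should read "as most of them run the tests".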
@@ -76,6 +81,20 @@ In the case of GUI frameworks for which we rely on Python bindings being
7681available, we will also drop support for bindings so old that they don't
7782support any Python version that we support.
7883
84+ Security issues in dependencies
85+ ===============================
86+
87+ Generally, we do not adjust the supported versions of dependencies based on
88+ security vulnerabilities. We are a library not an application
89+ and the version constraints on our dependencies indicate what will work (not
90+ what is wise to use). Users and packagers can install newer versions of the
91+ dependencies at their discretion and evaluation of risk and impact. In
92+ contrast, if we were to adjust our minimum supported version it is very hard
93+ for a user to override our judgment.
94+
95+ If Matplotlib aids in exploiting the underlying vulnerability we should treat
96+ that as a critical bug in Matplotlib.
97+
7998.. _list-of-dependency-min-versions :
8099
81100List of dependency versions
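Review bot: the new section explains why minimum versions are not raised for security reasons, but it does not tell users or packagers how they will learn which dependency versions are affected, nor how the final case ("If Matplotlib aids in exploiting the underlying vulnerability") should be reported; consider adding a sentence that points to the project's security reporting process and noting that known-vulnerable dependency versions are documented alongside the version exclusions described above. "Aids in exploiting" also deserves one example of the intended scope (e.g. Matplotlib passing untrusted input through the vulnerable code path by default) so that triage is consistent. Minor grammar: "We are a library not an application" needs a comma after "library".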