joinmarket-clientserver
version pinning for dependencies / update notification bot
Joinmarket currently mostly uses unpinned/latest versions for its dependencies. Established best practice appears to be using version pinning to avoid accidentally breaking the application due to changed behaviour of a dependency (such as experienced in https://github.com/JoinMarket-Org/joinmarket-clientserver/commit/66875aed6e1596cec3eac5323eddabc45e3bafb2, introducing a vulnerability).
It may be desirable to start pinning versions and only manually bump those. To monitor dependencies for updates a bot such as https://github.com/pyupio/pyup could be used, which creates pull requests for available updates.
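One way to make the pinning policy enforceable rather than aspirational is a small CI check that reads the requirements file, flags every entry that is not an exact `==` pin, and compares the pins against what is actually installed. The script below is an added example written for this page, not code from the JoinMarket project; the requirements text it parses is constructed for the demo and the package names and versions in it are hypothetical, not JoinMarket's real dependency list.

```python
"""Detect unpinned requirements and version drift between pins and the
installed environment. Added example, not JoinMarket code."""
import re
from importlib import metadata

# Constructed sample requirements file: names and versions are hypothetical,
# chosen only to show pinned, ranged, bare and marker-qualified entries.
SAMPLE_REQUIREMENTS = """\
# a comment line
twisted==20.3.0
cryptography>=3.0        # range specifier, not a pin
service-identity         # no specifier at all
pyopenssl==19.1.0 ; python_version >= "3.6"
txtorcon==20.0.0
"""

# Package name, then an optional operator + version. Longer operators are
# listed first so '>=' is not mis-read as '>' followed by '=3.0'.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:(?P<op>===|==|>=|<=|~=|!=|<|>)\s*(?P<ver>[^\s,]+))?"
)


def normalize(name):
    """PEP 503 normalisation so 'pyOpenSSL' and 'pyopenssl' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (name, op, version) triples; op and version are None for bare names.
    Inline comments ('#...') and environment markers (';...') are dropped."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse requirement: {raw!r}")
        reqs.append((normalize(m["name"]), m["op"], m["ver"]))
    return reqs


def unpinned(reqs):
    """Names whose specifier is not an exact '==' pin (ranges and bare names)."""
    return [name for name, op, _ in reqs if op != "=="]


def installed_version(name, installed=None):
    """Installed version of a normalised name: from the given mapping (used
    by tests) or from the live environment via importlib.metadata."""
    if installed is not None:
        return installed.get(name)
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def check_installed(reqs, installed=None):
    """Map each requirement to 'ok', 'missing', 'unpinned' or a drift message."""
    status = {}
    for name, op, ver in reqs:
        if op != "==":
            status[name] = "unpinned"
            continue
        found = installed_version(name, installed)
        if found is None:
            status[name] = "missing"
        elif found != ver:
            status[name] = f"drift: installed {found}, pinned {ver}"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    print("unpinned:", unpinned(reqs))
    for name, result in check_installed(reqs).items():
        print(f"{name}: {result}")
```

Run against the real requirements file in CI and fail the job when `unpinned()` is non-empty or any status is not `ok`; an update bot's pull request then changes exactly one pin, which is the diff a reviewer wants to see. Exact pins stop accidental behaviour changes but do not by themselves stop a compromised index from serving a different artifact under the same version, so pairing them with `--hash=` entries and `pip install --require-hashes` closes that gap as well.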