Jarek Potiuk
Isn't "A file format to record Python dependencies for installation reproducibility" https://peps.python.org/pep-0751/ kind of what you want to achieve @tim-win ? I believe support for it is coming, and it's...
> No! I'm working for less requirements files, not more! Surely, you can use a screwdriver to get a nail in the wall, but generally using a hammer is better.
It would be great to have that in dependabot. Apache Airflow uses "build-system.requires" with custom "failing canary build" approach - but having a dependabot create pull request for that would...
Yep. I can confirm it works.
Ok. It looks like it's somewhat related to https://github.com/pypa/pip/pull/13625 - have not found it, also the old https://github.com/pypa/pip/issues/6257 that described the ask, but the current PR does not have the...
Also this issue does not allow anyone who would like to use k8s client to upgrade to 2.6.0 that contains fixes to important vulnerabilities. Specifically those two which are assessed...
> Note that urllib3 just released a version 2.6.1 that restores the removed methods as a short-term fix. Yep. Also there is an issue in openapi-generator that I opened, which...
> If (again as a shortish-term measure) the `urllib3` line in `requirements.txt` were to include a `!=2.6.0` constraint, I think that could save people some pain. I suggested the urllib3...
> Please provide a working version with urllib3 version !=2.6.0 asap. I am not allowed to deploy our tooling container with high CVE scores, which basically is the cornerstone of...
> But kubernetes still requires other versions : kubernetes 33.1.0 has this (and it works fine at least in airflow tests with urllib 2.6.1+): > Requires-Dist: urllib3>=1.24.2 But of course...