From e8e1e9194063aa27fb62cb10e7e9c5efb4c7f4c5 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Tue, 17 Mar 2026 13:52:01 +0000
Subject: [PATCH 1/2] Add a refreeze-requirements command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This automates the process of refreezing our requirements, which updates dependencies which are either tranistory or not pinned to a specific version. Importantly it ignores versions which are less than 30 days old. This gives us a chance to avoid newly-released dependencies which have supply chain attacks, before they’ve been identified by security scanning tools.
---
 Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index c2305dc320..3bc52d3fbc 100644
--- a/Makefile
+++ b/Makefile
@@ -99,12 +99,16 @@ lint: ## Run static type checks
 ruff format --check .
 mypy
 
+.PHONY: refreeze-requirements
+refreeze-requirements: ## Upgrade unpinned requirements
+ EXTRA_UV_PIP_COMPILE_FLAGS="--upgrade --exclude-newer 30d" make freeze-requirements
+
 .PHONY: freeze-requirements
 freeze-requirements: ## Pin all requirements including sub dependencies into requirements.txt
- uv pip compile requirements.in -o requirements.txt
+ uv pip compile requirements.in -o requirements.txt $(EXTRA_UV_PIP_COMPILE_FLAGS)
 uv pip sync requirements.txt
 python -c "from notifications_utils.version_tools import copy_config; copy_config()"
- uv pip compile requirements_for_test.in -o requirements_for_test.txt
+ uv pip compile requirements_for_test.in -o requirements_for_test.txt $(EXTRA_UV_PIP_COMPILE_FLAGS)
 uv pip sync requirements_for_test.txt

 .PHONY: bump-utils

From cd49bb8de769caf6669fe744c363c2be92264a12 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Tue, 17 Mar 2026 14:44:13 +0000
Subject: [PATCH 2/2] Make number of days configurable

---
 Makefile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 3bc52d3fbc..9a5498a228 100644
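Review bot: The recipe under `refreeze-requirements:` calls the sub-build as a literal `make`, which does not propagate the parent's flags, jobserver or `-n`; it should be `$(MAKE)`, and handing the value over as a make variable instead of through the environment makes the data flow explicit and survives a later `:=` assignment in the Makefile: `$(MAKE) freeze-requirements EXTRA_UV_PIP_COMPILE_FLAGS='--upgrade --exclude-newer 30d'`. The same recipe line is rewritten in the second patch's `@@ -101,7 +103,7 @@` hunk, so the fix applies there as well. No default assignment of `EXTRA_UV_PIP_COMPILE_FLAGS` is visible in the hunk, so a plain `make freeze-requirements` relies on the undefined variable expanding to empty; an explicit `EXTRA_UV_PIP_COMPILE_FLAGS ?=` next to the other variables would document that and keep `--warn-undefined-variables` quiet if it is ever enabled. Because `--exclude-newer` only filters releases by age, the 30-day window buys time for scanners rather than verifying the packages, and the help text could say what it actually does, e.g. `## Upgrade unpinned requirements, ignoring releases younger than 30 days`.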
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,8 @@ GIT_COMMIT ?= $(shell git rev-parse HEAD)
 VIRTUALENV_ROOT := $(shell [ -z $$VIRTUAL_ENV ] && echo $$(pwd)/venv || echo $$VIRTUAL_ENV)
 PYTHON_EXECUTABLE_PREFIX := $(shell test -d "$${VIRTUALENV_ROOT}" && echo "$${VIRTUALENV_ROOT}/bin/" || echo "")
 
+EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS ?= 30
+
 ## DEVELOPMENT
 
@@ -101,7 +103,7 @@ lint: ## Run static type checks

 .PHONY: refreeze-requirements
 refreeze-requirements: ## Upgrade unpinned requirements
- EXTRA_UV_PIP_COMPILE_FLAGS="--upgrade --exclude-newer 30d" make freeze-requirements
+ EXTRA_UV_PIP_COMPILE_FLAGS="--upgrade --exclude-newer $(EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS)d" make freeze-requirements

 .PHONY: freeze-requirements
 freeze-requirements: ## Pin all requirements including sub dependencies into requirements.txt
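Review bot: `EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS ?= 30` carries no comment, and the reason for the 30-day window lives only in the first patch's commit message, so whoever next lowers it to pick up a fresh release will not know it is a supply-chain guard. A comment above the assignment would keep that knowledge in the file: `# Refreezing ignores releases younger than this many days, so a newly published (possibly compromised) version is not pulled in before scanners have had a chance to flag it.` Since the value is spliced straight into `--exclude-newer $(EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS)d` in the `@@ -101,7 +103,7 @@` hunk, an empty override (`?=` treats an empty but exported variable as set) produces `--exclude-newer d`; a guard such as `$(if $(strip $(EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS)),,$(error EXCLUDE_REQUIREMENTS_NEWER_THAN_DAYS must be set))` as the first line of the refreeze recipe would fail with a clear message instead of a uv parse error.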