The most secure and maintainable dependency is a lack of dependency.
We currently have 2 unconditional dependencies:
I believe, but didn't verify, that the first is only needed for some datastax stuff we can get rid of, and the second only for serverless cloud, which we can also get rid of.
For dev dependencies, we can:
- `uv.lock` and update it consciously
- `exclude-newer` option from uv: https://docs.astral.sh/uv/reference/settings/#exclude-newer . This would prevent quickly-detected package takeovers from affecting us. Not a comprehensive solution, but a nice hardening.
We also have optional dependencies:
```toml
[project.optional-dependencies]
graph = ['gremlinpython>=3.7.4,<4']
cle = ['cryptography>=42.0']
compress-lz4 = ['lz4']
compress-snappy = ['python-snappy']
auth-kerberos = [
    'kerberos; platform_system != "Windows"',
    'winkerberos; platform_system == "Windows"',
]
```
`graph` can be removed, it's datastax-specific. Not sure what to do about the others. Pinning them to specific versions will make usage painful if a user has some other package with incompatible bounds.
Even without addressing this last issue, the other measures I proposed should decrease our risk quite a bit.