Let's say you are the maintainer of a Python library that depends on another Python library like “urllib3”. Because you want to make sure users receive a compatible version of urllib3, you add a version specifier that sets the minimum to the current “major” version so users know that older versions aren't compatible. This is what your pyproject.toml might look like:

```toml
[project]
name = "example-library"
dependencies = [
  "urllib3>=2",
]
```

Now let's say that urllib3 publishes a vulnerability that affects “version 2.6.2 and earlier” and is fixed in version 2.6.3. Later you receive this pull request from a concerned user that changes the minimum version from 2 to 2.6.3 to “disallow installing a vulnerable version of urllib3”:

```diff
[project]
name = "example-library"
dependencies = [
- "urllib3>=2",
+ "urllib3>=2.6.3",
]
```

You probably should not accept this pull request. Version ranges for libraries are meant to be used for compatibility, not for security vulnerabilities. This is a key difference…
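Review bot: the hunk raises the lower bound from `>=2` to `>=2.6.3` because of an advisory, not because example-library stopped working with 2.6.0 through 2.6.2, so the range no longer states compatibility and will refuse to co-install with any application still pinned inside the “2.6.2 and earlier” range. If the goal is to keep users off the vulnerable releases, that belongs in the applications' pinned versions and their audit tooling; the library's `"urllib3>=2"` should stay as it is.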
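As an added example (not code from the original post, from urllib3 or from the example-library project), the following standard-library Python script makes the distinction concrete: it checks a constructed application lock file against a constructed affected range (`<=2.6.2`, derived from the post's “version 2.6.2 and earlier”), and shows that tightening the library's lower bound instead conflicts with an application that still pins 2.6.2. The requirement strings, the advisory mapping and the lock file are constructed inputs; the specifier parser is a deliberate subset that handles only `>=`, `>`, `<=`, `<`, `==` and `!=` on plain release versions, not full PEP 440.

```python
"""Added example: audit pinned versions against an advisory instead of
tightening a library's compatibility range. Standard library only."""
from __future__ import annotations

import operator
import re

# Constructed inputs for illustration (not real advisory or lock-file data).
LIBRARY_REQUIREMENT = "urllib3>=2"          # the compatibility range from the post
PROPOSED_REQUIREMENT = "urllib3>=2.6.3"     # the pull request's change
ADVISORY_AFFECTED = {"urllib3": "<=2.6.2"}  # "version 2.6.2 and earlier"
APP_LOCK = {"urllib3": "2.6.2", "example-other": "1.0.0"}  # hypothetical app pins

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}
_CLAUSE = re.compile(r"(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")
_REQUIREMENT = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain release version ("2.6.3") into a comparable tuple.
    Trailing zeros are dropped so that "2", "2.0" and "2.0.0" compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` is allowed by every comma-separated clause of `specifier`.
    Subset of PEP 440: >=, >, <=, <, ==, != on release segments only."""
    v = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def parse_requirement(requirement: str) -> tuple[str, str]:
    """Split "urllib3>=2" into ("urllib3", ">=2")."""
    m = _REQUIREMENT.match(requirement)
    if m is None:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return m.group(1), m.group(2).strip()


def conflicts_with_pin(requirement: str, pinned_version: str) -> bool:
    """Would a library declaring `requirement` refuse to co-install with an
    application that pins `pinned_version`? This is the breakage the post warns
    about: the library's range vetoing the application's own choice."""
    _, spec = parse_requirement(requirement)
    return not satisfies(pinned_version, spec)


def vulnerable_pins(lock: dict[str, str], affected: dict[str, str]) -> dict[str, str]:
    """Application-side check: which pinned versions fall inside an advisory's
    affected range? The fix is to bump the pin here, not every library's range."""
    return {pkg: ver for pkg, ver in lock.items()
            if pkg in affected and satisfies(ver, affected[pkg])}


if __name__ == "__main__":
    # The compatibility range admits both the vulnerable and the fixed release,
    # which is correct: both are API-compatible with example-library.
    spec = parse_requirement(LIBRARY_REQUIREMENT)[1]
    for ver in ("1.26.0", "2.6.2", "2.6.3"):
        print(f"urllib3 {ver} satisfies {LIBRARY_REQUIREMENT!r}: {satisfies(ver, spec)}")
    # The proposed change turns the range into a security gate and conflicts
    # with an application that is still pinned to 2.6.2.
    print("proposed range conflicts with app pin 2.6.2:",
          conflicts_with_pin(PROPOSED_REQUIREMENT, "2.6.2"))
    # Where the advisory actually belongs: the application's resolved versions.
    print("vulnerable pins in app lock:", vulnerable_pins(APP_LOCK, ADVISORY_AFFECTED))
    fixed_lock = {**APP_LOCK, "urllib3": "2.6.3"}
    print("after bumping the app pin:", vulnerable_pins(fixed_lock, ADVISORY_AFFECTED))
```

Run it as a script to see the three outcomes side by side: the unchanged `>=2` range accepts every 2.x release, the proposed `>=2.6.3` range would block an application pinned to 2.6.2 rather than let it upgrade on its own schedule, and the advisory check against the application's lock file is the place where the vulnerable pin is actually found and fixed.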