frozen requirements in docker
Use frozen requirements in docker to fix dependencies (to prevent the FOSSA scan from detecting transitive dependency changes). If requirements.txt or requirements_dev.txt contains a newer requirement version, it will override the frozen requirements.
I'm a bit puzzled to have both requirements.txt and frozenrequirements.txt installed. (Also, it's not related to your changes, but I think it should not install requirements_dev.txt.)
Moreover, I'm a bit concerned that this change is so far just motivated as a workaround/fix for the FOSSA scan. What about a deeper elaboration on dependency lock/freeze? How is it integrated in our delivery process (so far it's manual, right?)? Could tools such as poetry, pipenv or others help us here?
Edited by Yannick
Thank you for your comment Yannick. frozenrequirements allows freezing the transitive dependencies. This way we control the version of all components. frozenrequirements should be updated each time a new dependency is added/removed/updated in requirements.txt. (The build pipeline generates an artefact with the content of the pip freeze.) Then for requirements_dev.txt, I agree it should not be included in the docker image. (Let's create a new ticket for this.)
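One way to automate the rule stated above (keep frozenrequirements in step with requirements.txt, and catch the case from the merge request description where a newer specifier in requirements.txt would override a frozen pin) is a small consistency check run in CI before the image is built. The script below is an added example, not the project's own tooling; the function names and the two sample file contents are constructed for illustration, and it deliberately supports only plain pip specifier lines (no hashes, markers or URLs).

```python
"""Consistency check between requirements.txt and a pip-freeze file.

Added example (not the project's own tooling). It assumes both files use
plain pip requirement lines with ==, >=, <=, >, <, != specifiers; hashes,
environment markers and URL requirements are not handled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: direct dependencies as a team might list them.
REQUIREMENTS_TXT = """\
# direct dependencies
requests>=2.28
click
PyYAML==6.0
"""

# Constructed sample: what the pipeline's `pip freeze` artefact might hold.
FROZEN_TXT = """\
certifi==2023.7.22
charset-normalizer==3.2.0
click==8.1.7
idna==3.4
pyyaml==6.0
requests==2.31.0
urllib3==2.0.4
"""

_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_PIN_RE = re.compile(r"^==\s*([0-9A-Za-z.+!-]+)$")


def canonical(name: str) -> str:
    """PEP 503 style normalisation so PyYAML and pyyaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, str]:
    """Map canonical project name -> specifier string ('' when unconstrained)."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / --index-url
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        result[canonical(match.group(1))] = match.group(2).strip()
    return result


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric prefix of each dot-separated segment; enough for release versions."""
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def spec_satisfied(spec: str, version: str) -> bool:
    """Evaluate a comma-separated specifier against one concrete version."""
    if not spec:
        return True
    for clause in spec.split(","):
        match = re.match(r"(==|>=|<=|!=|>|<)\s*(\S+)$", clause.strip())
        if match is None:
            return False  # ~=, ===, wildcards, markers: unsupported, treat as failure
        op, wanted = match.groups()
        have, want = _version_tuple(version), _version_tuple(wanted)
        width = max(len(have), len(want))
        have += (0,) * (width - len(have))
        want += (0,) * (width - len(want))
        ok = {"==": have == want, "!=": have != want, ">=": have >= want,
              "<=": have <= want, ">": have > want, "<": have < want}[op]
        if not ok:
            return False
    return True


def check_frozen(requirements_text: str, frozen_text: str) -> List[str]:
    """Return a list of problems; an empty list means the frozen file is consistent.

    Checks: every frozen entry is an exact '==' pin, every direct requirement is
    present in the frozen file, and each frozen pin satisfies its direct specifier
    (a newer direct specifier overriding a pin is the conflict the MR warns about).
    """
    direct = parse_requirements(requirements_text)
    frozen = parse_requirements(frozen_text)
    problems: List[str] = []
    for name, spec in sorted(frozen.items()):
        if _PIN_RE.match(spec) is None:
            problems.append(f"{name}: frozen entry is not an exact '==' pin ({spec or 'unpinned'})")
    for name, spec in sorted(direct.items()):
        if name not in frozen:
            problems.append(f"{name}: in requirements.txt but missing from the frozen file")
            continue
        pin = _PIN_RE.match(frozen[name])
        if pin is not None and not spec_satisfied(spec, pin.group(1)):
            problems.append(f"{name}: frozen pin {frozen[name]} does not satisfy '{spec}'")
    return problems


if __name__ == "__main__":
    for line in check_frozen(REQUIREMENTS_TXT, FROZEN_TXT) or ["frozen requirements are consistent"]:
        print(line)
```

Run against the real files in the pipeline step that produces the pip freeze artefact, a non-empty result should fail the build before the docker image is built. In the Dockerfile itself, installing only the frozen file (for example `pip install --no-deps -r frozenrequirements.txt`, and `--require-hashes` if the file carries hashes) keeps the frozen set authoritative instead of letting a later `pip install -r requirements.txt` re-resolve it.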
Ok, you updated the NOTICE and added the frozen requirements to the docker image. Regarding removing the dev requirements from the docker image, the "all requirements" artifact that's used to upload the "frozen requirements" is generated after the compile-and-unit-tests phase, so it will include these dependencies in the docker image anyway, right?
mentioned in commit e70e979b
changed milestone to %M6 - Release 0.9