@@ -49,7 +49,7 @@ without compiled extensions
4949We will only bump these dependencies as we need new features or the old
5050versions no longer support our minimum NumPy or Python.
5151
52- We should work around bugs in our dependencies when practical.
52+ We will work around bugs in our dependencies when practical.
5353
5454
5555Test and documentation dependencies
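Review bot: changing "should" to "will" on line 52 turns guidance into a commitment, with "when practical" as the only qualifier; consider stating who judges practicality or what a workaround may not do (for example, change public API or pin a dependency), otherwise the sentence now promises more than the surrounding text, which uses "only bump these dependencies as we need new features", actually constrains.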
@@ -81,15 +81,16 @@ In the case of GUI frameworks for which we rely on Python bindings being
8181available, we will also drop support for bindings so old that they don't
8282support any Python version that we support.
8383
84- Security Issues in Dependencies
84+ Security issues in dependencies
8585===============================
8686
87- In most cases we should not adjust the versions supported based on CVEs to our
88- dependencies. We are a library not an application and the version constraints
89- on our dependencies indicate what will work (not what is wise to use). Users
90- and packagers can install newer versions of the dependencies their discretion
91- and evaluation of risk and impact. In contrast, if we were to adjust our
92- minimum supported version it is very hard for a user to override our judgment.
87+ Generally, we do not adjust the supported versions of dependencies based on
88+ security vulnerabilities. We are a library not an application
89+ and the version constraints on our dependencies indicate what will work (not
90+ what is wise to use). Users and packagers can install newer versions of the
91+ dependencies at their discretion and evaluation of risk and impact. In
92+ contrast, if we were to adjust our minimum supported version it is very hard
93+ for a user to override our judgment.
9394
9495If Matplotlib aids in exploiting the underlying vulnerability we should treat
9596that as a critical bug in Matplotlib.
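Review bot: the rewritten paragraph (lines 87-93) says the project "generally" does not adjust supported versions for vulnerabilities, but the unchanged closing paragraph (lines 94-96) treats the case where Matplotlib aids exploitation as a critical bug without saying what the response is; suggest stating whether that response can include raising the minimum supported version or issuing a patch release, so the "generally" has a defined exception. Minor: line 88 needs a comma, "We are a library, not an application".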