As an extension of @leandron 's comment above, we should apply the same to packages we install and use as part of TVM - at the bare minimum we should have tools to check packages haven't notified of major vulnerabilities and basic static analysis tools to catch easy to spot vulnerable code. As part of this we need some kind of mechanism for locking versions and performing updates on them regularly (I remember @areusch was keen on `poetry` at one point :wink:).
-- Reply to this email directly or view it on GitHub: https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1029930458 You are receiving this because you are subscribed to this thread. Message ID: <apache/tvm-rfcs/pull/54/c1029930...@github.com>
