# troubleshooting
j
I’ve got security requirements that want all of my meltano plugins' dependencies to be scanned after a `meltano install`. This obviously produces a load of security vulnerabilities when doing an image scan. Does `meltano install` try to install the latest possible version of every plugin’s dependencies? Is the only way to solve these security vulnerabilities to submit updates/PRs to each individual plugin’s repo?
e
Hi! Meltano uses pip under the hood. This is what it has to say:
Once pip has the set of requirements to satisfy, it chooses which version of each requirement to install using the simple rule that the latest version that satisfies the given constraints will be installed (but see here for an exception regarding pre-release versions). Where more than one source of the chosen version is available, it is assumed that any source is acceptable (as otherwise the versions would differ).
So yeah, if a plugin has an upper bound on a dependency, one option is to fork the repo. I also think you could get away with installing the main package with one pip invocation, then installing the dependency you want with a newer but unsupported version in a second pip invocation. However, Meltano doesn't support that use case with a clean interface, so you'd have to use the `pip` executable available in the plugin venv.
j
Interesting workaround I hadn’t thought of, maybe I’ll give it a shot.
a
Another idea: I thought it might be useful to run your own hub and always install / update from there: https://medium.com/@rfrankel_8960/a-private-meltano-hub-for-enterprise-users-b23c324632d0 There are still the pip issues with this approach, but you'd probably fork a plugin for everything your enterprise cares about, and each part of the company / each project could update as and when they need.