Skip to content

[Feat]: Update supported-version policy / security #192

Description

@rosspeili

Feature Description

Retire the current three-band policy (< 0.2.6 unsupported, 0.2.6–0.3.0 no fixes, >= 0.3.1 supported) and align code + docs with:

Installed version Security support CLI advisory
>= 0.3.5 Supported — security reports accepted and patched Silent
0.3.0 – 0.3.4 No security fixes; upgrade recommended Silent
<= 0.2.9 (e.g. 0.2.9, 0.2.6) Unsupported One dim stderr message at CLI startup

Files to update

  • skillware/version_policy.pyMIN_UNSUPPORTED, MIN_SECURITY_SUPPORTED, UPGRADE_TARGET (and any helper logic if a middle band needs explicit handling)
  • SECURITY.md — supported-versions table
  • tests/test_version_policy.py — threshold assertions and advisory message (>= 0.3.5)
  • docs/usage/cli.mdVersion advisory section (currently documents 0.2.6 / 0.3.1)

Note: pyproject.toml only holds the package release version (0.3.9); policy constants stay in version_policy.py unless maintainers decide to document them elsewhere.

Add CHANGELOG.md entry under [Unreleased] when merged.

Rationale

Project is on 0.3.9. The 0.3.1 security floor is outdated. Tightening bands reflects real support intent: patch only recent releases (0.3.5+), treat 0.3.0–0.3.4 as legacy without security backports, and warn only on end-of-life installs (0.2.9 and below).

Implementation Idea

In version_policy.py:

  • MIN_UNSUPPORTED = Version("0.3.0") → advisory when installed < 0.3.0 (covers 0.2.9 and earlier)
  • MIN_SECURITY_SUPPORTED = Version("0.3.5") → document in SECURITY.md; no CLI spam for 0.3.0–0.3.4
  • UPGRADE_TARGET = "0.3.5"

Keep should_emit_unsupported_advisory() as installed < MIN_UNSUPPORTED only.

Update tests/test_version_policy.py for 0.2.9 (advisory), 0.3.0 / 0.3.4 (silent), 0.3.5+ (silent), and assert upgrade message references >=0.3.5.

Mirror the table in SECURITY.md and the Version advisory section in docs/usage/cli.md.

Metadata

Metadata

Assignees

No one assigned

    Labels

    core frameworkChanges to loader, env, or base classes.enhancementNew feature or requestsecuritySecurity vulnerabilities or constitution updates.

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions