The most impactful dependency issues across all charms. Fixing these first yields the highest return — each affects dozens of charms simultaneously.
Pinned to >=2.18.4, >=1.1.0. 6 known vulnerabilities (CVE-2014-1830, CVE-2024-47081, CVE-2024-35195). Latest: 2.32.5.
Upper bound pin restricts to older versions with known CVEs.
Pinned to >=1.1.1,<2.0.0, ~= 5.9.5. 1 known vulnerability (CVE-2019-18874). Latest: 7.2.2.
cinder-lvm
Pinned to <3.4. 6 known vulnerabilities (GHSA-39hc-v87j-747x, CVE-2023-50782, GHSA-5cpq-8wj7-hf2v). Latest: 46.0.5.
charm-tools has an indirect dependency on cryptography. Newer versions require a Rust compiler to build, see
Each charm is scored 0-100 based on dependency health. Red = critical CVE exposure or severe conflicts. Click any charm to see its specific issues and source repository.
Issues organized by severity. Each card shows the affected package, root cause, impact, and number of charms that benefit from fixing it.
Pinned to >=2.18.4, >=1.1.0. 6 known vulnerabilities (CVE-2014-1830, CVE-2024-47081, CVE-2024-35195). Latest: 2.32.5.
Upper bound pin restricts to older versions with known CVEs.
Patch files: test-requirements.txt
test-requirements.txt
via 1 transitive source
Pinned to >=1.1.1,<2.0.0, ~= 5.9.5. 1 known vulnerability (CVE-2019-18874). Latest: 7.2.2.
cinder-lvm
Patch files: test-requirements.txt
test-requirements.txt
via 2 transitive sources
Pinned to <3.4. 6 known vulnerabilities (GHSA-39hc-v87j-747x, CVE-2023-50782, GHSA-5cpq-8wj7-hf2v). Latest: 46.0.5.
charm-tools has an indirect dependency on cryptography. Newer versions require a Rust compiler to bu
Patch files: requirements.txt
test-requirements.txt
via 1 transitive source
Different charms pin ops to incompatible ranges (>= 1.2.0, >= 1.5.0). Breaks unified environments.
Each charm pinned independently to different upper bounds.
Patch files: requirements.txt
test-requirements.txt
Different charms pin charm_tools to incompatible ranges (>=2.4.4, ==2.8.3). Breaks unified environments.
Each charm pinned independently to different upper bounds.
Patch files: test-requirements.txt
requirements.txt
Pinned to <50.0.0, <82. 4 known vulnerabilities (CVE-2013-1633, CVE-2025-47273, CVE-2024-6345). Latest: 82.0.1.
requirements.txt
Patch files: requirements.txt
test-requirements.txt
via 3 transitive sources
Different charms pin netaddr to incompatible ranges (>0.7.16,<0.8.0, >=0.7.12,!=0.7.16). Breaks unified environments.
Strange import error with newer netaddr:
Patch files: requirements.txt
requirements.txt
via 5 transitive sources
Different charms pin jsonschema to incompatible ranges (<4.18.0, <=4.10). Breaks unified environments.
The dependency is present as we test various inputs to config options (including invalid ones) which
Patch files: requirements.txt
test-requirements.txt
Pinned to <=22.0.0. 5 known vulnerabilities (CVE-2018-1000808, CVE-2026-27459, CVE-2013-4314). Latest: 26.0.0.
icey: pyopenssl 22 introduces a requirement on newer OpenSSL which causes test failures. Pin pyopens
Patch files: src-test-requirements.txt
test-requirements.txt
via 1 transitive source
Different charms pin python_cinderclient to incompatible ranges (>=1.4.0,<2.0, >=1.4.0,<5.0.0). Breaks unified environme
Each charm pinned independently to different upper bounds.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 2 transitive sources
Different charms pin pika to incompatible ranges (>=0.10.0,<1.0). Breaks unified environments.
Each charm pinned independently to different upper bounds.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 1 transitive source
Different charms pin gnocchiclient to incompatible ranges (>=3.1.0,<3.2.0). Breaks unified environments.
Each charm pinned independently to different upper bounds.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 1 transitive source
Unpinned git dependency (master) across 98 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Unpinned git dependency (master) across 97 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Pinned to >=2.2.4,<=2.4.1, >=2.2.4 but latest is 7.3.0. Multiple major versions behind.
Upper bound pin from older release, not updated since.
Patch files: test-requirements.txt
test-requirements.txt
via 2 transitive sources
Unpinned git dependency (master) across 83 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Pinned to ==5.6.0, !=2.1.0,>=2.0.0 but latest is 7.0.3. Multiple major versions behind.
vault
Patch files: test-requirements.txt
test-requirements.txt
via 2 transitive sources
Unpinned git dependency (master) across 43 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Unpinned git dependency (master) across 24 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Unpinned git dependency (master) across 22 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Unpinned git dependency (master) across 15 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Unpinned git dependency (master) across 9 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Pinned to >=1.7.1,<2.0, >=1.7.1 but latest is 5.8.0. Multiple major versions behind.
keystone-k8s
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 2 transitive sources
Unpinned git dependency (master) across 7 charms. Breaking changes propagate instantly.
No branch pin — tracks latest master.
Pinned to >=1.5,<2.0, >=1.5 but latest is 6.4.0. Multiple major versions behind.
Upper bound pin from older release, not updated since.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 2 transitive sources
Pinned to >=0.8.0,<1.0, >=0.8.0 but latest is 5.1.0. Multiple major versions behind.
Upper bound pin from older release, not updated since.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 2 transitive sources
Pinned to >=3.1.0,<4.0, >=3.1.0 but latest is 11.8.0. Multiple major versions behind.
Upper bound pin from older release, not updated since.
Patch files: src-test-requirements.txt
src-test-requirements.txt
via 2 transitive sources
Exact pin ==2.1.1, ==2.4.0 prevents receiving updates. Latest: 3.4.0.
Pinned to exact version for reproducible builds.
Patch files: test-requirements.txt
test-requirements.txt
Exact pin <4.0.0, ==5.1.0 prevents receiving updates. Latest: 6.7.2.
oslo.i18n dropped py35 support
Patch files: test-requirements.txt
test-requirements.txt
Exact pin ==0.3.0 prevents receiving updates. Latest: 4.2.0.
Pinned to exact version for reproducible builds.
Patch files: build-requirements.txt
Exact pin ==8.0.1 prevents receiving updates. Latest: 8.0.2.
Pinned to exact version for reproducible builds.
Patch files: requirements.txt
Exact pin ==3.0.0 prevents receiving updates. Latest: 4.10.0.
Pinned to exact version for reproducible builds.
Patch files: requirements.txt
requirements.txt
Exact pin ==0.10.12 prevents receiving updates. Latest: 0.19.1.
Pinned to exact version for reproducible builds.
Patch files: requirements.txt
requirements.txt