Updating vulnerable Python dependencies
Finding vulnerable dependencies
Safety-db is a database that tracks vulnerable Python packages together with the affected version ranges. It is updated once a month. The same project provides a command-line tool called safety, which checks whether the installed packages, or the packages listed in a requirements.txt file, are identified as vulnerable in safety-db.
- Install safety:
  pip install safety
- Use safety to check all packages in the current virtual environment:
  safety check
- Use safety to check only the dependencies listed in the requirements.txt file:
  safety check -r requirements.txt
Safety prints a list of the Python packages that have a known vulnerability.
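To make the check concrete, here is a miniature of what safety does when it compares a requirements file against safety-db. This is an added example, not code from the safety project: the database entries and the requirements file are constructed inline, the advisory ids (EXAMPLE-0001 and so on) and version ranges are placeholders rather than real advisories, and the version parser handles only plain dotted numeric versions, whereas the real tool uses full PEP 440 parsing.

```python
"""Miniature of the check that safety performs against safety-db.

Added example, not the safety project's code. Both the database and the
requirements file below are constructed inline; the advisory ids and version
ranges are placeholders, not real advisories.
"""
import json
import re

# Constructed safety-db style data: package name -> list of advisories, each
# carrying the affected version specifiers. Placeholder ids and text.
INSECURE_DB_JSON = """
{
  "pillow": [
    {"id": "EXAMPLE-0001", "specs": ["<8.3.2"], "advisory": "placeholder advisory"}
  ],
  "django": [
    {"id": "EXAMPLE-0002", "specs": [">=3.0,<3.2.8"], "advisory": "placeholder advisory"},
    {"id": "EXAMPLE-0003", "specs": [">=2.2,<2.2.24"], "advisory": "placeholder advisory"}
  ]
}
"""

# Constructed requirements.txt with exact pins (the only form this checker inspects).
REQUIREMENTS_TXT = """
# constructed requirements.txt
pillow==8.1.0
Django==3.2.5
requests==2.26.0
"""

_VERSION = r"[0-9]+(?:\.[0-9]+)*"
_CLAUSE = re.compile(r"\s*(<=|>=|==|!=|<|>)\s*(" + _VERSION + r")\s*")
_PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(" + _VERSION + r")")

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Plain dotted numeric versions only (real safety uses full PEP 440 parsing)."""
    return tuple(int(part) for part in text.split("."))


def _padded(a, b):
    # Pad with zeros so that 3.2 and 3.2.0 compare equal.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_spec(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=3.0,<3.2.8'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        a, b = _padded(v, parse_version(bound))
        if not _OPS[op](a, b):
            return False
    return True


def parse_requirements(text):
    """Return {normalized-name: version} for the exactly pinned lines of a requirements file."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = _PIN.fullmatch(line)
        if m:                                  # lines without an == pin cannot be checked
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = m.group(2)
    return pins


def find_vulnerable(requirements_text, db_json):
    """List (package, pinned version, advisory id) for every pin inside an affected range."""
    db = json.loads(db_json)
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for advisory in db.get(name, []):
            if any(version_in_spec(version, spec) for spec in advisory["specs"]):
                findings.append((name, version, advisory["id"]))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id in find_vulnerable(REQUIREMENTS_TXT, INSECURE_DB_JSON):
        print(f"{name}=={version} is affected by {advisory_id}")
```

Two details matter in practice: package names are normalized before lookup (Django and django are the same project), and only exactly pinned lines are checked, because a range such as requests>=2.20 does not say which version is actually installed. For unpinned requirements, run safety check inside the virtual environment instead, so it sees the resolved versions.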
Updating dependencies
To update the dependencies we can use the pip-upgrader tool (the installed command is named pip-upgrade). It updates the dependency packages to their latest versions and also updates the pins in the requirements.txt file.
- Install pip-upgrader:
  pip install pip-upgrader
- Use pip-upgrader on a requirements.txt file:
  pip-upgrade requirements.txt
  If no requirements.txt file is given, pip-upgrade expects to find one in the current directory.
- Use pip-upgrader to update a specific package:
  pip-upgrade requirements.txt -p pillow
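The edit that pip-upgrade -p pillow makes to requirements.txt is simply a rewrite of that package's == pin. The following added example (not pip-upgrader's own code) performs that rewrite on a constructed requirements file; because it runs offline, the target version is passed in by the caller rather than fetched from PyPI, and the file contents and versions are placeholders.

```python
"""Rewrite the == pin of one package in a requirements.txt, the edit that
pip-upgrade -p <package> makes after it has looked up the newest release.

Added example, not pip-upgrader's code. Because this runs offline, the new
version is passed in by the caller instead of being fetched from PyPI.
"""
import re

# Constructed requirements.txt; the versions are placeholders.
REQUIREMENTS_TXT = """# constructed requirements.txt
pillow==8.1.0  # image handling
Django==3.2.5
requests>=2.20
"""

# name, optional [extras], == pin, then anything else (comment, environment marker)
_PIN_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"\s*==\s*(?P<version>[^\s#;]+)(?P<rest>.*)$"
)


def normalize(name):
    """PEP 503 style normalization so Pillow, pillow and PILLOW refer to the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def upgrade_pin(requirements_text, package, new_version):
    """Return (new_text, changed). Only an exact == pin of `package` is rewritten;
    unpinned lines (>=, ~=, no version) and other packages are left untouched."""
    out = []
    changed = False
    for line in requirements_text.splitlines():
        m = _PIN_LINE.match(line)
        if m and normalize(m.group("name")) == normalize(package):
            if m.group("version") != new_version:
                line = (f"{m.group('indent')}{m.group('name')}{m.group('extras') or ''}"
                        f"=={new_version}{m.group('rest')}")
                changed = True
        out.append(line)
    trailing = "\n" if requirements_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    updated, changed = upgrade_pin(REQUIREMENTS_TXT, "Pillow", "8.3.2")
    print(updated if changed else "nothing to do")
```

Trailing comments and extras on the pinned line are preserved, and a line that only specifies a range (requests>=2.20) is reported as unchanged, since there is no exact pin to bump; that mirrors why keeping dependencies exactly pinned makes both the safety check and the upgrade step predictable.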
Check for regressions
Newer versions of dependencies may change the APIs that the application uses, so after updating dependencies it is always a good idea to check that the application still works correctly with the updated packages.
Author Abdun Nihaal
LastMod 18-10-2021