Updating vulnerable Python dependencies
Finding vulnerable dependencies
Safety-db is a database that tracks vulnerable Python packages and the affected version ranges. It is updated once a month. The same project provides a tool called safety that checks whether the installed packages, or the packages listed in requirements.txt, are identified as vulnerable in safety-db.
pip install safety
Use safety to check all packages installed in the current virtual environment
Use safety to only check the dependencies listed in requirements.txt file
safety check -r requirements.txt
Safety shows a list of python packages that have a known vulnerability.
To update the dependencies we can use pip-upgrader. It updates each dependency package to its latest version and rewrites the requirements.txt file to match.
pip install pip-upgrader
Use pip-upgrader on a requirements.txt file
If no requirements.txt file is given, pip-upgrade expects to find one in the current directory.
Use pip-upgrader to update a specific package
pip-upgrade requirements.txt -p pillow
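To make the two steps above concrete, here is an added example (not code from this post, nor from safety, safety-db or pip-upgrader) that re-implements them offline in a minimal form: it parses the == pins in a requirements.txt, checks them against an advisory list in the JSON shape safety-db uses (package name mapped to affected version specs plus advisory text), and then rewrites the pins the way pip-upgrade does, optionally for a single package as with -p. The requirements, advisory entries, CVE ids and "latest" versions are all constructed for the example; only version clauses of the form <, <=, >, >=, ==, != are handled.

```python
"""Added example (not from the post, safety, safety-db or pip-upgrader):
an offline re-implementation of a safety-style check of '==' pins against a
safety-db-shaped advisory list, followed by a pip-upgrader-style rewrite of
the pins. All advisory data, CVE ids and version numbers are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory data in the shape safety-db's JSON uses:
# package -> list of {"specs": [affected version ranges], "advisory": text, "cve": id}.
SAMPLE_DB: Dict[str, List[dict]] = {
    "pillow": [{"specs": ["<6.2.2"], "advisory": "constructed advisory", "cve": "CVE-PLACEHOLDER-1"}],
    "requests": [{"specs": [">=2.0,<2.20.0"], "advisory": "constructed advisory", "cve": "CVE-PLACEHOLDER-2"}],
}

# Constructed requirements.txt. Only '==' pins can be checked against a version
# spec; a range such as six>=1.10 is skipped because no single version is known.
SAMPLE_REQUIREMENTS = """# constructed requirements.txt
pillow==6.2.0
requests==2.19.1
six>=1.10
"""

# Constructed "latest release" table standing in for what pip-upgrader looks up on PyPI.
LATEST = {"pillow": "6.2.2", "requests": "2.20.0"}

REQ_RE = re.compile(r"^(\s*)([A-Za-z0-9][A-Za-z0-9_.-]*)\s*==\s*([0-9][0-9.]*)(.*)$")
SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def normalize(name: str) -> str:
    """PyPI names are case-insensitive and treat '_' and '-' alike."""
    return name.lower().replace("_", "-")


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.strip().split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so 6.2 compares equal to 6.2.0, then return -1, 0 or 1.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_matches(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec, e.g. '>=2.0,<2.20.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def parse_pins(requirements_text: str) -> Dict[str, str]:
    """Return {normalized package: pinned version} for the '==' lines."""
    pins = {}
    for line in requirements_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            pins[normalize(m.group(2))] = m.group(3)
    return pins


def check(pins: Dict[str, str], db: Dict[str, List[dict]]) -> List[dict]:
    """safety-style check: report every pin that falls inside an advisory's affected specs."""
    findings = []
    for name, version in pins.items():
        for entry in db.get(name, []):
            if any(version_matches(version, s) for s in entry["specs"]):
                findings.append({"package": name, "pinned": version,
                                 "cve": entry["cve"], "advisory": entry["advisory"]})
    return findings


def upgrade_pins(requirements_text: str, latest: Dict[str, str], only: Optional[str] = None) -> str:
    """pip-upgrader-style rewrite: bump each '==' pin to latest[name]. With only=PKG,
    touch just that package, like 'pip-upgrade requirements.txt -p PKG'."""
    out = []
    for line in requirements_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            ws, name, _old, rest = m.groups()
            key = normalize(name)
            if key in latest and (only is None or normalize(only) == key):
                out.append(f"{ws}{name}=={latest[key]}{rest}")
                continue
        out.append(line)  # comments, blank lines and unpinned requirements pass through unchanged
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in check(parse_pins(SAMPLE_REQUIREMENTS), SAMPLE_DB):
        print(f"{f['package']}=={f['pinned']}: {f['cve']} {f['advisory']}")
    print(upgrade_pins(SAMPLE_REQUIREMENTS, LATEST, only="pillow"))
```

Running the script reports both constructed pins as vulnerable, then shows the requirements file with only pillow bumped. Re-running check() on the fully upgraded file returns no findings, which is the state you want before moving on to the regression check below. Note that a requirement without an exact pin cannot be matched against an advisory's version range, which is one reason to pin versions in requirements.txt in the first place.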
Check for regressions
Newer versions of dependencies may change the API that the application relies on. So after updating dependencies, it is always a good idea to verify that the application still works correctly with the updated packages before deploying them.
Author Abdun Nihaal