On 11/7/24 01:31, Lichtinger, Bernhard wrote:
> Hi,
> I am looking for some advice: If we use the virtualenv install method, how does one keep track of security updates for all the installed dependencies?
> I can think of:
> - Upgrade regularly all installed packages inside the virtualenv. This might break mailman3 if there are incompatible updates.
You can do in the venv
pip install --upgrade --upgrade-strategy eager mailman psycopg2-binary mailman-web mailman-hyperkitty
I'm not sure if this will update dependencies if there are no updates to the named package, but in any case, incompatibilities should be avoided because if a newer version of a dependency is incompatible, the dependency should be pinned to a compatible version in the project's requirements.
> - Try to track all dependencies and check if there are security updates published. This might be impossible to achieve.
It shouldn't be too difficult to script this.
Get the output from `pip freeze` in the venv
for each line split it on `==` into PACKAGE and VERSION
get https://pypi.org/rss/project/PACKAGE/releases.xml
find the first <title>VERSION</title> and compare that VERSION to the VERSION from `pip freeze`
This won't tell you if the newer version is a security update, but it will tell you which packages have newer versions.
> - Security updates are so rare, we do not need to bother. ;)
For the Mailman dependencies, this is probably true.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
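The check Mark sketches above, written out as an added example (not code from this thread or from Mailman): it parses `pip freeze` output, reads the first `<item>` `<title>` from each package's PyPI releases feed at the URL he gives, and reports packages with a newer release. The `pip freeze` text and feeds below are constructed with made-up version numbers; the feed fetcher is injected so the logic runs offline, and the version ordering is a deliberately simplified stand-in for PEP 440.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET
PYPI_RSS = "https://pypi.org/rss/project/{name}/releases.xml"

def parse_freeze(freeze_text):
    """{name: version} from `pip freeze`; lines without '==' (editable/VCS installs) are skipped."""
    pairs = (l.strip().split("==", 1) for l in freeze_text.splitlines() if "==" in l)
    return {name.lower(): version for name, version in pairs}

def latest_from_rss(xml_text):
    """Newest release = <title> of the first <item>; the channel's own <title> is the project name."""
    item = ET.fromstring(xml_text).find("./channel/item")
    if item is None or not item.findtext("title"):
        raise ValueError("feed has no release items")
    return item.findtext("title").strip()

def version_key(v):
    """Simplified ordering, not PEP 440: dotted numbers as ints; a letter suffix (rc1, dev0) sorts below the bare number."""
    m = re.match(r"[\d.]*\d", v)
    nums = tuple(int(x) for x in m.group(0).split(".")) if m else ()
    rest = v[m.end():] if m else v
    return (nums, rest == "", rest)

def fetch_rss(name):
    with urllib.request.urlopen(PYPI_RSS.format(name=name), timeout=10) as r:
        return r.read().decode("utf-8")

def find_outdated(freeze_text, fetch=fetch_rss):
    """Return ([(name, installed, latest), ...], [names whose feed could not be read])."""
    outdated, failed = [], []
    for name, installed in parse_freeze(freeze_text).items():
        try:
            latest = latest_from_rss(fetch(name))
        except Exception:
            failed.append(name)  # network or feed error: report it rather than silently skipping
            continue
        if version_key(latest) > version_key(installed):
            outdated.append((name, installed, latest))
    return outdated, failed

# Constructed sample data: these version numbers are made up, not real releases.
FREEZE = "mailman==3.3.9\npsycopg2-binary==2.9.9\nmailman-web==0.0.7\n-e git+https://example.invalid/x#egg=x\n"
FEEDS = {  # same shape as PyPI's releases.xml: channel title, then items newest first
    "mailman": "<rss><channel><title>mailman</title><item><title>3.3.10</title></item>"
               "<item><title>3.3.9</title></item></channel></rss>",
    "psycopg2-binary": "<rss><channel><title>psycopg2-binary</title><item><title>2.9.9</title></item></channel></rss>",
    "mailman-web": "<rss><channel><title>mailman-web</title><item><title>0.0.8rc1</title></item></channel></rss>",
}
```

Running `find_outdated(FREEZE, fetch=lambda n: FEEDS[n])` flags mailman and mailman-web; against the live feeds, call it with the default fetcher on real `pip freeze` output. As Mark notes, a newer release is not necessarily a security fix, so the list is a prompt to read changelogs, not a verdict.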