I have been running a rather complicated Django application for about a year. It contains about 50 packages in the requirements.txt file.
Whenever I need a new package, I install it with pip, and then manually add it to the requirements.txt file with a fixed version:
SomeNewModule==1.2.3
This means that most of my packages are out of date after a year. I updated a couple of them manually when I needed a new feature.
I'm starting to think that there may be security fixes that I miss, but I do not want to update them all blindly, due to backward incompatibility.
Is there a standard best practice for this?
The general template for versions of Python modules (and many other programs) is major.minor.patch, where, after the initial release, patch versions do not change the API, minor releases can change the API in a backwards-compatible way, and major releases usually do not have backward compatibility.
Therefore, if you have module==x.y.z, a relatively safe specification of requirements is:
module>=x.y.z,<x.y+1.0
Note that although this is the norm, it is based on common practice and is not guaranteed to work; it is more reliable with more "organized" modules.
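The rule above (allow patch releases, stop before the next minor) can be applied mechanically to a pinned requirements.txt, and the same version arithmetic answers the question's worry about which upgrades are "safe" to take. The script below is an added example, not code from this thread or from pip; it uses only the standard library, the sample requirements text is constructed, and the "latest version" table it compares against is a placeholder you would fill from your own index check. In pip's own syntax the rewritten range `>=x.y.z,<x.(y+1)` is what the compatible-release operator `~=x.y.z` means, so either spelling works in a real file.

```python
import re
from typing import Dict, List, Tuple

# Matches a pinned requirement such as "SomeNewModule==1.2.3",
# "pkg[extra]==1.2.3  # comment" or "pkg==1.2 ; python_version<'3'".
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]+\])?)\s*==\s*"
    r"(?P<ver>\d+(?:\.\d+)*)(?P<rest>\s*(?:;.*|#.*)?)$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'x.y.z' into (x, y, z); missing parts default to 0, extra parts are dropped."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def relax_pin(line: str) -> str:
    """Rewrite 'pkg==x.y.z' as 'pkg>=x.y.z,<x.(y+1)'; any other line is returned unchanged."""
    m = _PIN_RE.match(line.strip())
    if not m:
        return line
    major, minor, _ = parse_version(m.group("ver"))
    return f"{m.group('name')}>={m.group('ver')},<{major}.{minor + 1}{m.group('rest')}"


def relax_requirements(text: str) -> str:
    """Apply relax_pin to every line of a requirements file."""
    return "\n".join(relax_pin(line) for line in text.splitlines())


def classify_upgrade(pinned: str, candidate: str) -> str:
    """Classify candidate relative to the pin: same, downgrade, patch, minor or major."""
    p, c = parse_version(pinned), parse_version(candidate)
    if c == p:
        return "same"
    if c < p:
        return "downgrade"
    if c[0] != p[0]:
        return "major"
    if c[1] != p[1]:
        return "minor"
    return "patch"


def allowed_by_range(pinned: str, candidate: str) -> bool:
    """True when candidate satisfies >=pinned,<next-minor, i.e. only patch-level movement."""
    return classify_upgrade(pinned, candidate) in ("same", "patch")


def upgrade_report(text: str, latest: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """For each pinned package with a known latest version, return (name, pinned, latest, kind).

    Packages missing from `latest` are skipped; the caller decides what to do with each kind.
    """
    rows = []
    for line in text.splitlines():
        m = _PIN_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").split("[")[0]  # drop extras when looking up the package
        if name in latest:
            rows.append((name, m.group("ver"), latest[name], classify_upgrade(m.group("ver"), latest[name])))
    return rows


# Constructed sample input, in the same shape as the question's "SomeNewModule==1.2.3".
SAMPLE_REQUIREMENTS = """\
# web stack
Django==1.11.29
requests[security]==2.20.0  # pinned for an old API
SomeNewModule==1.2.3
-r base.txt
"""

# Placeholder "latest available" table; in practice populate it from your package index.
SAMPLE_LATEST = {"Django": "1.11.29", "requests": "2.25.1", "SomeNewModule": "1.2.10"}

if __name__ == "__main__":
    print(relax_requirements(SAMPLE_REQUIREMENTS))
    for name, pinned, latest, kind in upgrade_report(SAMPLE_REQUIREMENTS, SAMPLE_LATEST):
        verdict = "within range" if allowed_by_range(pinned, latest) else "needs review"
        print(f"{name}: {pinned} -> {latest} ({kind}, {verdict})")
```

Running it prints the relaxed file and then one line per package: SomeNewModule 1.2.3 -> 1.2.10 is a patch upgrade and stays inside the range, while requests 2.20.0 -> 2.25.1 is a minor bump that the range would block and that deserves a changelog read before you pin it. Comparisons use integer tuples, so 1.2.10 correctly sorts after 1.2.3 where a string comparison would not.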
make:
virtualenv --python=${PYTHON} env
env/bin/pip install --upgrade pip
env/bin/pip install --upgrade setuptools wheel pip-tools
You are absolutely right. There will be backward incompatibility problems. Do not upgrade packages to the latest blindly. Most likely, you will have problems with a package / module / class / variable / key being undefined / not found, especially if you have a complex system. Even if you use:
pip install --upgrade somepackage
This is a lesson from my real experience.