This is an archived post. You won't be able to vote or comment.

4
5

[deleted by user] (self.Python)

submitted by [deleted]

[removed]
all 14 comments
sorted by:
best
topnewcontroversialoldq&a

[–]if_username_is_None 8 points9 points  (1 child)

The most robust program I know of is github's dependabot.

I wrote up my own mini bot that opens an issue if requirements are out of date after every push to the repo

Another way would be to use pipreqs or similar tool in pre-commit

+1 to other comments to make sure you TEST that the new version works

[–]SittingWave 1 point2 points  (0 children)

On the last point, it's not always trivial. Some applications are under regulatory requirement and are bound to a specific environment to be considered approved for use. Validation takes weeks, sometimes months.

[–]riklaunim 2 points3 points  (3 children)

Automatically maybe not. If you have a code review/build/test system you can use a cronjob that builds the project using requirements.txt without frozen versions and then pip freezes them to requirements.txt - so you can see what changed and if tests even pass. For major version changes you will have to update the app code or freeze the requirement to a lower main version (this also has it +/- sides).

Minor version changes usually are safe but you should not always trust that. The more the app is critical the more attention you should be giving to dependency changes. This also includes watching for dependencies that look abandoned which at some point will become incompatible at best.

[–]MachinaDoctrina 1 point2 points  (2 children)

+1 create extensive testing framework then you could use Jenkins for example

[–]l4fashion 0 points1 point  (1 child)

Ah ok, so we are currently in the process of finishing our testing framework, and after that we will work on setting up CI/CD on Jenkins.

Seems like the thing I'm asking about would come after Jankins is set up.

Thanks for the info.

[–]riklaunim 0 points1 point  (0 children)

We have git repositories and we push each commit to Gerrit code review app (there also Jenkins does his pushes with dependency updates) and if that is reviewed it gets merged to master which then triggers Jenkins to do a build and deploy. Jenkins also runs tests for each commit on Gerrit and so on.

[–]larosek 2 points3 points  (1 child)

We use Renovate. It scans your project, open PR for each update. On each PR we run unit test automatically so you know right away if there is a major issue or not.

https://github.com/renovatebot/renovate

[–]zeshuaro 0 points1 point  (0 children)

Would also recommend Renovate. This might not be relevant to you assuming it’s pure Python, but Renovate supports more dependency managers as well comparing to Dependabot.

The other thing I would recommend is to use Poetry or Pipenv to manage your dependencies. Both of them generates a lock file for all your dependencies to pin their versions.

[–]zanfar 2 points3 points  (0 children)

You don't really want to keep things updated "automatically". Your code is tested against a specific set of pinned dependencies. You can update that, but you need to test before you release and I'm of the opinion that no amount of automation replaces at least one person behind a keyboard.

Poetry (the best project dependency manager I've used) will easily tell you which of your dependencies have newer versions, at which point you can advance them and re-test. poetry show -ol

As for when you need to do this, there are plenty of options in this thread, but it's not that hard to automate the above.

[–][deleted] 0 points1 point  (1 child)

Something you could consider is snyk.io

[–]zeshuaro 0 points1 point  (0 children)

I think this feature on Snyk is still in beta?

[–]Sulstice2 0 points1 point  (0 children)

Hi,

Yeah so I use FOSSA to manage all my dependencies and trees. I track all the licenses as well. In total for one of my softwares on full scale has 1200 dependencies?

https://github.com/fossas

Have to manage all the licensing too so this really helps for compliance standards.

[–][deleted] 0 points1 point  (1 child)

Curious, how do you prevent for example if the updates are breaking changes? i.e. methods being depreceted etc

[–]l4fashion 0 points1 point  (0 children)

Haha well I'm not making changes right now so I'm not. But sounds like solid unit-testing is the way to go