@_chrismay We use pipenv for dependency management. Our "build" pipeline runs pipenv check after the sync, which uses the safety underneath if I am not mistaken. Builds fail if this check fails.
From there, it is usually easy to pipenv update, run unit tests and #ruff, fix failures, and commit the changes.
@_chrismay As a bonus, I have a module in our codebase that generates markdown documentation from code.
One of the classes in that framework is one that combs through the metadata of installed packages (and some data from the pipfile) to generate a human-readable "software inventory". For each package, it gives info like the version, license, description, authors. It also identifies whether this is a primary, dev, or secondary dependency.
@_chrismay There are tools like safety, pip-audit, and snyk that you can run on CI to get notified about vulnerable dependencies. And there are bots like dependabot that can automatically update dependencies and open PRs.
@_chrismay At work we use safety on CI and dependabot for automatic updates. I want to switch to pip-audit because it's free and the official PyPA tool, but my PR in pip-audit for poetry support wasn't accepted.
Add comment