The number of dependencies for Frappe is increasing. How about integrating a dependency check to make sure we are using secure versions of each dependency?
I tested pyup.io. It took about 5 minutes to set up.
- From the website, I logged in with github
- I pointed it at my forked Frappe (test) repo (felixvarghese/frappe on GitHub)
- It went to work and showed outdated dependencies.
When it goes to work, it does the following
- It will pin all unpinned pip dependencies to the current version (in my repo, you’ll see the automatic pull requests generated to do this task)
- When there is an update for a dependency, it will send a PR automatically and also show a changelog. The maintainer can then decide whether to merge or not…
- If a dependency has a known security vulnerability, it will notify in Pull Requests (Safety CI - Security for your Python dependencies)
It's free for Open Source Projects. Unfortunately, it doesn't handle npm though.
If this seems like a good idea, whoever has access to the account that integrates codacy and travis with the frappe repo would need to do the setup.
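As an added illustration of the two checks described above (pinning unpinned pip dependencies, and flagging pinned versions that fall below an advisory's fixed version), here is a small stand-alone script; it is not pyup.io's code, and the requirements file, package names, "current" versions and advisory are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# One requirements.txt entry: name, optional [extras], optional operator and version.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")

REQUIREMENTS = """# constructed sample requirements.txt (hypothetical package names)
util-lib>=1.4
helper_pkg
template-engine==2.9.6
"""
CURRENT_VERSIONS = {"util-lib": "1.7.2", "helper-pkg": "0.3.0"}  # assumed latest releases
ADVISORIES = {"template-engine": "2.10"}  # hypothetical advisory: fixed in 2.10, earlier affected

def parse_requirement(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (normalized name, operator, version) or None for blank, comment and option lines."""
    line = line.strip()
    if not line or line.startswith(("#", "-")):
        return None
    m = REQ_RE.match(line)
    if not m:
        return None
    return m.group(1).lower().replace("_", "-"), m.group(3) or "", m.group(4) or ""

def find_unpinned(requirements: str) -> List[str]:
    """Dependencies not locked with '==': any newer release would be installed silently."""
    parsed = (parse_requirement(ln) for ln in requirements.splitlines())
    return [p[0] for p in parsed if p and p[1] != "=="]

def pin_requirements(requirements: str, current: Dict[str, str]) -> str:
    """Rewrite unpinned entries to the current version, as pyup's first PR does."""
    out = []
    for line in requirements.splitlines():
        p = parse_requirement(line)
        if p and p[1] != "==" and p[0] in current:
            line = f"{p[0]}=={current[p[0]]}"
        out.append(line)
    return "\n".join(out)

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparing simple dotted versions (pre-release tags are ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def vulnerable_pins(requirements: str, advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Pinned deps whose version is below the advisory's fixed version: (name, pinned, fixed)."""
    hits = []
    for line in requirements.splitlines():
        p = parse_requirement(line)
        if p and p[1] == "==" and p[0] in advisories:
            if version_key(p[2]) < version_key(advisories[p[0]]):
                hits.append((p[0], p[2], advisories[p[0]]))
    return hits
```

Running the three functions over `REQUIREMENTS` reproduces the workflow in the post: the two unpinned entries get pinned, and the pinned-but-outdated entry is reported against the advisory.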