Use Dependency Checker for Requirements?

The number of dependencies for Frappe is increasing. How about integrating a dependency check to make sure we are using secure versions of each dependency?

I tested pyup.io. It took about 5 minutes to set up.

  1. From the website, I logged in with github
  2. I pointed it at my forked Frappe (test) repo (GitHub - felixvarghese/frappe: Full Stack Web Framework in Python & JS. Used to build ERPNext)
  3. It went to work and showed outdated dependencies.

When it goes to work, it does the following

  1. It will pin all unpinned pip dependencies to the current version (in my repo, you’ll see the automatic pull requests generated to do this task)
  2. When there is an update for a dependency, it will send a PR automatically and also show a changelog. The maintainer can then decide to merge or not…
  3. If a dependency has a known security vulnerability, it will notify in Pull Requests (Safety CI - Security for your Python dependencies)

It's free for Open Source Projects. Unfortunately, it doesn't handle npm though.

If this seems like a good idea, whoever has access to the account that integrates codacy and travis with the frappe repo would need to do the setup.

5 Likes

Thanks! @achillesrasquinha shall we add this?

Edit: @felix does it need a config file?

No configuration needed. It looks for .txt and .pip files with “requirements” in the file path or name, so we are covered for pip.

That doesn’t work for npm though, which is a different problem. I didn’t find anything to deal with npm that was as simple and powerful as this.
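The two behaviours described in this thread (the first post's "pin unpinned pip dependencies and flag ones with a known vulnerability", and the reply above's "look for .txt and .pip files with 'requirements' in the path or name") can be reproduced locally for a quick sanity check before wiring up a hosted service. The script below is an added example written for this thread; it is not pyup.io's or Frappe's code. The requirements file and the advisory table it reads are constructed placeholders (package names `examplelib`/`otherlib`, ids `PLACEHOLDER-ADV-*` are invented), and the version comparison is a simple numeric-tuple compare rather than full PEP 440.

```python
import re
from pathlib import PurePath

# Constructed sample requirements file (not from the Frappe repo).
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
examplelib==1.0.2
otherlib
Jinja2>=2.9
PyYAML == 3.12   # spaces around the operator are allowed
-r requirements-extra.txt
"""

# Constructed placeholder advisory data: package -> [(first fixed version, advisory id)].
# These are NOT real advisories; a real checker pulls them from a vulnerability database.
SAMPLE_ADVISORIES = {
    "examplelib": [("1.1.0", "PLACEHOLDER-ADV-001")],
    "pyyaml": [("4.0", "PLACEHOLDER-ADV-002")],
}

# name, optional comparison operator, optional version (everything after ';' or '#' ignored)
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(===|==|~=|!=|>=|<=|>|<)\s*([^\s;#]+))?"
)


def is_requirements_file(path):
    """Same discovery rule as described in the thread: .txt/.pip with 'requirements' in the path."""
    p = PurePath(path)
    return p.suffix in (".txt", ".pip") and "requirements" in str(p).lower()


def normalize_name(name):
    """PEP 503 style normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Numeric components only (assumption: plain release versions like 1.0.2)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return [(normalized name, operator or None, version or None)] for each requirement line."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank line or pip option such as -r / -e
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        reqs.append((normalize_name(name), op, ver))
    return reqs


def find_unpinned(reqs):
    """Anything not pinned with '==' is what a pinning bot would turn into a pin PR."""
    return [name for name, op, _ in reqs if op != "=="]


def check_advisories(reqs, advisories):
    """Return (name, pinned version, first fixed version, advisory id) for vulnerable pins."""
    findings = []
    for name, op, ver in reqs:
        if op != "==":
            continue  # a range cannot be evaluated; it is reported by find_unpinned instead
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append((name, ver, fixed_in, adv_id))
    return findings


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    print("unpinned:", find_unpinned(reqs))
    for name, ver, fixed_in, adv_id in check_advisories(reqs, SAMPLE_ADVISORIES):
        print(f"{name}=={ver} affected by {adv_id}; fixed in {fixed_in}")
```

Run it against a real file by replacing `SAMPLE_REQUIREMENTS` with the file contents and `SAMPLE_ADVISORIES` with data from an actual advisory feed; the unpinned list is exactly the set a pinning bot would open pull requests for, and only pinned entries can be matched against advisories, which is why pinning comes first.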

What about pipenv?

pipenv handles almost everything for you out of the box.