Dependencies
👉 Decision document about how we manage dependencies
Each Python app should have:
- `requirements.txt` - pinned versions of all production dependencies
- `requirements.in` - main / top-level dependencies, used to generate `requirements.txt`
- `requirements_for_test.txt` - additional dependencies for dev / test
`requirements.txt` is generated from the `requirements.in` in order to pin versions of all nested dependencies. If `requirements.in` has been changed, run `make freeze-requirements` to regenerate it.

Note: for Dockerised apps, you'll need to do `./scripts/run_with_docker.sh make freeze-requirements` instead.
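A small consistency check for the two files described above, as an added example (not code from the Notify repos): it confirms that every line in the frozen `requirements.txt` is an exact `==` pin and that every top-level name from `requirements.in` made it into the frozen output. The sample file contents are constructed, and the parser deliberately handles only plain `name[extras]<spec>` lines (no URLs, editable installs or environment markers).

```python
"""Check that a generated requirements.txt actually pins everything.

Added example, not code from the Notify repos. Reads requirements.in
(top-level deps) and requirements.txt (frozen output) and reports
(a) production lines that are not an exact "==" pin and (b) top-level
names missing from the frozen file. Assumption: requirement lines are
plain "name[extras]<specifier>" entries with optional "#" comments.
"""
import re

# Sample files, constructed for this example.
REQUIREMENTS_IN = """\
# top-level deps
Flask>=2.0
requests
celery[redis]==5.3.1
gunicorn
"""

REQUIREMENTS_TXT = """\
# generated by make freeze-requirements
flask==2.3.2
werkzeug==2.3.6
requests>=2.31  # not pinned!
celery[redis]==5.3.1
kombu==5.3.1
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
# An exact pin: name, optional [extras], then a single "==" version.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^,<>!~=]+$")


def normalise(name):
    """PEP 503 name normalisation: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {normalised_name: requirement_line} for each non-comment line."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = NAME_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        result[normalise(m.group(1))] = line
    return result


def unpinned(frozen):
    """Names in the frozen file whose specifier is not a single exact '==' pin."""
    return sorted(name for name, line in frozen.items() if not PIN_RE.match(line))


def missing_top_level(top_level, frozen):
    """Top-level names that never made it into the frozen file."""
    return sorted(set(top_level) - set(frozen))


def check(requirements_in=REQUIREMENTS_IN, requirements_txt=REQUIREMENTS_TXT):
    """Run both checks; an empty result for each key means the files are consistent."""
    top = parse_requirements(requirements_in)
    frozen = parse_requirements(requirements_txt)
    return {"unpinned": unpinned(frozen), "missing": missing_top_level(top, frozen)}


if __name__ == "__main__":
    print(check())
```

Running it on the constructed files flags `requests` as unpinned and `gunicorn` as missing, which is exactly the kind of drift a CI step can fail the build on before an unpinned transitive dependency reaches production.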
Currently we do this as-and-when. We should prioritise dependencies with security vulnerabilities.
We have [a weekly job that audits Production packages for security vulnerabilities](https://github.com/alphagov/notifications-aws/pull/1096):
- Check the output in Concourse to see which packages have vulnerabilities.
- Make a PR to update affected packages to a patched version.
If the packages are listed in `package.json`, update the versions there and then run `npm install` to update the lockfile. For sub-dependencies, there's unfortunately no easy way to tell NPM to "update just this package and anything that conflicts with it":
- Try updating just the affected packages in `package-lock.json` and then run `npm ci` to see if there are any conflicts.
- If you see conflicts with other packages, it's usually safe to just run a dumb `npm install`, which will update everything.
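Before hand-editing `package-lock.json` for a sub-dependency, it helps to know every installed copy of the affected package and which packages require it; a nested copy under another package's `node_modules` is easy to miss and is where a conflict with the top-level version shows up. The following is an added example (not code from the Notify repos) that walks the `packages` map of a lockfileVersion 2/3 lockfile. The lockfile excerpt is constructed with made-up versions, and the "requirer" rule is a simplification: any entry listing the name in its `dependencies` counts, without reproducing npm's exact nested-resolution rules.

```python
"""Locate an affected npm package inside package-lock.json.

Added example, not code from the Notify repos. In lockfileVersion 2/3 the
"packages" map is keyed by install path ("" is the project root, nested
copies appear as node_modules/<a>/node_modules/<b>). This lists every
installed copy of a package and the packages whose "dependencies" require
it. Assumption: a requirer is any entry that lists the name in
"dependencies"; npm's precise hoisting/resolution rules are not modelled.
"""
import json

# Constructed lockfile excerpt for this example; versions are made up.
PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "widget": "^2.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/widget": {
            "version": "2.0.0",
            "dependencies": {"left-pad": "^1.1.0", "semver": "^5.0.0"},
        },
        # second, older copy nested under widget: the one a top-level edit misses
        "node_modules/widget/node_modules/left-pad": {"version": "1.1.3"},
        "node_modules/semver": {"version": "5.7.1"},
    },
})


def package_name(path):
    """Install path -> package name; scoped names keep their '@scope/' prefix."""
    return path.rsplit("node_modules/", 1)[-1]


def installed_copies(lock, name):
    """All installed copies of `name` as a sorted list of (lock path, version)."""
    return sorted(
        (path, entry.get("version"))
        for path, entry in lock["packages"].items()
        if path and package_name(path) == name
    )


def requirers(lock, name):
    """Packages whose 'dependencies' pull in `name`: {requirer: range}; root is '<root>'."""
    out = {}
    for path, entry in lock["packages"].items():
        spec = entry.get("dependencies", {}).get(name)
        if spec is not None:
            out[package_name(path) if path else "<root>"] = spec
    return out


def report(name, lock_json=PACKAGE_LOCK):
    """Where `name` is installed and who requires it, from a lockfile JSON string."""
    lock = json.loads(lock_json)
    return {"copies": installed_copies(lock, name), "required_by": requirers(lock, name)}


if __name__ == "__main__":
    print(report("left-pad"))
```

For the constructed lockfile the report shows two copies of `left-pad` (1.3.0 at the top level and 1.1.3 nested under `widget`) and that `widget` requires `^1.1.0`; updating only the top-level entry would leave the nested copy in place, which is the situation where a plain `npm install` is usually the simpler fix.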
Currently we do this as-and-when. We should prioritise dependencies with security vulnerabilities.