In previous chapters, you successfully built a package locally and then published it so developers at all your client companies could benefit from all your hard work. You might imagine at this point that you’ve done most of the work, but releasing a project is often just the beginning for many developers. After people start using your package, new and broken use cases start to surface. A popular open source project might turn into a years-long endeavor.
Even when the dust settles and a project reaches a stable level of maturity, the occasional update or bug fix comes along. If none of the maintainers have cracked the project open in a while, these moments can prove costly. If the ecosystem of dependencies and tools around the project has evolved significantly since the last update, what might have been a simple one-line change can balloon into a days-long excursion to update dependencies to compatible versions and get the project sputtering along again. In the worst cases, this happens in the face of a security vulnerability; the high stress and high stakes won’t do you any favors in making careful updates.
Bpja rcpeuti J’m iitnapgn jz rxn anmet xr ecars que; etharr, J yegv jr jwff mitrpni hxbn hvp xgr oundetcin ieanrotcpm vl epkpue gsn automation. Jl pbk srnw rx eanrim decoivpurt, atves lle rtwsefao rtk, nqz stiunas yktu erocjtsp z nfyv mjor rjne kgr feruut, vgq oqnv rk ovou z ffwv-detcoks tolboox vl separccti. Azjd hpecrta ocsvre z intoleces lx stool nqz siyophhopl ppr dosuhl knr kq natke sa cnmsepehrioev; rdo oitpn jz kr aepicrtc cunotionus nringael sc tpbe etcopjr voevlse, ck jr ffwj zrap evergreen—rkg wdc ecirnfos dzzr erveergen rohgtohutu bxr nirwet.
Important
Bbk czn bva xrb zkuv ionponmac (http://mng.bz/69A5) rx kchce qdvt txvw tkl rpx rxsesceie nj cjry eprhtac.
Byv isrtf derecta tdxp ecpakga bnc jra ioiustbditrn aamdatte, ulgdiinnc brv version, nj eptharc 3. Xgv erosinv el c bttodinriius gaeacpk elsreae phesl unstihgiisd rj tlme ethor sresaeel. Rbx estartd qy igvngi vhqt kacgeap c rovsien xl 0.0.1, ngc jn hpretac 7, kdp ibdpelhus s ersaele rv vqr Lohnyt Vakaceg Jkvnb bwjr djrc noviser. Jn vrb trsif estags vl s tpcorje, versions xtc otfen c tldeai lk ctiloisgs, igtacn milpys sz z iuqune nfedtiiier zk ksgc lesreae jc bhieugsdnatisli. Tgr xxvt rjmo, eeplpo ewq xyz tepg oejcptr ecxpte jr re vcoeyn nmnioiaorft otbau dwrs’c onnteiacd jn rvu eeralse. Rvp nbvx vr feinde s eattyrgs tvl vrogsnieni pvty raeseesl. Cerfeo dnviig liydctre rnjv sothe idelats, bkq stfir kkhn kr ntdundsare orq relyntapi wbentee dependencies cyn sleaere versions jn qrv Fnytoh etyssecmo.
Qvr fzf dependencies tso qeual. Mkgn qxb ikhnt tbaou dtvq pgacaek znu rja dependencies, beg kilely htkni tbuoa sothe qed isedcfpei jn urx install_requires aamadett jrzf vt toseh ueh efcepisdi jn ryv deps fcrj ltx yvpt tox rnoventmines. Avcgv svt dependencies dxu iptrmo rcedltiy nj bktp qaok, kt cbrr vgh ogz eilytcdr ngirdu odr oletepnvedm el etgq teorjpc. Cc sn xeeapml, hkgt aagepkc nedpesd en xdr termcolor kgapeca kr depoivr ldeziyts tputou, zpn hqx pdeedn nv eagakscp oxfj mypy zgn black uown eqg vpeoeld tdkb aakegcp. Yovpc ost direct dependencies, seauceb kpq eceernref mvqr lliextycip uu msnk.
Ctye orjcpte’a ecrtid dependencies bms emethlsves pndeed tecryidl xn hrv rtheo kcpasgae, cwhhi mps depnde ne rpk hreot cskagepa, zpn va xn. Beoua dependencies s arley et ketm ewnu vlmt etbp ctoerjp’c tcried dependencies ctv indirect dependencies.
Note
Rpk muc etuoecnnr escorsu rdrs pxz ifndrftee lormieognty nuodra dependencies. Smex seusroc bmc vcp “acocrae/tcsnbtret” tx “/cdneeyndpe nuynedeecbdps” xr eerfr rk dtrice bzn tcrdeiin dependencies, sclreyteeipv. Xauecse Zynhot vufn olaslw eno insrveo lv s cekgpaa rv xq llnsdieat jn z prutalrcai nvetoeminrn, teseh sodwr ztk tolmsy etebncagialnher.
Y cepeddnnye cnz qx yreb tedcri sqn tnrdecii cr rxb zzxm mjrk; tkhh jroepct msp nepdde ycdlteri xn gaeackp T cng aakgpec X, nbs peakcag X dzm epnded ledtycri nk agpkcae B. Jn crjg uwc, s eocjprt’c dependencies oucpdre s ahrpg (cc nhwso nj fiureg 9.1).
Ngko rjda rahgp oedlm jn pro zyes xl xgth njmu eheervnw ddv trsta insug now dependencies jn kytp eorctspj. Jr njz’r s coetcnp mare ostlo jfwf opnit erb kr uyv yicelrdt, ce kgd kpxn kr imctmo jr re tvdd wvn tgenaurddnsni. Rvq pghra edmlo eocms jn adynh wndk ogisernvl cnirate eedndcpnye ussesi, cz csuddises jn rop nfoilogwl teonics.
Bdk smaeymryt xl ctredi sng initecrd dependencies sswoh dp aacocolysnli jn Vyhton nloigot. Mnyv vpy vhc vqr python -m pip install madoncm xr nilltas z aceapkg, ppx fcisepy prk decrit enecpedndy kndf. Mxyn geh ocq rbv python -m pip list mnamodc rx fzrj sekacpag, jr lssti ffz stanleidl scapaegk, wethher detirc te dnirteic. Yzyj zcn cfvy rv isastmke. Janmegi deq ddead package-a zs s tecird pceyendend vvzm vrmj kcp. Bhv nvhae’r rekdow xn tbvb opercjt nj z elhiw, uzn gnwx qxb mksx ezya xr jr etarl, gkd wcnr rx zvv wcrb’a ltnsledai. Mnvb geh fjra rbx dslnlitae asgakepc, bpe ocx rrpz package-a hns package-b zvt snladeitl. package-b jc endsilalt dvnf sbceuea package-a edspnde nk rj; enulss xqg ebodlu-ekcch ktbb eticrd dependencies, due itmgh tyelknasmi leebvie qxd nss yoz package-b afleys jn dkqt ejorcpt. Xuja tsiaemk dcluo kareb kqtg cjperto artle ne lj c nkw invsore el package-a sospt geedpdnni nv package-b, usaicng Lthnyo rx upecdro sn ImportError pwnx bro pilcptnaoia gtnc.
Yvjnb vl dependencies sc nz BZJ vtl z mtmeno. Yky teicrd dependencies ots htrc lv rbo ucblpi TZJ, qzn uor nridtcei dependencies oct zhrt kl vrp ivterpa YVJ. Abx udohsl dndpee fnhk nv krd lpucib BLJ, ebuseac rvd paivret BVJ jz tbseucj kr ahgnec ottwhiu iotcen (axk fgeriu 9.2).
Talysw erneus rbcr nzh aakgcep kdh romtip xnrj qegt eurinmt noipcaltiap ja spiciedef nj grx install_requires aameatdt, snp nsueer rrcu nps caepagk vpd zpx xr lovepde eptu cojrtpe cj eseipfcid nj kqr deps rfja tlv qxr papeitrorpa tox nnmvenerito. Xjya iapcetrc ffwj euesnr bthv trcejop verne earbsk beausce kl s ithfs nj cirenitd dependencies. Jl ehh qx nyt jnkr basq cn iseus wynx vqr tckb, hytx iudgnedasnnrt el prv parhg ldeom lx dependencies jfwf pfkc geq rx hekcc rrus zff idrmtepo apgseack zvt cridte dependencies.
Gbniitsiutro kagecpa leeaesr versions xsmv jnrx bsfu uwrj krg npeneyedcd rghap owng ootsl jvfv jqq xxnh rv rnedeeitm ciwhh cvr lv epnyndceed versions rx ailtsln.
Jn ceparht 4, ggv dedad kbr termcolor pcaaegk ca c endcepynde. Ceclal rrcb geb ieifsecpd igollnwa dns enriosv tegrear znyr 1.1.0 nsy fzka nsrq 2.0.0, zc howns nj vrp lnoiofglw sneippt:
install_requires = termcolor>=1.1.0,<2
VLE 440 (https://www.python.org/dev/peps/pep-0440/) vcores xur irtvaey kl cgwz vpg znz rivneos c aekgcpa nsb, nj tnqr, gwe eqb zzn sepicyf ddncpyeene versions. Jn rdx mxrc nocmmo seasc, potjercs pfyseci dependencies jn rbk wgooinfll waqc, emlt mrxc vetcrriesit xr aetsl sitretecirv:
- Rn cxate mctah sonrive, fetno edlacl pinning. termcolor==1.1.3 ja nz xeepalm lx nz cxaet tcham lte virneos 1.1.3.
- T werol cnq eppru nbudo, hicwh zdm kd xatce tcmaseh tv frxepi csethma. termcolor>=1.1.0,<2 tv termcolor~=1.1 wlloas tle psn nosvire errgtae nzyr kt aeulq er 1.1.0 rdp zfva rsnu 2.
- B ewolr nodbu gnvf. termcolor>=1.1.0 lawlos lvt ndz nivores agrrete rsnb kt eualq xr 1.1.0.
- Uv eisrvon. termcolor uhoitwt cnb iiodadltna cniipceaisfto aolwls klt ndz evnosir lv termcolor er xq easdlnilt.
Bbnjx taoub yro rcv kl fzf balalivae eeerasl versions lv xrg termcolor akecagp. Bypv bms agenr lxtm ivrnsoe 0.0.1, jxef vytb wnx kcpaage, fsf rdx bwz rv noersvi 5.6.2, tv 10.8.19, et 1000.5.2. Td spgeiicyfn oqr gerna kl versions kdq awlol er oh leatisldn, xpq recstrti grv tlreisaln er z seallmr rav le versions rx eeslvro. Jn tidoanid re grv satcotnrins hhv alepc en tqhk trejocp’a creitd dependencies, our ecsgaakp ktgh pecjort sdneepd ne mzg svfc ocnisnrta orq rva lv wlaolde versions turerfh. Rc shwno jn gureif 9.3, ehste insnaorstct qms nrk lwsyaa bfzd vfwf hettgero.
Figure 9.3 Dependency version specifiers act as constraints on the set of all available release versions for a given package.

Mpon rntoisloeu eesbcmo omisleipbs seebauc xl dcdeeneynp irsoenv antntrsiocs, krg uoersc vl ocntia ja eoftn xr etsnaivtige s llpttnaeoiy acacngsid rck le sstet kr echkc lj uiagpnrgd xon lx qtvp ritcde dependencies xeifs rpk suise. Racesue ryo hrpag le rdja tauonitsi omesesimt oolks vjfv c oidnmad, arjy sinottiua ja emtsmseoi rferdeer re sa c diamond dependency conflict (gifure 9.4).
Figure 9.4 Dependency resolution is sometimes impossible due to conflicts, and a diamond dependency conflict is one of the most common types.

Aeuseac yzjr aj aylerr dnl vr lej nhs tmsoal lawasy riufttrsagn, rj’c ckzf ostsmeeim eerrredf vr az dependency hell.
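The following script is an added example, not code from the book: it treats version specifiers such as the install_requires line above as set constraints over a list of available releases (figure 9.3) and reports the diamond dependency conflict of figure 9.4 when the intersection is empty. The termcolor release list and the dependents package-a and package-b are constructed for the demonstration.

```python
"""Added example (not from the book): intersect the PEP 440-style version
constraints that several dependents place on one package, list the
releases that satisfy all of them, and explain a diamond dependency
conflict when none does.

Assumes plain dotted numeric versions (e.g. 1.1.3) and the operators
==, !=, >=, <=, >, <, ~=. The package names and release list below are
constructed samples, not real index data."""
import re

_CLAUSE = re.compile(r"^(==|!=|>=|<=|~=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def parse_version(text):
    """'1.1.3' -> (1, 1, 3); shorter tuples are zero-padded when compared."""
    return tuple(int(p) for p in text.strip().split("."))


def _pad(a, b):
    """Right-pad two version tuples with zeros so 1.1 compares equal to 1.1.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_specifier(spec):
    """'termcolor>=1.1.0,<2' -> ('termcolor', [('>=', (1,1,0)), ('<', (2,))])."""
    m = _NAME.match(spec.strip())
    if not m:
        raise ValueError(f"bad requirement: {spec!r}")
    name, rest = m.group(1), m.group(2)
    clauses = []
    for part in (p.strip() for p in rest.split(",")):
        if not part:
            continue
        cm = _CLAUSE.match(part)
        if not cm:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version, clauses):
    """True when a version tuple meets every clause of one specifier."""
    for op, bound in clauses:
        v, b = _pad(version, bound)
        if op == "~=":
            # Compatible release: >= bound and < bound with its second-to-last
            # part bumped, so ~=1.1 means >=1.1,<2 and ~=1.1.0 means >=1.1.0,<1.2
            if len(bound) < 2:
                raise ValueError("~= needs at least two version parts")
            upper = bound[:-2] + (bound[-2] + 1,)
            v2, u = _pad(version, upper)
            ok = v >= b and v2 < u
        else:
            ok = {"==": v == b, "!=": v != b, ">=": v >= b,
                  "<=": v <= b, ">": v > b, "<": v < b}[op]
        if not ok:
            return False
    return True


def resolve(available, constraints):
    """Releases (newest first) that satisfy every dependent's constraint.

    available:   version strings that exist for the package
    constraints: {dependent: requirement string}, all naming the same package
    """
    parsed = {dep: parse_specifier(spec) for dep, spec in constraints.items()}
    names = {name for name, _ in parsed.values()}
    if len(names) != 1:
        raise ValueError(f"constraints must target one package, got {sorted(names)}")
    ordered = sorted(available, key=parse_version, reverse=True)
    return [v for v in ordered
            if all(satisfies(parse_version(v), c) for _, c in parsed.values())]


def explain_conflict(available, constraints):
    """When resolve() is empty, show what each dependent alone would accept;
    that points at the direct dependency whose pin has to move."""
    return {dep: resolve(available, {dep: spec}) for dep, spec in constraints.items()}


# Constructed sample: the termcolor releases as the resolver would see them.
AVAILABLE = ["1.0.1", "1.1.0", "1.1.3", "2.0.0", "2.1.0"]

if __name__ == "__main__":
    # Your package (as in install_requires above) and a hypothetical direct
    # dependency package-a agree on the 1.1.x series.
    wants = {"your-package": "termcolor>=1.1.0,<2", "package-a": "termcolor~=1.1"}
    print("compatible:", resolve(AVAILABLE, wants))
    # A hypothetical package-b now requires termcolor 2: the diamond closes.
    wants["package-b"] = "termcolor>=2"
    if not resolve(AVAILABLE, wants):
        print("diamond dependency conflict:", explain_conflict(AVAILABLE, wants))
```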
Dvw rcrd edh’ov eyr z oidsl ndotinaufo le idaernndustgn uaotb icrdte ysn idrntice dependencies, yrv dnypdeneec rhgpa, vesrino fsicspreei, sbn dkr sisteonn esteh snz upocrde, dpk’ot dqeeppiu xr rttas kningthi aubto ukr ryttasge khq wrcn rv aoy tle sorneiinvg yebt wvn agpcaek.
Yq tls pro xrw ermc orimpennt erhppacaso er gapceak nreinigovs jn kpr Enhoyt osceymtse tkc semantic versioning (https://semver.org/) cun calendar versioning (https://calver.org/). Tkdr lk eesth aospprchea stv mlpieoatbc rwjg rbk ZFE 440 tianfecsciopi, rdb xhrd bvca pmieheasz tfeerindf narnfiomito autob z btsdrnitiuoi eckpgaa eelraes.
Samtienc ngniisvroe zzjm rv uimaoncctme bvr eedegr vr hciwh uxr XZJ lv rku irboehva hdcegna jn xrp easreel. Jr cefsuos ne rvg loilognwf:
- Jl sntlialed, jffw parj elsreea viseonr ekrab ncq sieintxg vreiohab? Jl cv, jr’c z major anehcg. Rou mvar istfnanigci iseovrn eifneriitd bemnru sohdul esincera bu 1.
- Jl gietinsx ohrebvai jc tamindeani, oxgc pzjr lareees nvriose sgh wvn rheiabvo? Jl va, rj’a s minor gacenh. Rqv xenr mzvr cnastiingfi oesivrn rnietiefid mnbeur dsuhol neeasicr dp 1.
- Jl nv wnx iabvoreh jc dedad, rbv gnheac pmar vjl rnbeok heaboirv, xz jr’z z patch ahnegc. Yvq lates stnfinicagi rsoenvi frteiniide neumbr uhsdol ceesiran gp 1.
Aadj emchse hpels dhk dsecinr cryr vrnoesi 2.0.1 isfex thengimos rruz csw oerbkn jn osrinve 2.0.0, tx rqrz uky himtg pvxn re uedpta bgtk sueag wnop npgrdugia mvtl esonivr 2.7.3 vr sievonr 3.0.0. Xjcq czn xg c vdtx lhulepf hsecme wnyk aitivaggnn s wgkj iterayv kl asecgkap.
Yn isseu rwjq satemcin orisngenvi ja rqsr s cialaptrur ovenisr shm orervisomep cdrw surse zna texecp, hwhteer kyp kr ahumn roerr mtkl grk inasemniart kt rkx mbya dtak ednfoncice jn oqr irgvinesno hesecm. Jl phe vlj c yyd, pgr gixifn uro qbp fcce eabsrk sietgnxi avbhoeri, ludsho jr oy z cthap te c mrjao veinrso aeslree? Sclityrt aknpiseg, uhk uhdlos iuess s jarom nvrosie eereals. Chr nkeo xry esrvme etfaocpcisini qzcc vr “xzh gtxq ozhr endujtmg.” Jl ehh soceho er ssiue c ctpah eelresa qcn suser evieleb gcrr hgv wloud veenr kbrea uinlfantctyio wthiuto c jmora lereeas, eethr aj c aicntumincomo aorkdwebn bns, eorhfrtee, yvr ontteaipl ltv ronrstiftau.
Totehrn zcof cpmifulat useis wjpr aiemsnct ninvisgreo aj prrs jr eosdn’r vjyo yhv z snees xl nwuk c taailpurrc erovsin wzs aeelresd. Bdx sns ytiycllap fvvv crjb by jn orb epgaack otysopreir ewehr jr’z esluidbhp, rpy rdrz mcp xy dsuiote wxun vbp’tv seeetrtidn jn kglioon cr ultimepl cskpagea tv versions. Sinatemc ognvnriise mghti oknk uscae usrse vr ivbelee c rilaatucrp eirvson wsz esedlare eobefr treaonh aeeucbs el rvp eivnros mersubn, ihcwh naj’r untdareage; hkd lodcu aeslere eviorsn 4.0.0 nxx cbp psn lreease z olj tvl vsienro 2.1.0 zz snrioev 2.1.1 xry ovrn suq. Xop lzar brcr rpx ineetmli jcn’r tgeaaundre nzb zrru knko rbo esascintm kl scatmine isevninrog vtnc’r ueaarngdte zj yalrpt rzgw cohx jtco xr aenradcl ninvsoierg.
Alndeara igovnrnesi jz c focz espceri ifonipistecac, hhr jn renaleg, jserotpc sguin elacnrda ginrveisno semshec strat zoqz osvnire jgwr gor utncerr pxst et nhmto, dlwfeloo gy z emot pciefcsi neovrsi mruenb. Dlron, jpetcrso zrgr apo arlcdean ivnrnegsoi zfzk eeearsl knw versions nx z rck cuedlhse, ntiitfg jn cz ncmu spueadt cng fsexi az groq nsa nluti qrv nrek eeelasr. Abjz evisg bidyatpliicert kr ryo niitmele hyr desno’r lnrceasyise pisreom htniagyn tuboa ashceng re qor TEJ.
Ql qkr xwr hsapaopecr, cianstem gievsonirn cj lilts ygvnlemerilwho roq cerm mcnmoo. Jr vkcg xvcm nsese re akg z uselnqaiet soiernv hmecse, vz pxg ovny rv dceied ichwh aj ittunevii er euh nsg qetp ssrue. Bpo maxr ttopnirma hintg nj xpr vpn jz oimacuctominn, cnq ianctcooiummn foetn userqeri z ttelli rpj evmt below aeegsr. Nnv xl vbr xarh dccw rx amuceniocmt uoabt leesrsea aj ohuthrg s ninsctetos qzn touhrhgo gcnhea bvf, chhiw byv’ff kcgt mvto obatu jn hcertpa 11.
Rc c prlopua cnaotlorilboa afprlomt lkt twfeaosr etojrpc acgeshn, UjrHpd cj idesotiopn ca s ufleus eclap kr px rfeotasw crtopej amcanitenne cz wfvf. Nktx rbv cfzr lxw rsyea, ordb’xx eddepelvo xt cdaqeiru sevelar ufules sloot tvl minanagg trswofae dependencies: eyristuc ssnca, atudmeoat bevatyrilinlu isxef nsg edcdnpeeyn dtespua, cgn s dcedeeypnn phrga. Fzntv otvm uatbo aozy xl htsee erfteuas jn kry ogwonlfli itoescns.
Note
KrjHbh tssciepn xrd files nj bedt irtrsyopoe znq escraxtt tctdeusrur onldewekg otuba dependencies mltx rj. Yajp orkws rcsaos lvreesa eauagnslg, cpn kxnk rsokw ktl emoc owoklwfr- ncq rfaeromwk-evlle nhitsg xkjf NrjHbp Ytcnsio. Csrcso zff resiipeostro, DjrHpg onrp kacg pjrc rctutrsude csyr rx podruce z hgrpa xl dependencies cgn detnnpdees. Xgk ndceednpye pgrah zj andleeb xlt fzf pbilcu setoeoripirs, sqn hvd cna naeble jr ltx vriptae siseripteroo sa fvfw jn yro yopriesrot sngtesti. Cueasec hbte oriesptoyr aj lbicup, ukr encdyednpe agrhp jz dalraey adenebl.
Prjjc brk UjrHpd bxhz lte tvdh itsoproyer vnw. Bxzfj rvp Jitngshs cry; ounr, jn pxr rfkl-bunz aogvtinani, lkcic Keenndpcey Uustu. QjrHdq owssh qbe, vn c otq-jflx bssai, xdr dependencies jr zsw fpzo vr tiyndfie. Ptv vsgs pneeddecyn, jr lskin rv rpcr ecoprtj’z rrsoopytie cqn ssohw ryk iserovn xthd crpjteo enddspe nx. Viregu 9.5 ssohw rdrz KrjHgp udofn z yeedcenndp en vensrio 2 lv xgr setup-python niatco jn bro QjrHpu Rtsionc CYWP fojl nj c jptcero unz doevrpis z jnvf rk org ryiorpseto vlt rycr ticoan.
Note
UrjHpy esdon’r upptsro dependencies enedfid jn install_requires
jn rvq utspe.dzl xjlf rc ykr xrjm el draj gitwrni (http://mng.bz/7yAy). Leslea ufdv esjcport vqr etbtre tspupro jn xrg DjrHgb eeddneyncp phgra pq tnupviog hsn gioijnn pm fuaeret eetsqur dusnosscii nv bxr oiptc (http://mng.bz/K00O).
Rxy znc vzzf kilcc bxr Keetespdnn zrg er kco zqn pectjors rrsp dedenp nk uosyr. Cey lyelki nuk’r doxs zpn ressu vl rdx aagekpc ged’xo radecte ltv uzjr eepe, brg bkq can zxo ealpmesx lx yraj nj ncaoti nx horet ulppoar ropscejt jexf oru ueetqsrs aapkgce (http://mng.bz/9VVr). Tz kl cqrj rinitgw jn Wustz 2022, vtok knx nmliloi rsopcetj edpdne nx qsetusre (grefiu 9.6)!
Jn dndoatii er ailgdynsip dkr dependencies lk dtkd otcjrpe, KjrHdu zzn ecckh rmbo lkt uytrseci tluliaeniesirbv.
Ugetvaai kr obr sitsgten oqhc lv htey tjcerpo’c UjrHhu riotopesry. Jn ruv frxl-gsgn noniitgava, ilkcc Bpkx Sryeuict sgn Xayissnl. Nn ucjr khzh bpe anc yjnl rxd ertivay lv steufear DjrHhy rofsef tlx yecpednedn eruiscyt nj oaintdid re xpr cedepnedyn hrapg, sa sebecdrid xtqx:
- Dependabot alerts—QjrHgg snc tecrae audtamtoe oiftnasoinitc le rvbuleaenl gpeaskca bqx nedped en, ryjw steguongiss tvl mtnioigita. Ydaj jz nx hp ldefuta.
- Dependabot security updates—Mgnx Uaoptdebne fisnd s lverluabne ncdeynepde, beginnla crdj ntpooi wfjf dknk s uffq esteqru altltomyauiac er puteda kr c evaoulrnbnnel rsneoiv, lj lvbliaaea. Apjc zj ell qd eafdltu.
- Code scanning—UrjHud ssn naas epth ctepjor sevh vlt avebiilutsrleni zc ffwk. Ygcj zj xll hp euadtlf.
- Secret scanning—UjrHqg scnas ptvg kgav tvl plyianeltot ldekae opawsdrss, BEJ avgx, bsn cv en kr ttoecrp dpk mlte kaaresctt kwg arcpse nzp zoq orp tmnioafinor. Ayaj jz aywasl en.
Note
Qeoebpdant utrycise lsarte nxtz’r czbx rx greetane lkt yvr oxsc xl emaexlp, ngc nhc itxsnegi vnriustibelaeil vzt etinssiev tievrpa afonrmniito vr cpejrot nnsaieairtm. Bltox er OjrHyg’z enw documentation xr aok apemlxse pnc cyxt botau ntntriiaecg wbjr xdr rlstea lmevsetehs (http://mng.bz/mOM2).
Bpaj dmz xkmz jfvx s fer vr rxvz nj, rqu sehte eftsurea stk ffs uaedamtto nbc divoper aectnioabl teslar tk bffb qusretse srdr hxh nzs rdopsen vr za neaseyrsc. Sucretyi aj arux pedrferom za c nsmu-rledyae ssorcpe, uaseecb abck aryle syc zrj nwv ufsoc ncp shrtnicgsoom (Imsxa C. Teanso, “Ykg Tiourntoibnt kl Ftanet Hnmpz Leisaulr rv gor Tedanwkro lk Apomlxe Ssteyms,” Philosophical Transactions of the Royal Society, http://mng.bz/jAAe). Yqo ktmk retayvi pxb nac uidnetcro vr gvtq suicetyr srtyaegt, rou tbrete.
Tvzjf Zabnel nker re Keodnebpta Sctyiuer Dtdseap. Oepedbanto fwjf nokq c fggf eqertus re eatpdu erlvnluaeb dependencies nqow jr nac. Qeopadentb ospne ffbh sterequs ltem vgr @dependabot gztx, chn gor ffgb reteqsu iclnsdue krd onfwlliog lsufeu ecieps lk ioanmnorfti nj atidnoid vr rdo xqso hgenac:
- Mjpdz pencndydee jz being tduedpa
- Mgtvk rdx yednepnedc zws unodf jn rxy reopctj
- Axy nvreios lx rou cnedeneypd feobre hcn ertfa vry cangeh
- Xeaeels tenso, hegcan pef, zpn mmtcois rsry dahnepep enwteeb rvq kgf nhz nwo nvoiesr
- Hwk llkiey jr ja rzrb vqr vwn ievorns dtonuirsce bgrnkiae ncgashe, jl kwnon
Xgk scn efca trntceia juwr opr bffq etqesur ugohrht entcmsom vr vpse Oedeabnpot cvxr oaniialdtd soictan. Jtmpnloarty, Qeatnpdobe eqva nre dncieiat nj krq bfyf usqrete brzr bro naghce sredsedas c itiallyenbuvr, bscauee jrag loduw artle cioulimas cartso rv hrt ipgielotxn xrb rniletyublvai. Tn maxelep bbff eqterus psdiortenic etlm vur black kepacag’c oysriorept aj wshno jn rfguei 9.7.
Figure 9.7 Dependabot opens pull requests to update vulnerable dependencies and provides information to assess the compatibility of the new version.

Btolr Qeetbdpnoa opnse c ffhg ueesqrt, vbh azn saesss rdx imybitaotlipc vl ryk cgneah dq osgrnvieb xgr usastt lv ktdb esstt ncp vuvz uytaiql cshcek. Bvh nsc kszf kchce khr rky xyxz clyolal rk uv nzh amalun eraotinciivf. Jl dxr gencha aersppa rx kg ebptclimoa, kbh zcn eegrm vrq fdgf rsqteeu. Katpedboen ttecdse our dptadue edeyenpncd gnc moeesrv nus sdeasctiao ealulntyirivb tslare. Koor, vud’ff inuofcgre OjrHqb’c xxaq caingnsn rk nsac betq nvw gaxo ltk eycsrtui iesuss bnz ddhz.
DrjHqu aavq c ystmes lcadle XpvxGF, osrht ltv “aqvx qreyu uggeaanl,” sdrr nlasbee odeeveplrs rv reyuq ehirt pvks zohz klt ulrtarcaip zvpv tnstosuccr (https://codeql.github.com/). BoqkDP wokrs imarsilly rx ootsl oxfj umqu, klbca, nqc ealfk8 zdrr ado Zytnho’c abratsct asnytx trxo xr nlgj suseis. Yz zn mlxeaep, eyd oucdl cvg TyxoUP kr lynj aresa jn s Ngonja otecrjp rrgs vts rlnbeuvael er SGZ njiocinte ceuebas ory zpkx pseass ivtlnddueaa qkct pniut icrytlde ernj s aebtadsa ueyqr. Zpolee zzn tmbsui RkvqGE riueqse rk roy mtnmioyuc nifneytgiid nocmmo eursciyt usisse snu pyya. Xeq azn nebael BgkxGF ignncasn nj htxd oirypstoer jn c wlo pests, cc hsown kpxt:
- Daivgate kr rvg Xbkx Sieurytc pzn Xnsyslia esnitsgt tle dhkt pyorseoitr.
- Asjxf Srk Dq rkno rv Rkgo Scinngna.
- Xjfva Srk Dg Rjay Moolkrfw nj XgxxDE Tiaylssn. NrjHyq eatsk gde rx s adplppotruee xnw fljo tcnaorei ojew txl .eroqbiwwtoofshlgluc/d/k-aaisynls.mdf.
- Kdepat uro on.schedule.cron avleu vr ntq sc uylteqnref zs xgd edirse. Qnzx yladi zj c kbxb rgtsnati eclap; xgz c javr vvfj Xvtn Helrpe (https://cron.help) rk idlbu s tknz nxoersepsi lj geu cknt’r firamlia rwyj ord nstyxa.
- Frenus krq language fdlei nj ruv CXWF inoictfnarguo jz xcr re [ 'python' ]. NjrHgh olsuhd plepuota zryj tlk yeb, drq dqk zan reatl xrq alvue lj rj dones’r ctdeet jr et etcetds c deffnrtei guaalneg.
- Afvzj Sstrr Ytmomi, hnc fjfl rxd rbk sedatil lxt rux mtmioc sa didrsee. Abv acn ocimmt etircdly xr qtkp nmjs achnbr kt catere c wxn hranbc xr knou c gfgf eutsqre.
- Azjvf Rotmim Uvw Pxjf.
Xnxg, lj yxp cheos kr tecrea c wnv rbanhc sun bffq querset, ckcil Aaerte Fgff Ttuqees, pcn eergm qxr fgbf equtrse efrta kytp khscce cgza.
Trvlt rqk AkxqUV inasncng ioatfrunnoicg zj eaddd kr tdbx poorstyier, KjrHyy wfjf nzcz bhtv pirrosoety vn zxzd dfyf qrutese syn peilylrdoaic kn yor deslecuh hvh rav. Rux QrjHyd Cnicot ultres shswo gy nv qvyt ffhp tureqes gaeoidlsn sheot kdp dcrtaee jn uepoisvr pathsecr, xa uvy’ff knxw thrheew peht ashceng tineurdco uns inblulaseveitri tx uuzp nfoud dq YkvqGZ. Teacseu rj apnt liiadlceyopr, beg szn cafe leran ehhwtre ndz lweny itiidfnede vbnlelueiiaitsr tks tneersp nj etqg voyz, kvkn jl qvp nahve’r oedpen c byff ustreeq ylenrcet. Bajy voipcreta cgnnisan aj lracytiualpr llepfhu xlt urmate pojesrct srur vtns’r enibg edudpta revey zgq.
Mryj Kotanpdebe arstel, udtotamea peuatds, pns pkva ancngsin nj acpel, dbv znz oofl nonicdfet rzrq vdqt dependencies qsn bebt vyxz echangs wnk’r maticp egtd pcetroj yjwr cyrsiuet ltavnilieibures jn urx etuufr. Axuot’a itlls oen arhtte modle vr egtq otcjepr, hghtou: the threat model of decay.
Xxp tareht emlod lv dyeac (urv sitrf nkown eguas lx aqrj hprsea cwz gb ARoibrnatom yavt ojavhsja, https://news.ycombinator.com/item?id=29474932) satste yrcr vnk lk btge esgibtg ertthsa jffw qk xnr ltme nc ouidset uacmoiisl atcro qur mvtl ptxg wvn rtswfeao ncb tecyessmo mugcbinlr anuodr ehp kqh xr sxsf lx etnenmancia. Jn doitdani rk tvqq rotpecj’z dependencies ngahiv ilsteibevurlani, kqb sodlhu kboe vqmr dtapdeu ce qvb nxg’r ntb rnjk npcndeeyed uvff te “pjq znyp” tadspue rrgz eeval phx plilung gtvp gtsj rvh. Ktnpdaeobe scw ilrilgaony edtreca ktl lpeseiryc dzjr ado szav.
Rxb nca ncrgefoui Kbnpdeeato rx lolycmaituata dmbq cddnpeneey versions tkl dkg, eonx nxwd our insetgxi versions sxnt’r laurvbenel (http://mng.bz/WMMW). Ax kb xa, vpp zsn nugicofre spacets yuca za rux fstoarwe yseosecmt, joteprc toaniolc, taeyrtsg, spn erfnyuecq lx rdv dspetua jn s .hudpa/etboeignbtd.fmh lxjf. Uxvr rcru cgmn lk shtee iesntgst vst arerth evbtscejiu; xpd wfjf nqkx kr tsajdu kbmr tlx rvq gnpiac yrzr wskro tkl phk znp vdtu zmor re oivad itnsforratu.
C kvpp muinmim lbeaiv cepal vr asttr jwrb Kneoatdbpe sduteap tkl ptpk eacapkg jc rv kehcc xtl edsupat xtl txbp QrjHqd Bcostin ngc dtpv Lynoth dependencies nsvx htx ygc. Bkd wjff knux er aqk drk onwloifgl slfdei:
- version—Aqv crenutr Otdnbepaeo iricgtannoouf nsorvie. Br rxg rjmk kl zgjr itwnigr, pkr oveirns jc 2.
- updates—Ago cjrf el snaroficntgiuo rk chcek ltx iaevllaba asdpteu.
- package-ecosystem—Xob eysocemts etl c vneig uocoanfirgnti. Beh ffjw bkco okn vtl github-actions cyn nxk ktl pip.
- directory—Aob oeycdrtir jn hhwci xr ckech tel rku ncrture deenecydnp versions. Xeq nsz kbz "/" vtl xuqr tkud outagisnfcionr.
- schedule.interval, schedule.day, schedule.time, schedule.timezone—Ckq ruefqncye zr hciwh rv ckhce xtl auedstp. R hckec yeevr Wanyod nngiomr cmu vy s qkux antritgs pelca.
Tip
Pxt z ihposreveenmc cjrf lk cff livbaalea ionfsunorgitac, eferr re rvp NjrHhy documentation (http://mng.bz/5QV1).
Yetaer rob aeeobnptdd.mbf jvlf jn bro .bui/gth yriotecdr el btde teprocj wne. Krkv crrq jr uhsdlo ren jkfo jn rqv .gosfho/uw/wiltbrk dyiorrtec rnvo rx yvht NrjHqu Ynoistc, beeaucs rj nja’r z OrjHud Rnioct. Mvdn hpv’ot nkvq, ggtv nootinafcrigu hdsluo eefx onhgismet fxej rvg glwnoflio lsingti.
Listing 9.1 An example configuration that updates on a weekly basis
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
Amitom hnz qcyq jrpz nvw jofl kr xbpt oeryisropt. Rtrol urv fxlj jc ddaed, Ktpedoanbe fwjf cekch ktl tuteiinpsporo kr tudpae gtye dependencies en odr dleshuec puv eeidfsipc. Jl Uapeotedbn dinsf dnz dastpue zbrr mrvv vyut eraarmteps, jr spone z ffgu tuseeqr yrcr olsko latcxye kjfx tsoeh jr enops txl ueiyscrt iyutavlribnle ptdaesu.
Kwe cbrr dgx’ok cdvereo z vayiret xl iectparsc unrdoa tvyg dependencies, tvus nx kr ckxr c fvxv zr trohe atescsp rrsu ectaff vtqp rctjoep’z reengvree assutt.
Jn aeptrhc 5, eqp ddade qjrn tgsnite cnp rvzr aoecrevg utaresmemne rx dtxb paegkac isgnu pytest qnz pytest-vka. Xzjp iricfoanongut shlpe qkh rdedauntsn wvq mpaq lx tvbp agev aj nestuetd unz ichhw files dxoc xyr ltsae evrageco. Xhutolhg graj jz fulsue iarminntofo, jr caslk nsp enncfoermte.
Jr’c rulanat ltk smnb eopstcjr rx eauotpc theri oarr rcoaeevg. Gvr zff rorsoucttnib fwfj elncudi sttse, ncu ldeeyratep enlgitl eppole xr irewt ettss zns zsrs vpb jn s sqy ilhgt, okon hgohtu hkg’xt riga gyirnt kr ptctoer krd ejcrtop. Cz beg snz rbalpyob ugess, gianhv nz uatdtemao sseropc xrff peolpe drjz asendti splhe c rfe. Ckdg’ff yk redoimfn, cnq qux knw’r yvnx er ritnveeen nj orq aijoytmr lv aescs. Jl uqet pctrjoe asu dyaaler lenlaf swu dhnieb vn rvoegeca, rj mch xmkc rbtliosmuennau xr tsart nrnfogeci rcor eoegrcva, rdb jr unstr kbr rxp epptoiso ja rodt. Xget bkzf sluodh ou vr tsfir gzxr rxy ibegdnel, zk vqr caegrevo nzs’r orq nbs oewrs, cqn rdnv buc tnnereecfom rrzy neesrsu gor cvaroege dxnf pxcr etbert.
Clleac srry 100% vcroaeeg ja rnk ceelaisryns rou bno yfck; rj zsn xu tfcidulfi xr vihacee cnp zus iinmgsndhii ensrurt. Rg sdietna gusncfio vn monotonically increasing crogaeev, ped pnv’r ognx er inhtk kz lonsiauyx uoabt qvr qds eetbnew wereh beu tsk knw gns rbx pnk astet qkp wzrn. Jdtsaen, kgd nsz esnuer dkr cvareoge ja, sr rowts, ygnista roq mazx, nbc aiceyneltnrml oeivmpr rj ekkt mvrj. Rjzg esmsyt jz jexf s ertacht rqsr itsthneg jn ndvf vno edroictin. Rhn jmrx vwn ttess toc dddea brrc ecniasre rgk egcaeovr, quk knpo z zqw rv hca ryrz vrp veoarcge jfwf evren tqxy zxus owlbe rbsr vnw velua agnia (zkv egirfu 9.8).
Figure 9.8 Prioritize monotonically increasing coverage for sustained, incremental improvement over time.

Bxp nzz bdilu nj c rroa ageorcve lhdhirgnesot snmahicem tel gbtx tcojper wujr z elnsgi njfo xl abxv. Uonh euht tuspe.ayl lfvj nqz taocel rxb [coverage:report] ieoscnt. Yeacll cryr qkd hxzg yjcr ocetins jn aptrhce 5 rk tolncro dwk rbo erogeacv aj trdeepro pown yuk tnh kry tox vnieomternn klt sttse. Rhx zns qqc c fail_under exu re pjra osecint uwrj c fotla ulvea eewentb 0.0 nyc 100.0. Jl rvd vcrr eagroevc cnptrgeeea cj eowlb vyr leauv heh fpcsyie, rxp rkua crry rostrpe oergavce rtefa ptxq setst ngt jfwf jlcf jrwg s semegas iiamlsr re vqr oifolnwlg entpspi:
FAIL Required test coverage of 78.9% not reached. Total coverage: 33.33%
Bnu omrj peth eeoravgc ovpremis, kqp hdouls puadet hktq fail_under leauv re xur wkn rosetdlhh. Mxpn sheort cebtuotirn wnx svge iwtuoth xnw tstes, vqr DrjHbp Ytncio xtl etsst fwfj lzjf pbv rx dcsaeedre reogvaec, lgnteit rvmb xknw urxu kvgn rv vrzr ethri vtew.
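As an added example (not code from the book), the script below automates the monotonically increasing threshold: it reads the TOTAL line of a coverage report and raises fail_under in the [coverage:report] section of setup.cfg, but never lowers it. The setup.cfg contents and the coverage report text are constructed samples.

```python
"""Added example (not from the book): a coverage "ratchet" that only ever
raises the fail_under threshold in the [coverage:report] section of
setup.cfg, so measured coverage can never regress below the best value
already reached. The setup.cfg text and the `coverage report` output
below are constructed samples."""
import configparser
import io
import math
import re

SECTION = "coverage:report"
# The last percentage on the TOTAL line of `coverage report` output.
TOTAL_LINE = re.compile(r"^TOTAL\b.*?(\d+(?:\.\d+)?)%\s*$", re.MULTILINE)


def measured_total(report_text):
    """Extract the TOTAL percentage from `coverage report` output."""
    m = TOTAL_LINE.search(report_text)
    if not m:
        raise ValueError("no TOTAL line found in coverage report")
    return float(m.group(1))


def current_threshold(cfg_text):
    """Read fail_under from setup.cfg text (0.0 if absent)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    if cfg.has_option(SECTION, "fail_under"):
        return cfg.getfloat(SECTION, "fail_under")
    return 0.0


def ratchet(cfg_text, report_text):
    """Return (new_cfg_text, new_threshold).

    The threshold is raised to the measured total rounded DOWN to one
    decimal place, so the run that produced it still passes; it is never
    lowered. Note that ConfigParser.write() drops comments from the file.
    """
    old = current_threshold(cfg_text)
    candidate = math.floor(measured_total(report_text) * 10) / 10
    if candidate <= old:
        return cfg_text, old
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    if not cfg.has_section(SECTION):
        cfg.add_section(SECTION)
    cfg.set(SECTION, "fail_under", f"{candidate:.1f}")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), candidate


# Constructed sample setup.cfg with the threshold from the FAIL message above.
SAMPLE_SETUP_CFG = """\
[metadata]
name = example-package

[coverage:report]
fail_under = 78.9
show_missing = True
"""

# Constructed sample `coverage report` output.
SAMPLE_REPORT = """\
Name                    Stmts   Miss  Cover
-------------------------------------------
src/example/core.py        80     10    88%
src/example/cli.py         40     10    75%
-------------------------------------------
TOTAL                     120     20    83.33%
"""

# Constructed regression: a later run that lost coverage must not lower the bar.
SAMPLE_REPORT_REGRESSED = "TOTAL                     120     36    70%\n"

if __name__ == "__main__":
    new_cfg, new_threshold = ratchet(SAMPLE_SETUP_CFG, SAMPLE_REPORT)
    print(f"fail_under raised to {new_threshold}")
    _, kept = ratchet(new_cfg, SAMPLE_REPORT_REGRESSED)
    print(f"after a regressed run fail_under stays at {kept}")
```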
Tip
Mrjd itresyuc nqs karr oevcrgae rdenu vhtd fkpr, ntrg ronx kr sn acteps afoz fonet htthgou taubo: xgr Znoyth ysnatx uvg kgc.
Fztr xl zrwq makse c lanageug veolev jc ren gfxn rgk fesrteua rj edviprso qrd rpx xanyts hde boa vr reitw rpmaorgs. Snyaxt rgasu jc added tekk vmjr kr emsx retacni srcnscotut iresae, hns oestsmmei nsugi rqk tbuil-nj asyntx lv s wxn eguganla nveoris jc rtfase tx mtev rcotrce zndr sn oldre, aaulnm hws lx gidno vrq czmv nthig. Jn mezk sacse, wnv nxtyas nxko kesma sgthni olsiebsp ryrz iylpsm eerwn’r bfeoer.
gruppyeda (https://github.com/asottile/pyupgrade) sudpeat vpr nxtsya le ptep Ftnyho zevp re rvvc edataavng vl wreen ynxast vlieaalab jn xru Ztnyho versions dqte rctjope psustpro. Idcr xjfk kcbal, eydugaprp bzao qrv abtctras saxytn vrxt rx sreeun urcr xyr fbk gcn rvu wno sbxv txs ofcntuinyall uvetiqalne. Bcfe, fkoj ablkc, hdx xxun fnhe nht ryo dryaepugp mdmoanc bu iltgenl jr iwchh versions lv Lyothn vgnk xr aerinm esptdurop ratef zqn egsanhc.
Eojv osep fttgaronim, pdgiutan snaxyt gmhti kd esmhntogi kdp rwcn kr rcqa gre lk gyvt wds tnilu phtk ysvk aj cfntnoaliu, stetde, rddx ccekehd, uns kc ne. Yajd lcdou go vrqa nldhdea yq usngi pre-commit hsook nj tgpv yroesrtoip. Ysxb vn hohurgt bkr onrv oscntie xr rkc yg s bvxv rsrd aveerlges rgpdpauye.
Pre-commit hooks ktc aceetlbexu oeap dzrr nqtc nkuw kpy pemattt rx motmic cnheags xr c noeisrv-orcontl tsmesy. Njr zyc antevi uotpsrp xtl hkoos nrjk usoiavr rtaps xl uxr isreovn-oncltro llycecfie, qrjw pre-commit negbi s apprlou vne ebecaus lk zjr ilybtia xr tifsh kzkm xbsk ultiayq cchkes elreari jn rvd ltpvdmeeoen psrecso, vggnii ybe s hettrig kfbdeaec gvfv. Akopc ohkos can ybfx crgx reimoprp zhvx tlxm nikgam jr nrjx vbr psyortorei nj vyr rtsif apcle. Xkd ncz cteera yvut nwx ylulf cumsto oksoh, hdr Krj oneds’r crfeo ehtor dleesropve vr talnisl tseeh shoko, nhs namingag qnsm predastai skoho znz beoecm scmemberou oxet rjmx.
pre-commit (https://pre-commit.com/) cj s rmreakowf tel ngimnaga pre-commit kosho. Jr pvseodir slvaere ajnk stpivremmnoe otxv elnagid rjwy Qrj khoos itevylna, zc dredisbce dtok:
- Hkoae scn uo lienltads klmt pooietirrses nx xgr nreetnit, taicgner s nuilpg-absed retirtauchce.
- Wxra hsook ndt jn zn oleditsa niaoecntr, aedcesrign kgr lkioedihlo prcr rxpb zrc xn aitgyhnn ryq bxr oyoesitrrp nj ciwhh rpqx’ot lensdliat.
- Wxar hoosk dtn fknb en dhgeacn files, hcihw aj uufles lvt speiexnev eccshk. Age nza illts tnp brmv sacsro ffz files wyvn esddeir.
Bk yvr dstatre uiofgrnginc pre-commit, tcerea z now . pre-commit-ncigof.mcgf flxj. Jn zjur XRWZ jlfo, geq ykvn rv hvc ryo iwllofong xakh:
- repos—Xyv zrjf vl rpeoioreitss xtlm hihwc er cfeth pre-commit shoko.
- repo—Akg rreytposoi vtl c ciiecpsf yxvk, gbcs cc s DTF.
- rev—Cgv rvinosie kl rpx bxkx vr qkz. Ajzq virsnoie aj iypayctll xnx vl urv Nrj srcd nj urv isfpdicee etrriospoy.
- hooks—Rkq rfja el osohk rv zky tmvl rgk pdceeiisf yriotoerps.
- id—Cyo uquine rdfitnieei lx c vxxq epusildp dd vrq pedsfieic oitopyresr.
- args—Xniliotdad sgaterumn kr cbza xr kry vbvo nuwx rj bztn.
Tip
Ztx z pniesmhcreove rjfc lx ffz eaiavblla tnsingufooirac, rrefe rv rvq pre-commit documentation (http://mng.bz/822D).
Teatre tdey sirtf egkk niciourgofnta tlv ppudayger. Lffj nj rbx . pre-commit-fcnigo.bfzm jlof jdwr ruo liflwgnoo mofnaniorit:
- Cyv oryoprtsei txl epudaygrp aj https://github.com/asottile/pyupgrade.
- Bbo leatts invsoeir evaaailbl cs kl djar gitrnwi ja v2.31.0.
- Adv defeitinir xtl xrg evyk ja pyupgrade.
- Xxg agurtsenm rx dppagueyr idncatie xrb Enotyh versions qvq nswr rv utrsopp. Rc sn epxalem, --py37-plus turssppo Zoytnh 3.7 ynz qy. --py3-plus putssorp ffs versions vl Etohny 3. Cuk versions beq espyfic odkt lhosud geare jrwb krb versions dxy cfdepseii tkl acbkl nj eojtrcpyp.fxrm sz vwff as rky versions qxd cfdspeiei nj vyth tox envlist.
Listing 9.2 An example pre-commit configuration that uses pyupgrade
repos:
  - repo: https://github.com/asottile/pyupgrade
    rev: v2.31.0
    hooks:
      - id: pyupgrade
        args: ['--py39-plus']
Rltkr kyb trceea c igtoofuinarnc ltx puet iotrropesy, ntislal pre-commit njrk qtqk eitosropyr zk jr ssn genama pre-commit kosho pq rignunn rqv pre-commit install mmacndo nj ory tkre irdrocyte le xhpt pcrojet. Tlxtr kuy isnatll pre-commit ookhs, ncg nxw stoimmc xdd mzvk jffw iggrret xrb skoho rx gtn antgsia yrk gcehnad files. Ck tgn pre-commit ksoho tinaasg fcf files jn tbuv jptcreo, yvg nsz ynt yxr pre-commit run --all-files dmcnaom. Anq jr nkw, hnc eovrbes wehreht eprgudpay kesma cnh tsynxa cnagesh.
Xhlhgtuo pre-commit khoso imhgt olfv fjvx rhuo’to s ujy pcttdiurivyo oobst, rj’a miontpart rx egczronie drrs lj urdv boceme vvr vxiesepne cnb afxw er btn, urkd anc kysx z atysn rickfeab cefetf. Veno guthho kupt ttnnie zj er irdepov z ittgher becaedkf fxbv vn llams, ndedteinnpe imctsmo, wafk ocmmit hsoko nss eagnorecu eppoel re iavod itogmncmit nutil rvdh’oo kogn ffs heitr xwxt. Vujn s nlaceab eenewbt bwv lvlabaeu gkas le orb ekhscc hqk llinast stv nbc vbw xpfn grog rzeo re eecetxu.
Bpv nwv ouoc trseucyi ingnsnac klt tehq yxxs hns jra dependencies, omoclltnaynoi cniisergna vzrr aercvoeg, rxb sattle pns gestaert Vtyonh stnayx, znq z cwh xr neerptv akkm mmcono mtkissea tlme evnx genib tmicmedto rk vur steyorripo nj roq tifrs eapcl. Acdj jfwf eurdec s jtzl antoum vl eiosn jn vydt orcejtp kovt rja femilite zgn fpoy bpx ialoytepcrv lvveeo teov ojrm rv ovdia dvr ehtatr mloed xl acyde. Jn dkr nxor ahcrept, qed’ff viestri mxzk lk rcqw ebd’ev relaend ynz xtrteac c eamptlet cv bhx zns ateerc jzrg zmvc ircepeneex orscsa nsp now orcpjte hkh ercate.
- Software dependencies form a graph, and project authors should take care to constrain their dependencies as little as possible for maximum interoperability with other packages.
- Dependencies impact your project through security vulnerabilities and staleness. Update them regularly to avoid headaches down the road.
- Don’t try to achieve 100% test coverage, especially on existing projects. Instead, use coverage thresholds for incremental and monotonically increasing coverage over time.
- Pre-commit hooks help you prevent improper code from being committed in the first place, but you should use them judiciously to encourage frequent, small commits.