Protecting Python software supply chain

Pinning versions, hashes, and dependency graph

requests==2.1.0
flask
urllib3==1.25.2
xml2dict==0.2.2

$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile with python 3.9
# To update, run:
#
#    pip-compile --generate-hashes
#
flask==2.0.1 \
    --hash=sha256:1c4c257b1892aec1398784c6379... \
    --hash=sha256:a6209ca15eb63fc9385f38e4527...
    # via pysupplychaindemo (setup.py) (direct dependency)
    # demo.py -> flask
jinja2==3.0.1 \
    --hash=sha256:1f06f2da51e7b56b8f238affdd... \
    --hash=sha256:703f484b47a6af502e743c9122...
    # via flask (dependency of a dependency)
    # demo.py -> flask -> jinja2
markupsafe==2.0.1 \
    --hash=sha256:01a9b8ea66f1658938f65b93a8... \
    ...
    --hash=sha256:fa130dd50c57d53368c9d59395...
    # via jinja2 (dependency of a dependency of a dependency)
    # demo.py -> flask -> jinja2 -> markupsafe
xml2dict==0.2.2 \
    --hash=sha256:20e4b48926ba3537b57587496c46d2...
    # via pysupplychaindemo (setup.py) (direct dependency)
    # demo.py -> xml2dict
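The value of a hash-pinned lock file is that an installer can refuse any artifact whose digest is not on the list, and the "# via" comments let you trace exactly which direct dependency pulled in a transitive one. The script below is an added example (not from the original post or from pip-tools) that parses a constructed file in the shape of pip-compile --generate-hashes output, rebuilds the dependency chains from the "# via" comments, and checks a downloaded artifact against the pinned hashes the way pip does under --require-hashes. The package bytes and their digests are constructed here so the example runs offline; the names parse_requirements, dependency_chain and verify_artifact are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-ins for downloaded wheels (not real packages). Their sha256
# digests are computed below to build the sample lock file, so the example
# needs no network access.
ARTIFACTS = {
    "flask": b"constructed flask-2.0.1 wheel bytes",
    "jinja2": b"constructed jinja2-3.0.1 wheel bytes",
    "markupsafe": b"constructed markupsafe-2.0.1 wheel bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample in the shape of `pip-compile --generate-hashes` output.
# jinja2 carries a second (all-zero) hash to show that any one pinned digest
# is acceptable, as with a package published as both wheel and sdist.
SAMPLE_REQUIREMENTS = f"""\
#
# This file is autogenerated by pip-compile with python 3.9
#
flask==2.0.1 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['flask'])}
    # via pysupplychaindemo (setup.py)
jinja2==3.0.1 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['jinja2'])} \\
    --hash=sha256:{'0' * 64}
    # via flask
markupsafe==2.0.1 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['markupsafe'])}
    # via jinja2
"""


@dataclass
class Pin:
    name: str
    version: str
    hashes: set = field(default_factory=set)
    via: list = field(default_factory=list)  # packages that require this one


REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
VIA_RE = re.compile(r"^\s*#\s*via\s+(.+)$")


def parse_requirements(text: str) -> dict:
    """Parse pip-compile output into {name: Pin}.

    Each requirement starts a logical line continued with trailing
    backslashes; the indented "# via" comment names the requirer(s).
    """
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REQ_RE.match(line)
        if m:
            current = Pin(m.group(1).lower(), m.group(2))
            pins[current.name] = current
        if current is None:
            continue  # file header, before the first requirement
        current.hashes.update(HASH_RE.findall(line))
        v = VIA_RE.match(line)
        if v:
            current.via.extend(p.strip() for p in v.group(1).split(","))
    return pins


def dependency_chain(pins: dict, name: str) -> list:
    """Walk the "# via" comments back to a direct dependency, e.g.
    markupsafe -> ["flask", "jinja2", "markupsafe"]."""
    path = [name]
    while True:
        parents = [p for p in pins[name].via if p in pins]
        if not parents or parents[0] in path:  # direct dependency, or a cycle
            return path[::-1]
        name = parents[0]
        path.append(name)


def verify_artifact(pins: dict, name: str, data: bytes) -> bool:
    """Accept an artifact only if its digest is one of the pinned hashes.
    A package with no pin is rejected rather than trusted."""
    pin = pins.get(name.lower())
    if pin is None or not pin.hashes:
        return False
    return sha256_hex(data) in pin.hashes


def audit(pins: dict, artifacts: dict) -> dict:
    return {n: verify_artifact(pins, n, d) for n, d in artifacts.items()}


if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    for n in pins:
        print(n, "->", " -> ".join(dependency_chain(pins, n)))
    print("clean:", audit(pins, ARTIFACTS))
    tampered = dict(ARTIFACTS, jinja2=ARTIFACTS["jinja2"] + b"\n# injected")
    print("tampered:", audit(pins, tampered))
```

The second audit shows the point of --generate-hashes: a single byte appended to the jinja2 artifact changes its digest, so the pinned file rejects it even though the version string still matches.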

Keeping the dependencies up-to-date and getting the security updates

Enabling GitHub's dependency checker
Notification about vulnerable dependencies
Automatic pull requests created by PyUp and GitHub Dependabot
Sample pull request from PyUp to upgrade requests
Sample pull request from GitHub Dependabot to upgrade urllib3
Sometimes it’s possible that there is no fix available for a vulnerable library
