Why is this important?
Most of the code in a modern application comes from third-party libraries. That speeds up development, but nothing guarantees that those libraries are secure or well maintained, and every vulnerability in a library you depend on is a vulnerability in your application.
Over 750 vulnerabilities have been reported in Python packages.
Updating Vulnerable Libraries
Option A: Manually update the packages
- Look at the vulnerable package in the GuardRails PR comment.
- Upgrade the affected package to a non-vulnerable version:

```shell
# Install a specific non-vulnerable version
pip install aiohttp==0.16.3
# Or upgrade the package to the latest version
pip install --upgrade aiohttp
# Write the new pin back to requirements.txt
pip freeze > requirements.txt
```

  Note that `pip freeze` snapshots every package installed in the active environment, so run it inside the project's virtualenv (or edit the single affected line by hand) to avoid dragging unrelated packages into requirements.txt.
- Test to verify that the upgrade doesn't break the app.
- Ship it 🚢 and relax 🌴
Option B: When no update is available
- Look at the vulnerable package in the GuardRails PR comment.
- If no fixed version is available, you have 3 choices:
  - Remove the package if it's not needed.
  - Replace the package with another one that doesn't contain the vulnerability.
  - Take a closer look at the vulnerability details and create a PR patching it (upstream if possible; if you patch a fork instead, keeping it in sync with upstream becomes your job).
- Test to verify that your actions don't break the app.
- Ship it 🚢 and relax 🌴