Monitor Python Project Vulnerable Dependencies

Monitor Vulnerable Project Dependencies is a framework that allows users to monitor the requirements of their projects and notifies them whenever a dependency is outdated. It does this by tracking security updates for all of a project's dependencies, and it marks the project in red as insecure when a known vulnerability affects one of them.

Security advisories are tracked through several means: changelogs, the CVE database, and manual monitoring of packages that have had vulnerabilities disclosed. Each advisory is manually verified, so it can take a handful of hours for notifications to be sent. The service looks for dependencies in files matching:

  • req*.txt or req*.pip,
  • requirements/*.txt or requirements/*.pip,
  • buildout.cfg, versions.cfg,
  • tox.ini,
  • Pipfile, Pipfile.lock.
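As an added illustration of the mechanism described above (not code from the service itself), the script below shows the two steps such a monitor performs: recognising dependency files by the glob patterns listed on this page, and classifying each pinned requirement as insecure, outdated or ok by comparing it against an advisory feed and a release index. The advisory records, the "latest release" index, the package names (acme-*) and the requirements file are all constructed sample data; the single "fixed_in" version per advisory and the simplified version comparison are assumptions made to keep the example dependency-free.

```python
"""Toy dependency monitor: find dependency files, parse pins, flag insecure/outdated ones."""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Glob patterns taken from the page's list of scanned files.
# Assumption: patterns are matched against the repository-relative path.
DEPENDENCY_FILE_PATTERNS = (
    "req*.txt", "req*.pip",
    "requirements/*.txt", "requirements/*.pip",
    "buildout.cfg", "versions.cfg",
    "tox.ini",
    "Pipfile", "Pipfile.lock",
)

# Constructed stand-in for an index of latest releases (e.g. from PyPI metadata).
LATEST_RELEASE = {"acme-web": "3.1.0", "acme-auth": "1.4.2", "acme-util": "0.9.0"}

# Constructed, placeholder advisories: versions strictly below `fixed_in` are affected.
# These are not real advisories and the identifiers are invented placeholders.
ADVISORIES = [
    {"package": "acme-web", "fixed_in": "3.0.2", "id": "EXAMPLE-ADVISORY-001"},
    {"package": "acme-auth", "fixed_in": "1.4.0", "id": "EXAMPLE-ADVISORY-002"},
]

# Constructed requirements file exercising each outcome.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
acme-web==3.0.1        # below the fixed version -> insecure
acme-auth==1.4.2       # fixed and latest -> ok
acme-util==0.8.5       # no advisory, but not the latest release -> outdated
acme-extra             # unpinned -> cannot be assessed
-r other.txt
"""

# Matches "name" or "name==version"; other specifiers are treated as unpinned.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def is_dependency_file(path: str) -> bool:
    """True if a repository-relative path matches one of the scanned patterns."""
    return any(fnmatch.fnmatch(path, pat) for pat in DEPENDENCY_FILE_PATTERNS)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Acme_Web' and 'acme-web' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified numeric comparison key; PEP 440 pre/post-release rules are ignored."""
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def parse_pins(text: str) -> List[Tuple[str, Optional[str]]]:
    """Extract (normalised name, pinned version or None) from requirements text."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options like -r
            continue
        match = PIN_RE.match(line)
        if match:
            pins.append((normalize_name(match.group(1)), match.group(2)))
    return pins


def assess(name: str, version: Optional[str]) -> Tuple[str, Optional[str]]:
    """Classify one requirement: insecure (with advisory id), outdated, ok or unpinned."""
    if version is None:
        return "unpinned", None
    current = parse_version(version)
    for adv in ADVISORIES:
        if adv["package"] == name and current < parse_version(adv["fixed_in"]):
            return "insecure", adv["id"]
    latest = LATEST_RELEASE.get(name)
    if latest and current < parse_version(latest):
        return "outdated", None
    return "ok", None


def scan_requirements(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every requirement in a requirements file."""
    return {name: assess(name, ver) for name, ver in parse_pins(text)}


def project_status(results: Dict[str, Tuple[str, Optional[str]]]) -> str:
    """Roll per-dependency results up to the badge-level status: insecure beats outdated."""
    statuses = {status for status, _ in results.values()}
    if "insecure" in statuses:
        return "insecure"
    if "outdated" in statuses:
        return "outdated"
    return "up-to-date"


if __name__ == "__main__":
    results = scan_requirements(SAMPLE_REQUIREMENTS)
    for name, (status, advisory) in results.items():
        print(f"{name:12} {status:9} {advisory or ''}")
    print("project:", project_status(results))
```

The roll-up in project_status mirrors the page's red badge: one dependency with a known advisory makes the whole project insecure, regardless of how current the rest are. Unpinned requirements are reported separately because a monitor cannot tell which version will actually be installed.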

There are three types of notifications supported, all opt-in:

  • Badges – show a project's status and come with ready-made snippets (in Markdown, Textile, RDoc, HTML and reStructuredText) that can be copy-pasted into the project's README file.
  • Emails – easily control the scope (outdated or insecure) and frequency (daily, weekly or monthly) to avoid getting too many emails.
  • Pull requests (GitHub only) – GitHub users can opt in to receiving pull requests: instead of manually bumping your requirements, just accept the pull request.

You can read more and try it for free with a GitHub or BitBucket repository here:
