Below is my requirements.txt. Notice the comparison operators. Whenever I push to my Heroku dyno, a buildpack is triggered which parses the requirements.txt and sequentially installs each package with the exact version number specified. Most of the package versions installed are “grandfathered” from when I initialized the installation, meaning they are frozen in time. But naturally, as package maintainers add features and patch vulnerabilities as they increment each release, I am missing out on these updates, thus putting my website at risk of exploitation. So if I change the comparison operator from “Equal” (==) to “Greater than or equal to” (>=), every time I deploy changes to my Heroku dyno, the buildpack will grab the latest and highest release for each package. The benefit of this approach is that I will get all the latest security patches. But with this approach, I have two concerns:
- If I set Django to >= 3.2, pip would upgrade to Django v4.0, which is not what I want. I’d rather just have pip install the latest (highest) Django 3.2.x stable release but not below Django v4.x. My question is: how do I get pip to build the latest Django v3.2.x within these parameters inside requirements.txt?
- I figure another potential problem with this approach is that new bleeding-edge packages (even those marked stable by their maintainers) could break backwards compatibility, causing administration headaches juggling cumbersome potential compatibility issues down the road as I maintain my website.
What other security best practices are worth considering in this context?
When I Google requirements.txt django there are many outdated Stack Overflow threads. When I search the official Django docs for requirements.txt, nothing comes up.
Here is my requirements.txt:
Django==3.2.5
asgiref==3.3.2
attrs==20.3.0
certifi==2020.12.5
chardet==4.0.0
dj-database-url==0.5.0
django-environ==0.4.5
django-heroku==0.3.1
gunicorn==20.0.4
heroku==0.1.4
idna==2.10
iniconfig==1.1.1
Pillow==8.3.2
pluggy==0.13.1
psycopg2==2.9.1
py==1.10.0
pytest==6.2.1
python-dateutil==1.5
python-decouple==3.4
python-dotenv==0.15.0
pytz==2021.1
requests==2.25.1
sqlparse==0.4.2
toml==0.10.2
urllib3==1.26.5
whitenoise==5.2.0
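As an added illustration (not part of the question above), the following stand-alone script evaluates the version specifiers pip accepts in a requirements.txt line (`==`, `>=`, `<`, and the PEP 440 compatible-release operator `~=`) against a constructed list of candidate release numbers, so you can see which releases `Django==3.2.5`, `Django>=3.2.5`, `Django>=3.2.5,<4.0` and `Django~=3.2.5` would each let a build pull in. The candidate version list and the function names are this example's own; it handles plain release numbers only, not pre-release or post-release tags.

```python
"""Evaluate requirements.txt-style version specifiers against candidate releases."""
import re
from typing import Iterable, List, Tuple

# Constructed sample of release numbers for the illustration (not a real index query).
CANDIDATES = ["3.2.5", "3.2.9", "3.2.20", "4.0", "4.0.1"]


def parse_version(v: str) -> Tuple[int, ...]:
    """Release segment only: "3.2.5" -> (3, 2, 5)."""
    return tuple(int(p) for p in v.strip().split("."))


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # PEP 440 treats 4.0 and 4.0.0 as equal, so pad with zeros before comparing.
    return v + (0,) * (width - len(v))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of `specifier`."""
    ver = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<|~=)\s*([0-9][0-9.]*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.group(1), parse_version(m.group(2))
        width = max(len(ver), len(target))
        a, b = _pad(ver, width), _pad(target, width)
        if op == "~=":
            # Compatible release: ~=3.2.5 means >=3.2.5 and ==3.2.*
            if len(target) < 2:
                raise ValueError("~= needs at least two version components")
            ok = a >= b and ver[: len(target) - 1] == target[:-1]
        else:
            ok = {"==": a == b, "!=": a != b, ">=": a >= b,
                  "<=": a <= b, ">": a > b, "<": a < b}[op]
        if not ok:
            return False
    return True


def allowed(requirement: str, candidates: Iterable[str] = CANDIDATES) -> List[str]:
    """Candidate versions a single requirements.txt line would permit pip to install."""
    name, spec = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", requirement).groups()
    if not spec.strip():
        return list(candidates)  # an unpinned name allows any release
    return [c for c in candidates if satisfies(c, spec)]


if __name__ == "__main__":
    for line in ["Django==3.2.5", "Django>=3.2.5", "Django>=3.2.5,<4.0", "Django~=3.2.5"]:
        print(f"{line:22} -> {allowed(line)}")
```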