How to Automatically Keep Your Python Packages Up to Date With pip-review

 Wed Nov 11, 2020, last updated Thu Mar 24, 2022 -  Jim Deibele

One way to install Python packages is with pip.

pip install django

pip installs not only the package you asked for but everything it depends on. You can also use pip to upgrade a package to its latest release. Note that by default (pip's --upgrade-strategy only-if-needed) this upgrades only the named package; its dependencies are upgraded only when the new version requires something the installed versions no longer satisfy.

pip install --upgrade django

I’d set up a cron job that would do this:

pip install --upgrade django requests pytz certifi httplib2

Eventually I added a second and third line. But there’s a better way: use pip-review.

pip-review looks over every installed package and lists the ones that have a newer release on PyPI; run with --auto it upgrades all of them without asking, and with --interactive it asks about each one. The upgrades themselves are done by pip, so the run also reports pip's dependency conflicts: one installed package requires a version of some dependency less than or equal to X while another package requires a version greater than X.

What happens then? With pip's legacy resolver (the one in the output below), pip simply installs whatever the package you just asked for requires, even when that breaks something already installed: install Package A and you get the dependency versions A wants, leaving Package B broken; install B and the situation reverses. The resolver that became the default in pip 20.3 refuses such an install instead of leaving the environment inconsistent, so the conflict blocks the upgrade rather than silently breaking a package.
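How such a conflict is detected, as an added example of my own (this is not code from pip, pip-review or this post): every installed package declares requirements, each a name plus a version specifier, and a conflict is a requirement whose specifier the installed version of that dependency does not satisfy, or a dependency that is missing entirely. The sample environment below is constructed to mirror the situation described on this page (lektor pinning Werkzeug<1, jedi pinning parso<0.8.0,>=0.7.0, newer releases of both installed); the version grammar is deliberately limited to dotted numeric versions and the operators <, <=, >, >=, ==, !=.

```python
"""Dependency-conflict check over an installed environment (added example).

Real package metadata follows PEP 440 (pre-releases, local versions, the
~= and === operators, environment markers); the `packaging` library handles
all of that and pip's own `pip check` runs this kind of check over the
metadata actually installed. Only the simple subset is implemented here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample environment: package name -> (installed version,
# declared requirements). lektor and jedi carry upper bounds that the
# installed werkzeug and parso exceed; idna is declared but not installed.
INSTALLED: Dict[str, Tuple[str, List[str]]] = {
    "lektor": ("3.2.0", ["Werkzeug<1", "Flask>=0.11"]),
    "werkzeug": ("1.0.1", []),
    "flask": ("1.1.2", ["Werkzeug>=0.15"]),
    "jedi": ("0.17.2", ["parso<0.8.0,>=0.7.0"]),
    "parso": ("0.8.0", []),
    "requests": ("2.25.0", ["certifi>=2017.4.17", "idna<3,>=2.5"]),
    "certifi": ("2020.11.8", []),
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

# (package, its version, the requirement string, installed dependency version or None)
Conflict = Tuple[str, str, str, Optional[str]]


def normalize(name: str) -> str:
    """PEP 503 normalisation: Werkzeug, werkzeug and WERKZEUG are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str, width: int) -> Tuple[int, ...]:
    """Numeric components, zero-padded so that 1 == 1.0 == 1.0.0."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (width - len(parts))


def satisfies(installed: str, specifier: str) -> bool:
    """True if `installed` meets every comma-separated clause of `specifier`."""
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:          # bare requirement: any version is fine
            continue
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, wanted = m.groups()
        width = max(installed.count("."), wanted.count(".")) + 1
        have, want = version_key(installed, width), version_key(wanted, width)
        ok = {"==": have == want, "!=": have != want,
              "<": have < want, "<=": have <= want,
              ">": have > want, ">=": have >= want}[op]
        if not ok:
            return False
    return True


def find_conflicts(env: Dict[str, Tuple[str, List[str]]]) -> List[Conflict]:
    """Every unsatisfied requirement, in the order the packages are listed."""
    by_name = {normalize(name): ver for name, (ver, _) in env.items()}
    conflicts: List[Conflict] = []
    for package, (version, requirements) in env.items():
        for requirement in requirements:
            dep, spec = _REQ_RE.match(requirement).groups()
            found = by_name.get(normalize(dep))
            if found is None or not satisfies(found, spec):
                conflicts.append((package, version, requirement, found))
    return conflicts


def format_conflict(c: Conflict) -> str:
    """Render a conflict in the wording pip uses."""
    package, version, requirement, found = c
    if found is None:
        return f"{package} {version} requires {requirement}, which is not installed."
    dep = _REQ_RE.match(requirement).group(1)
    return (f"{package} {version} requires {requirement}, but you have "
            f"{dep.lower()} {found} which is incompatible.")


if __name__ == "__main__":
    for conflict in find_conflicts(INSTALLED):
        print(format_conflict(conflict))
```

Run as a script it prints the lektor and jedi lines in the same form as the pip output further down this page, plus the missing idna. On a real environment the same check is `pip check`, which reads the Requires-Dist metadata of every installed distribution instead of a hand-written table.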

The way out is to contact the maintainer of the package that carries the tight requirement and ask for it to be relaxed. Usually that is a simple matter of them testing against the newer release of the dependency they had pinned (meaning they declared a bound such as Werkzeug<1 or parso<0.8.0 rather than accepting any version).

Remember that this is probably an unpaid side project for the maintainer! They’re going to need to test and update on their schedule, not yours.

Here’s actual output on my system from yesterday:

pip-review --auto --verbose
Collecting asgiref==3.3.1
  Downloading asgiref-3.3.1-py3-none-any.whl (19 kB)
Collecting certifi==2020.11.8
  Downloading certifi-2020.11.8-py2.py3-none-any.whl (155 kB)
     |████████████████████████████████| 155 kB 622 kB/s 
Collecting parso==0.8.0
  Using cached parso-0.8.0-py2.py3-none-any.whl (93 kB)
Installing collected packages: asgiref, certifi, parso
  Attempting uninstall: asgiref
    Found existing installation: asgiref 3.3.0
    Uninstalling asgiref-3.3.0:
      Successfully uninstalled asgiref-3.3.0
  Attempting uninstall: certifi
    Found existing installation: certifi 2020.6.20
    Uninstalling certifi-2020.6.20:
      Successfully uninstalled certifi-2020.6.20
  Attempting uninstall: parso
    Found existing installation: parso 0.7.1
    Uninstalling parso-0.7.1:
      Successfully uninstalled parso-0.7.1
ERROR: After October 2020 you may experience errors when installing or updating packages. This is because pip will change the way that it resolves dependency conflicts.

We recommend you use --use-feature=2020-resolver to test your packages with the new resolver before it becomes the default.

lektor 3.2.0 requires Werkzeug<1, but you'll have werkzeug 1.0.1 which is incompatible.
jedi 0.17.2 requires parso<0.8.0,>=0.7.0, but you'll have parso 0.8.0 which is incompatible.
Successfully installed asgiref-3.3.1 certifi-2020.11.8 parso-0.8.0

I opened an issue on GitHub for Lektor, the maintainer found a dependency that didn’t require Werkzeug<1 and I expect it will be in the next version.

I need to do the same for Jedi. Again, it’ll be up to them whether it gets fixed or not. But at least I can alert them. And you should for packages you use.
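For running pip-review unattended from cron, as in the setup described at the start of this page, here is an added wrapper of my own (not pip-review's or pip's code). It assumes the pip-review console script is on PATH and uses pip for the interpreter running the script rather than whatever `pip` cron finds first. It snapshots the environment with `pip freeze`, runs `pip-review --auto`, verifies the result with `pip check`, and reinstalls the snapshot if the check fails. The `run` parameter is an injection point for testing; the canned outputs used below are constructed.

```python
"""Cron wrapper for pip-review: upgrade, verify with pip check, roll back on conflict.

Added example, not pip-review's own code. Every external command goes through
a `run` callable returning (returncode, stdout) so the control flow can be
exercised without touching a real environment.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]


def run_cmd(argv: List[str]) -> Tuple[int, str]:
    """Run a command, capturing stdout and stderr together."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


def pip(*args: str) -> List[str]:
    """pip for the interpreter running this script, not the first `pip` on cron's PATH."""
    return [sys.executable, "-m", "pip", *args]


def pinned_lines(freeze_output: str) -> List[str]:
    """Keep only plain name==version lines from `pip freeze`.

    Editable (-e ...) and direct-URL (pkg @ url) entries cannot be restored by
    name==version and are skipped; comment lines are skipped too.
    """
    pins = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith(("-", "#")) and " @ " not in line:
            pins.append(line)
    return pins


def upgrade_and_verify(run: Runner = run_cmd) -> Dict[str, object]:
    """Upgrade everything, check the dependency graph, restore the snapshot on failure."""
    rc, freeze = run(pip("freeze"))
    if rc != 0:
        raise RuntimeError("pip freeze failed:\n" + freeze)
    pins = pinned_lines(freeze)

    rc_review, review = run(["pip-review", "--auto"])
    rc_check, check = run(pip("check"))      # non-zero when any requirement is unmet
    if rc_review == 0 and rc_check == 0:
        return {"status": "ok", "conflicts": [], "log": review}

    conflicts = check.strip().splitlines() if rc_check != 0 else []
    # --no-deps: the freeze already lists every package, so let nothing else move.
    rc_restore, restore = run(pip("install", "--no-deps", *pins)) if pins else (0, "")
    return {"status": "rolled_back" if rc_restore == 0 else "rollback_failed",
            "conflicts": conflicts,
            "log": review + check + restore}


if __name__ == "__main__":
    result = upgrade_and_verify()
    if result["status"] != "ok":              # cron mails whatever is printed
        print(result["log"])
        for line in result["conflicts"]:
            print("CONFLICT:", line)
    sys.exit(0 if result["status"] == "ok" else 1)
```

`pip check` catches a broken dependency graph, which is the failure this page is about; it says nothing about whether the newest release on PyPI is one you want. An unattended job installs whatever was most recently uploaded under each package name, so a hijacked maintainer account or a malicious release reaches the machine on the next run. For anything beyond a personal environment, review the list first (`pip-review` with no flags, or `--interactive`) and pin versions with hashes rather than auto-upgrading.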