Should I update Python modules?

Question

I'm developing a personal program and sometimes I think it would be a good idea to update the Python modules used in the program but I don't want the program to stop working because of updated functions on the updated modules or something like that. So, since when I started making the program (1 year ago), I've never updated the modules and keep all the installers inside one of the folders of the program to be able to install the correct version of each one (with an automatic installer I made to be faster when installing them). Am I doing right or is this a bad idea? I just don't want to have to reprogram many things in my program if the functions, classes,... of the modules are updated. Does this happen or they will always work? Btw, I'm a Python beginner.

Answer 1

You should definitely look into updating your modules if they have known vulnerabilities. A quick Google of tools that might help you with this turned out a couple of interesting hits:

• OWASP Dependency Check
• safety
• OSS Index

Typically open source software use semantic versioning (or semver) to provide some idea on how upgrading to a specific version will affect you. Specifically the guidelines for what "part" of the version to change depends on how backwards-compatible the change is going to be:

Given a version number MAJOR.MINOR.PATCH, increment the:

• MAJOR version when you make incompatible API changes,
• MINOR version when you add functionality in a backwards-compatible manner, and
• PATCH version when you make backwards-compatible bug fixes.

Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.

But then again, this will always be left to the discretion of the author of the module so I suggest that you start taking time to write unit tests for your code. This way, you'll quickly be able to see if an upgrade to one of the modules will break your code. This should be a good starting point for a list of tools that may help you with writing your tests.

If you do decide to upgrade, make sure that you are following good practices in making sure that you specify the correct versions of your dependencies properly and colidyre's answer should help you with that.

Answer 2

Updating the modules can of course lead to corrupt code in your project. The module may of course have rewritten functions or classes, removed deprecated code, etc. in another version.

One possible approach would be to create a virtual environment for the project, as already proposed by roganjosh. Here is a helpful link: http://docs.python-guide.org/en/latest/dev/virtualenvs/ .

In this virtual environment you can record your modules in the current versions in a requirements file. This is often done and I think it is also a good practice. An additional advantage of this is that by simply changing the version number in the requirements file you can try out whether a newer version crashes your program or not (of course you can certainly also read the module's documentation, "breaking changes" or similar). Another disadvantage is that the project can only be updated at great expense at some point (too many changes at once). You could then successively update one module after the other and see whether project code needs to be changed here and there.

If you just want to run your project and there are no security concerns, then it's probably enough to fix the versions and that's it.