A curated database of insecure Python packages
What is Safety DB?
Safety DB is a database of known security vulnerabilities in Python packages. The data is made available by pyup.io and synced with this repository once per month. Most of the entries are found by filtering CVEs and changelogs for certain keywords and then manually reviewing them.
- Safety CI is a deep GitHub integration that's available on pyup.io. It checks your commits and Pull Requests.
- Safety is a command line tool that checks virtualenvironments and requirement files either locally or on a CI server.
- Safety Django is a package for Django that warns you in the admin area if your installed Django release is insecure.
- Safety Bar (alpha) is a macOS menubar application.
- A pre-commit hook by Lucas Cimon.
pipenv checkrelies on
safetyand Safety-DB to check for known vulnerabilities in locked components
- your tool?
pip install safety-db
from safety_db import INSECURE, INSECURE_FULL
What is this not?
This is not a hall of shame, or a list of packages to avoid. The package maintainers show a great responsibility by documenting and fixing security issues in such a way that they can be listed here. That's extremely valuable when considering using a package in production.
Using this data
- There's a small website available that lets you browse the data: https://pyupio.github.io/safety-db/
Check out the
- insecure.json contains just the package name and all insecure releases as a plain list.
- insecure_full.json additionally contains the CVE description and URLs, or the relevant part of the changelog.
The database is licensed under CC BY-NC-SA 4.0. This allows you to use the data in any non commercial project as long as you link back to this repo. If you need a license for a commercial project, please contact firstname.lastname@example.org.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for safety_db-2021.7.17-py2.py3-none-any.whl