chore(deps): update dependency psycopg2-binary to v2.9.11 #1446
renovate-bot wants to merge 1 commit into GoogleCloudPlatform:v1 from
Conversation
/gcbrun
Code Review
This pull request updates the psycopg2-binary dependency to version 2.9.11 in both the guestbook and hello-world Django services. The reviewer recommends switching from psycopg2-binary to the source distribution psycopg2 for production environments to ensure better security and compatibility with system libraries, noting that this change requires adding build dependencies like postgresql-dev to the Dockerfile.
| @@ -1,3 +1,3 @@ | |||
| Django==4.2.9 | |||
| psycopg2-binary==2.9.9 | |||
| psycopg2-binary==2.9.11 | |||
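Review bot: the updated line `psycopg2-binary==2.9.11` is an exact pin but carries no `--hash=` entries, so pip will install whatever artifact the index serves under that version; because this file feeds a container build, consider adding `--hash=sha256:<hash taken from the 2.9.11 release>` to each requirement and installing with `pip install --require-hashes` so the downloaded wheel is verified at build time. As a side observation, the `Django==4.2.9` context line here differs from the other service's Django pin in this same PR; out of scope for this update, but worth aligning.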
For production environments, it is strongly recommended to use psycopg2 instead of psycopg2-binary. The psycopg2-binary package is meant for development and testing, as it comes with its own pre-compiled dependencies which may not be up-to-date with security patches or compatible with the system libraries.
Using the source distribution (psycopg2) ensures that it's compiled against the system's libraries in the Docker image, which is safer and more reliable for production.
This will require adding build dependencies to your Dockerfile. For an Alpine-based image, you would need to add something like this before installing the requirements:
RUN apk add --no-cache postgresql-dev gcc musl-dev
Suggested change:
psycopg2==2.9.11
References
- The psycopg2-binary package is intended for development and testing purposes, not for production use. For production, the source distribution psycopg2 should be used to ensure it is built against the system's trusted libraries, avoiding potential security vulnerabilities or incompatibilities from bundled dependencies.
| Django==4.2.10 | ||
| requests==2.31.0 | ||
| psycopg2-binary==2.9.9 | ||
| psycopg2-binary==2.9.11 |
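Review bot: this second requirements file receives the same `psycopg2-binary==2.9.11` bump as the first, yet its `Django==4.2.10` context line shows the two services already drifting (the other file pins 4.2.9), so each Renovate update has to touch both files separately. A shared constraints file applied with `pip install -c constraints.txt -r requirements.txt` would keep the common pins (psycopg2, Django) in one place and give Renovate a single line to update; the `requests==2.31.0` context line is untouched by this hunk.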
For production environments, it is strongly recommended to use psycopg2 instead of psycopg2-binary. The psycopg2-binary package is meant for development and testing, as it comes with its own pre-compiled dependencies which may not be up-to-date with security patches or compatible with the system libraries.
Using the source distribution (psycopg2) ensures that it's compiled against the system's libraries in the Docker image, which is safer and more reliable for production.
This will require adding build dependencies to your Dockerfile. For an Alpine-based image, you would need to add something like this before installing the requirements:
RUN apk add --no-cache postgresql-dev gcc musl-dev
Suggested change:
psycopg2==2.9.11
References
- The psycopg2-binary package is intended for development and testing purposes, not for production use. For production, the source distribution psycopg2 should be used to ensure it is built against the system's trusted libraries, avoiding potential security vulnerabilities or incompatibilities from bundled dependencies.
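The two review comments above describe the same change for the guestbook and hello-world services: build psycopg2 from source against the image's own libpq instead of shipping the wheel's bundled copy. The Dockerfile below is an added example written for this page, not code from the PR or the GoogleCloudPlatform repository. It assumes a `python:3.12-alpine` base, a `requirements.txt` that pins `psycopg2==2.9.11` (the source distribution) rather than `psycopg2-binary`, and a placeholder Django start command; it goes beyond the comment's single `RUN apk add` line by using a multi-stage build so the compiler and headers never reach the runtime image, and by adding a smoke test that fails the build if the compiled module cannot find the system libpq.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the PR or the repository it targets).
# Stage 1: compile psycopg2 against Alpine's PostgreSQL client headers.
FROM python:3.12-alpine AS build

# Build-time dependencies named in the review comment: libpq headers,
# a C compiler and the musl C library headers. They stay in this stage only.
RUN apk add --no-cache postgresql-dev gcc musl-dev

WORKDIR /app
# Assumption: requirements.txt pins psycopg2==2.9.11, not psycopg2-binary.
COPY requirements.txt .
# Install into a separate prefix so the runtime stage can copy just the
# resulting site-packages and console scripts.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Stage 2: runtime image with the shared libpq client library only.
FROM python:3.12-alpine

# libpq is the only PostgreSQL component the compiled extension needs at
# runtime; no headers, no compiler, so the image surface stays small.
RUN apk add --no-cache libpq

COPY --from=build /install /usr/local

# Smoke test: importing the extension resolves libpq.so from the system.
# If the runtime library were missing, this RUN fails and so does the build,
# which is the failure mode a bundled-libpq wheel would have hidden.
RUN python -c "import psycopg2, psycopg2.extensions; \
    print('compiled against libpq', psycopg2.__libpq_version__, \
          'running with libpq', psycopg2.extensions.libpq_version())"

WORKDIR /app
COPY . .

# Placeholder start command; substitute the service's real entrypoint.
CMD ["python", "manage.py", "runserver", "0.0.0.0:8080"]
```

The printed pair of version numbers is the check a practitioner wants after the switch: with the source build both values come from the image's own libpq, so an `apk upgrade libpq` in a rebuilt image updates what psycopg2 actually runs against, whereas a `psycopg2-binary` wheel would keep using the copy frozen into the wheel regardless of what the base image patches.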
This PR contains the following updates:
==2.9.9 → ==2.9.11
Release Notes
psycopg/psycopg2 (psycopg2-binary)
v2.9.11Compare Source
v2.9.10Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.