
Using pip list, I have just discovered that I have pycrypto installed in a container running in production. Since this library hasn't been updated since 2013 and has at least one un-patched CVE, I'd like to figure out what package I'm installing that is installing this as a dependency, because it's probably outdated and unmaintained as well. My requirements.txt has 60 dependencies (and pycrypto is not one of them), so I don't want to check them all manually.

Is there a way to do this or do I have to spin up a new Ubuntu install, install my dependencies one by one and see which one adds pycrypto?

Boris Verkhovskiy
  • Have you tried `pip show`? If you go the route of having to check each dependency manually, you may not have to fully install each package. There are a number of SO questions about listing dependencies of a package without installing, for example: https://stackoverflow.com/questions/11147667/is-there-a-way-to-list-pip-dependencies-requirements , https://stackoverflow.com/questions/9232568/identifying-the-dependency-relationship-for-python-packages-installed-with-pip – chris Sep 29 '20 at 19:22
  • https://stackoverflow.com/search?q=%5Bpip%5D+reverse+dependencies – phd Sep 29 '20 at 20:08
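Added example (not from the question or the commenters): the reverse-dependency lookup can be done from inside the container with nothing but the standard library, since every installed distribution ships its `Requires-Dist` metadata. The script below reads that metadata through `importlib.metadata` (Python 3.8+), finds every distribution that requires the target, and then walks upward to the top-level roots, which is what you actually want to match against `requirements.txt`. It is exercised on a constructed, entirely hypothetical dependency graph (`legacy-crypto-shim`, `widget-client`, `fancy-tool` are made-up names, not real packages); `installed_requirements()` swaps in the live environment.

```python
"""Reverse-dependency lookup over installed Python distributions.

Answers "which installed package requires <target>?" and walks the chain up
to the top-level packages, so the culprit can be matched against requirements.txt.
"""
import re
import sys
from importlib import metadata

# A requirement string ("pycrypto (>=2.6) ; extra == 'x'") starts with the
# project name; everything after it is version spec, extras or markers.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name):
    """PEP 503 normalisation so PyCrypto, pycrypto and py_crypto compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Extract and normalise the project name from a Requires-Dist string."""
    m = _NAME_RE.match(spec)
    return canonical(m.group(1)) if m else None


def reverse_deps(target, requirements):
    """Direct dependants of `target`.

    requirements: {distribution name: [Requires-Dist strings]}.
    Returns a sorted list of (distribution, requirement string) pairs. The raw
    requirement string is kept because an `extra ==` marker means the dependency
    is only pulled in when that extra was requested at install time.
    """
    want = canonical(target)
    hits = []
    for dist, reqs in requirements.items():
        for spec in reqs:
            if requirement_name(spec) == want:
                hits.append((dist, spec.strip()))
    return sorted(hits)


def chains_to_roots(target, requirements):
    """All paths from `target` up to distributions nothing else requires.

    Each path is [target, dependant, dependant-of-dependant, ..., root]; the
    last element is the top-level package to look for in requirements.txt.
    Nodes already on the path are skipped so dependency cycles terminate.
    """
    parents = {}
    for dist, reqs in requirements.items():
        for spec in reqs:
            dep = requirement_name(spec)
            if dep:
                parents.setdefault(dep, set()).add(canonical(dist))

    results = []

    def walk(node, path):
        ups = parents.get(node, set()) - set(path)
        if not ups:
            results.append(path)
            return
        for up in sorted(ups):
            walk(up, path + [up])

    start = canonical(target)
    walk(start, [start])
    return results


def installed_requirements():
    """Read Requires-Dist metadata for every distribution in this environment."""
    return {d.metadata["Name"]: list(d.requires or []) for d in metadata.distributions()}


# Constructed sample graph with hypothetical package names (not real projects).
SAMPLE = {
    "pycrypto": [],
    "legacy-crypto-shim": ["pycrypto (>=2.6)"],
    "widget-client": ["legacy-crypto-shim", "requests (>=2.0)"],
    "requests": ["urllib3", "certifi"],
    "urllib3": [],
    "certifi": [],
    "fancy-tool": ['pycrypto ; extra == "legacy"', "widget-client"],
}


if __name__ == "__main__":
    # Usage inside the container: python revdeps.py pycrypto
    target = sys.argv[1] if len(sys.argv) > 1 else "pycrypto"
    reqs = installed_requirements()
    for dist, spec in reverse_deps(target, reqs):
        print(f"{dist} requires: {spec}")
    for chain in chains_to_roots(target, reqs):
        print(" <- ".join(chain))
```

On the sample graph the script reports that `pycrypto` is required directly by `legacy-crypto-shim` and (only via an extra) by `fancy-tool`, and that both chains end at `fancy-tool`, the package you would then look up in `requirements.txt`. Two caveats when running it for real: a dependant listed only under an `extra ==` marker did not necessarily cause the install, and if `pycrypto` turns out to have no dependants at all it was most likely installed directly (by a base image layer or a `pip install` in the Dockerfile) rather than pulled in transitively. Modern pip also prints a `Required-by:` line in `pip show pycrypto`, which gives the direct dependants but not the walk to the root.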

0 Answers