Here are the answers to some of the most common questions we hear from our customers.

General Questions

Our free plan is for non-commercial, open-source projects. You can create a PyUp account and add your public GitHub repositories, in addition to using our free Safety CLI and PyUp CLI tools to manage dependencies.

However, if you are using PyUp for a commercial project, or if you want to gain access to our real-time, up-to-date vulnerability database, then you will need a paid PyUp account.

Our free Safety DB can be used for non-commercial, open-source projects and is updated once a month.

PyUp’s commercial Safety database, on the other hand, is updated as soon as new vulnerabilities are discovered. If you are on a paid plan using our GitHub integration, or using our command-line tools with your API Key, then you will gain access to this commercial database.

If you are working on a commercial project, then you must open a paid business account. This will give you an API key with which you can use the Safety command line tool. Pricing starts at $99 USD per month (paid yearly) or $119 USD per month (paid monthly).

No; you must open a paid business account and use the commercial Safety database.

Requests for support can be submitted by email to support@pyup.io. If necessary, a phone call or video conference call can follow. As an enterprise customer, all your requests for support will get the highest priority. PyUp has staff in various time zones across the globe, so response should be fast.

For CI environments, the recommended way to use PyUp Safety is to pip install it before any other package and then run it against a static requirements file.

Seventy-nine percent of the vulnerabilities in our database come from monitoring the changelogs of two hundred and forty thousand Python libraries on pypi.org (and counting). The initial identification is automated, and the subsequent assessment is manual.

The other twenty-one percent of the vulnerabilities in our database are Python-specific CVEs that we get from MITRE. These end up in our database by default; no manual assessment takes place, although the process is monitored by PyUp staff.

Python vulnerabilities that are OS-specific presently do not get included in our database.

PyUp does not receive any private data from its PyUp Safety users other than their IP address and the time that they request an up-to-date copy of the entire PyUp Safety database. The PyUp Safety client locally checks against this up-to-date copy and then reports which dependencies have known vulnerabilities. From PyUp's view, this process can be described as "pull" and "on demand".

There is also the "push" and "continuous" option, which stores an up-to-date, on-premises copy of the entire PyUp vulnerabilities database on the server of a customer whenever a new vulnerability is added by PyUp staff. With this option, no requests are ever received by PyUp.

All PyUp data is stored on an “us-east-2” AWS instance, located in Ohio.

Pricing & Accounts

Yes; we offer custom licensing and SLAs, as well as on-premises versions of PyUp and our commercial vulnerability database. Please contact us at enterprise@pyup.io to discuss our enterprise accounts.

We do not give discounts to for-profit startups. If you are running a nonprofit, please get in touch with us at support@pyup.io to discuss potential discounts. And if you are running an open-source, non-commercial project, then PyUp is completely free.

PyUp is free for projects that are open-source and non-commercial and can use our basic GitHub integration, GitHub Safety CI, and free security database. Other projects (those that are commercial, require an API key or our commercial-grade security database, and so on) will require a paid account.

Yes. All plans are pro-rated, so you can switch or cancel at any time.


No; you must open a paid business account and use the commercial Safety database.

Yes. If you want access to our live, up-to-date, commercial-grade vulnerability database for reselling purposes (e.g. you plan to sell this service to your own customers), please get in touch with us at support@pyup.io.

Custom agreements are offered for our enterprise customers based on their needs and based on what we can reasonably offer. PyUp makes no promises about never missing a vulnerability, but can discuss an agreement around remedying issues (such as missing vulnerabilities) within one business day.

Dependency Best Practices

No. Dependencies are written by people like you, and they may change an API, introduce new bugs, or pull in new dependencies. Rather than automating these processes, you should at least read the change log carefully and test your code against the new release.

When you are using very old releases, you'll have a hard time tracking down what the problem is when things break. The problem will get really bad when your very old dependency pulls in other dependencies that you rely on and expects them to be newer than what you are currently using. Then, this other dependency may break your code somewhere else, so you'll need to track that problem down, too. This can lead to a tangled mess very quickly, so it's generally a good idea to update frequently.

If you are building a project as an end product, then yes.

But if you are building a third-party library that others will rely on, then no.


Learn more about our Safety and PyUp command-line tools by reading our documentation.

Contact Us

For general support, get in touch with us at support@pyup.io. If you have questions about our enterprise solutions, get in touch at enterprise@pyup.io.

Ready to get started?

Create an account now

Create an account