June 08, 2017

Analyzing Django requirement files on GitHub

Django is the most popular Python web framework. It is now almost 12 years old and is used on all kinds of different projects. From small to super large, from heavy content sites to pure API backends.

On pyup.io we really care about requirement files and dependencies. Thankfully, GitHubs data is available at BigQuery which allows us to run a query giving us access to all requirement files across public repos.*

Let's take a look at how Django is being used.

*The full dataset is available at pyupio/github-requirements. It contains all raw requirement files, a pre-processed index and the numbers for Django.

Django developers pin their requirements

Pinned or freezed requirements (Django==1.8.12) make builds predictable and deterministic. Since Django is mainly used to build end products and new major releases may contain breaking API changes, it makes sense to tell pip exactly what to install.

That's how most Django developers see it: 64% pin their requirements.

Ranged requirements (Django>=1.8,<1.9) with 24% is the second most used option. This prevents problems with new major releases but comes with a couple of problems. Builds are no longer deterministic and you can't tell which version is currently running on your servers from looking at the requirements file alone.

Unpinned requirements are unpopular, only 11% are

Django 1.8 is the most popular major release

Django 1.8 is the old LTS release and is the most widely used with 24%. A good choice for older projects, it still receives security updates until at least April 2018.

A bit worrisome are the 1.9 (14%), 1.7 (13%) and 1.6 (13%) releases on the second, third and fourth place. All of them are no longer receiving security updates, 1.7 and 1.6 went EOL over 2 years ago.

Only 2% of all Django projects are on a secure release

Among all projects, more than 60% use a Django release with one or more known security vulnerabilities. Only 2% are using a secure Django release.

On the remaining part of more than 30% it's unclear what exactly is going to be installed. That's because the Django release is either unpinned or has a range.

The Django core developers handle security issues exceptionally well. All of them have a CVE assigned and security patches are announced through multiple channels. If you are using Django in one of your projects, make sure to update regularly. If you don't want to use the latest features, stay on one of the LTS releases and keep an eye out for updates.

At pyup.io, we have multiple tools that can help you with that. The Safety command line tool warns you if you are using a dependency with known security vulnerabilities. If you are using GitHub, check out Safety CI or configure the pyup-bot to only send you security updates.

Dot Zero releases are popular

The top 10 of all Django releases contains three Dot zero releases: 1.8 on the first place, 1.7 on fourth and 1.9 on the tenth. The second most popular release is Django 1.6.5, closely followed by 1.8.4 on the third place.

The latest LTS release, 1.8.18, comes in at 49th. The latest stable release, 1.11.2, at 107th. The latest oldstable, 1.10.7, at 51th and finally the latest old-oldstable, 1.9.13, at 83rd.


All in all, it was pretty interesting to take a look at the raw numbers for a framework as mature as Django. The security chart is a bit shocking, but the chart isn't counting project activity in. It would be interesting to see how this would look like for projects segmented by a certain age and activity threshold. There are probably not so many active projects out there still using Django 1.4.

There are still some interesting questions left for a follow-up post on this. Anything I've missed? Contact me at jay@pyup.io.