# OS Update Checker
Read-only, cross-platform package update checker. Auto-detects the available package manager, lists upgradable packages, fetches changelogs, and classifies risk (security, moderate, low). Designed to give enough context to approve or defer an upgrade confidently.
## Supported Package Managers

| OS / Runtime | Package Manager |
|---|---|
| Debian / Ubuntu / Mint | `apt` |
| Fedora / RHEL 8+ / Rocky / Alma | `dnf` |
| CentOS 7 / RHEL 7 | `yum` |
| Arch / Manjaro / EndeavourOS | `pacman` / `checkupdates` |
| openSUSE Leap / Tumbleweed / SLES | `zypper` |
| Alpine Linux | `apk` |
| macOS / Linux (Homebrew) | `brew` |
| Node.js (global npm packages) | `npm` |
## Usage

```bash
# Human-readable summary with changelogs (auto-detects OS)
python3 scripts/check_updates.py

# JSON output (for dashboards, cron jobs, integrations)
python3 scripts/check_updates.py --format json

# Skip changelogs, quick count only
python3 scripts/check_updates.py --no-changelog
```
## Risk Classification

- 🔴 **security** — source repo contains a security indicator
- 🟡 **moderate** — critical package (kernel, openssh, openssl, sudo, curl, bash, etc.)
- 🟢 **low** — standard maintenance update
## How It Works

1. **Detects** the available package manager from PATH (apt → dnf → yum → pacman → zypper → apk → brew)
2. **Lists** upgradable packages using the appropriate read-only command
3. **Validates** each package name against a per-backend allowlist regex before any further use
4. **Fetches** the most recent changelog entry per package (apt: `apt changelog`; dnf/yum: `rpm --changelog`; others: package info)
5. **Reports** in text or JSON format
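The listing and classification steps above, as an added example that is not the project's own code: it parses constructed `apt list --upgradable` lines (only the apt backend is shown) and assigns the README's three risk levels, with a security source repo outranking the critical-package check. The regex, the `CRITICAL` set, the function names and the sample lines are assumptions.

```python
"""Parse `apt list --upgradable` output and classify each upgrade's risk.

Added example, not the project's own code. Risk levels follow the README
(security / moderate / low); everything else here is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of `apt list --upgradable`:
#   name/suite new-version arch [upgradable from: old-version]
APT_LINE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.-]*)/(?P<suite>\S+)\s+(?P<new>\S+)\s+\S+"
    r"\s+\[upgradable from:\s+(?P<old>[^\]]+)\]$"
)

# Packages whose updates deserve a closer look even without a security tag
# (assumed set, modelled on the README's examples).
CRITICAL = {"openssh-server", "openssh-client", "openssl", "sudo", "curl", "bash"}
CRITICAL_PREFIXES = ("linux-image", "linux-headers")


@dataclass(frozen=True)
class Update:
    name: str
    suite: str
    old: str
    new: str
    risk: str


def classify(name: str, suite: str) -> str:
    """Security repos (e.g. jammy-security) outrank the critical-package check."""
    if "security" in suite.lower():
        return "security"
    if name in CRITICAL or name.startswith(CRITICAL_PREFIXES):
        return "moderate"
    return "low"


def parse_apt_upgradable(output: str) -> list[Update]:
    """Return one Update per matching line; header and warning lines are skipped."""
    updates: list[Update] = []
    for line in output.splitlines():
        m = APT_LINE.match(line.strip())
        if not m:  # "Listing... Done" and similar noise
            continue
        updates.append(
            Update(m["name"], m["suite"], m["old"], m["new"], classify(m["name"], m["suite"]))
        )
    return updates


def summarize(output: str) -> dict[str, int]:
    """Count upgradable packages per risk level."""
    counts = {"security": 0, "moderate": 0, "low": 0}
    for u in parse_apt_upgradable(output):
        counts[u.risk] += 1
    return counts


# Constructed sample output (not captured from a real host).
SAMPLE = """Listing... Done
openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
sudo/jammy-updates 1.9.9-1ubuntu2.4 amd64 [upgradable from: 1.9.9-1ubuntu2.3]
libxml2/jammy-updates 2.9.13+dfsg-1ubuntu0.4 amd64 [upgradable from: 2.9.13+dfsg-1ubuntu0.3]
"""

if __name__ == "__main__":
    for u in parse_apt_upgradable(SAMPLE):
        print(f"{u.risk:9} {u.name:12} {u.old} -> {u.new}")
    print(summarize(SAMPLE))
```

Running the block prints one line per package and the per-level counts; the same `Update` records are what a `--format json` report would serialize.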
## Security Design

- `subprocess` is used exclusively with `shell=False` — arguments are passed as a list, never interpolated into a shell string
- Package names are validated against per-backend allowlist patterns before use in commands
- All exceptions are caught by specific type — no bare `except`
- Read-only commands only — no installs, no writes, no service restarts
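The two controls above (per-backend allowlist, argv lists with `shell=False`) as an added example that is not the project's own code. Each allowlist is matched with `fullmatch`, so a name cannot carry spaces, shell metacharacters or a leading `-` (which the tool might read as an option) into the command line, and the package name is always appended as its own argv element. The patterns, the command table (built from the read-only commands the README lists) and the function names are assumptions.

```python
"""Validate package names per backend and build argv lists for changelog lookups.

Added example, not the project's own code. Allowlist patterns, the command
table and helper names are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
import subprocess

# Per-backend allowlists. Matched with fullmatch(), so the whole name must
# consist of these characters; nothing after a space or metacharacter survives.
NAME_PATTERNS: dict[str, re.Pattern[str]] = {
    "apt":    re.compile(r"[a-z0-9][a-z0-9+.-]{1,127}"),
    "dnf":    re.compile(r"[A-Za-z0-9][A-Za-z0-9+._-]{0,127}"),
    "pacman": re.compile(r"[a-z0-9][a-z0-9@._+-]{0,127}"),
    "zypper": re.compile(r"[A-Za-z0-9][A-Za-z0-9+._-]{0,127}"),
    "apk":    re.compile(r"[a-z0-9][a-z0-9+._-]{0,127}"),
    "brew":   re.compile(r"[a-z0-9][a-z0-9@._+/-]{0,127}"),
    "npm":    re.compile(r"(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]{0,213}"),
}

# Read-only changelog/info commands as argument lists (the commands the README
# names). The validated package name is appended as a separate element.
CHANGELOG_ARGV: dict[str, list[str]] = {
    "apt":    ["apt", "changelog"],
    "dnf":    ["rpm", "-q", "--changelog"],
    "pacman": ["pacman", "-Si"],
    "zypper": ["zypper", "info"],
    "apk":    ["apk", "info"],
    "brew":   ["brew", "info"],
}


class InvalidPackageName(ValueError):
    """Raised when a name fails its backend's allowlist."""


def validate_name(backend: str, name: str) -> str:
    """Return `name` unchanged if it matches the backend allowlist, else raise."""
    pattern = NAME_PATTERNS.get(backend)
    if pattern is None:
        raise ValueError(f"unknown backend {backend!r}")
    if not pattern.fullmatch(name):
        raise InvalidPackageName(f"{backend}: rejected package name {name!r}")
    return name


def changelog_argv(backend: str, name: str) -> list[str]:
    """Argv for fetching one package's changelog; never a shell string."""
    base = CHANGELOG_ARGV.get(backend)
    if base is None:
        raise ValueError(f"no changelog command for backend {backend!r}")
    return [*base, validate_name(backend, name)]


def fetch_changelog(backend: str, name: str, timeout: float = 30.0) -> str | None:
    """Run the read-only command with shell=False; None on an expected failure."""
    argv = changelog_argv(backend, name)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except FileNotFoundError:  # backend binary not on PATH
        return None
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout


if __name__ == "__main__":
    print(changelog_argv("apt", "openssl"))
    for bad in ("openssl foo", "$(id)", "-oAPT::Foo=bar"):
        try:
            changelog_argv("apt", bad)
        except InvalidPackageName as exc:
            print("rejected:", exc)
```

Only `FileNotFoundError`, `TimeoutExpired` and a non-zero exit are treated as expected failures; anything else propagates, matching the "no bare `except`" rule.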
## System Access

- **Commands (read-only):** `apt list`, `apt changelog`, `dnf check-update`, `rpm -q --changelog`, `yum check-update`, `pacman -Qu`, `pacman -Si`, `zypper list-updates`, `zypper info`, `apk list`, `apk info`, `brew outdated`, `brew info`, `npm outdated -g --json`
- **Network:** Outbound HTTPS to distribution changelog servers (apt); outbound HTTPS to `registry.npmjs.org` (npm); others use local package metadata
- **No file writes**
## Requirements

- Python 3.10+
- One supported package manager available on PATH