PyPI Package Update Alerts

Watch any PyPI package and get notified the moment a new version is published - for security patches, version pinning, or upstream tracking.

Verid Use Cases · 3 min read · Template: pypi-new-version

The scenario

A Python service in production depends on a small number of libraries that are security-sensitive (auth, crypto, ORM). When the maintainer ships a patch release you want to know inside the hour, not on the next Dependabot daily cycle. The same applies to ML stacks, where the difference between torch==2.4 and torch==2.5 can turn into a multi-day investigation if the upgrade catches you by surprise.

The problem

PyPI doesn't push notifications. RSS feeds for packages exist but they include yanked versions, prereleases, and post-releases - and they're awkward to plumb into Slack or your incident-management tool. pip list --outdated only runs when you run it.

How Verid solves it

The PyPI JSON API at https://pypi.org/pypi/{package}/json is public, unauthenticated, and stable. The info.version field is the latest published version. Verid polls, extracts it via JSONPath, and fires when it changes.

Build the monitor

Extraction config

{
  "method": "json_path",
  "fields": {
    "latest_version": "$.info.version",
    "summary": "$.info.summary",
    "yanked": "$.info.yanked"
  }
}

Predicate

To fire on any version change:

{ "type": "field_changes", "field": "latest_version" }

To skip yanked versions (which sometimes briefly become "latest" before being removed):

{
  "type": "composite",
  "operator": "AND",
  "conditions": [
    { "type": "field_changes", "field": "latest_version" },
    { "type": "field_equals", "field": "yanked", "value": false }
  ]
}

Create the monitor

Using the template:

curl -X POST https://api.verid.dev/v1/monitors/from-template/pypi-new-version \
  -H "Authorization: Bearer vrd_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PyPI - django",
    "url": "https://pypi.org/pypi/django/json",
    "deliveries": [
      { "type": "discord", "webhookUrl": "https://discord.com/api/webhooks/..." }
    ]
  }'

SDK:

import { VeridClient } from '@verid.dev/sdk';

const client = new VeridClient({ apiKey: 'vrd_your_api_key' });

await client.monitors.createFromTemplate('pypi-new-version', {
  name: 'PyPI - django',
  url: 'https://pypi.org/pypi/django/json',
  deliveries: [
    { type: 'discord', webhookUrl: 'https://discord.com/api/webhooks/...' },
  ],
});

What the webhook delivers

{
  "id": "del_01H...",
  "fired_at": "2026-05-08T16:02:00Z",
  "diff": {
    "fields_changed": ["latest_version", "summary"],
    "before": {
      "latest_version": "5.2.1",
      "summary": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.",
      "yanked": false
    },
    "after": {
      "latest_version": "5.2.2",
      "summary": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.",
      "yanked": false
    }
  }
}

Caveats & tips

  • PyPI's info.version excludes prereleases. Beta and RC versions go into releases but info.version only reflects the latest stable. Good for production tracking; not what you want for an ecosystem-watch view.
  • Some packages republish patch versions. info.version can occasionally flip back-and-forth during a yank-and-republish. The yanked flag in the composite predicate above filters those out.
  • Pin the URL to /json. The HTML page at https://pypi.org/project/{package}/ works for browsers but isn't a stable extraction target. The JSON endpoint is.
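
The receiver logic below is an added example (not Verid's code or part of its SDK) showing how a webhook consumer could triage the delivery payload shown above and drop the yank-and-republish flip-backs described in the caveats. classifyDelivery and its helpers are hypothetical names, and the version parser assumes plain dotted numeric releases, sending anything else to manual review.

```javascript
// Added example, not Verid code: classifyDelivery and its helpers are hypothetical names.
// It reads only the diff.before / diff.after fields shown in the payload above.

// Parse a plain dotted release ("5.2.2") into integers. Anything else
// (epoch, pre/post/dev or local parts, non-strings) returns null.
function parseRelease(version) {
  if (typeof version !== 'string' || !/^\d+(\.\d+)*$/.test(version)) return null;
  return version.split('.').map(Number);
}

// Index of the first differing segment and its sign, padding with zeros
// so that "5.2" and "5.2.0" compare equal.
function firstDifference(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return { index: i, sign: y > x ? 1 : -1 };
  }
  return { index: -1, sign: 0 };
}

function classifyDelivery(payload) {
  const before = payload?.diff?.before;
  const after = payload?.diff?.after;
  if (!before || !after) return { action: 'reject', reason: 'malformed payload' };
  // Fail closed: anything other than an explicit false is treated as yanked.
  if (after.yanked !== false) return { action: 'ignore', reason: 'yanked' };

  const oldV = parseRelease(before.latest_version);
  const newV = parseRelease(after.latest_version);
  if (!oldV || !newV) return { action: 'review', reason: 'unparsed version' };

  const { index, sign } = firstDifference(oldV, newV);
  if (sign === 0) return { action: 'ignore', reason: 'version unchanged' };
  if (sign < 0) return { action: 'ignore', reason: 'version went backwards' };

  // Positional label only; not every project follows semantic versioning.
  const bump = ['major', 'minor'][index] ?? 'patch';
  return { action: 'notify', bump, from: before.latest_version, to: after.latest_version };
}

// Constructed sample mirroring the delivery shown on this page.
const sampleDelivery = {
  diff: {
    before: { latest_version: '5.2.1', yanked: false },
    after: { latest_version: '5.2.2', yanked: false },
  },
};
console.log(classifyDelivery(sampleDelivery));
```

Only the "notify" result should reach a paging channel; "review" results are worth routing to a lower-priority queue rather than dropping.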

Related use cases

For npm packages, see NPM package version tracking. For GitHub releases, see GitHub release monitoring. For broader JSON-field watch, see JSON API field monitoring.
