Would something like this require:

- a pip extension/plugin/post-install hook API
- a post-install hook that discloses all installed packages and versions (from pypi.org, mirrors, local directory) in exchange for checking an online security DB
- a way to specify a key to e.g. pyup
GitHub and GitLab offer similar functionality:

https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers

https://pyup.io
https://github.com/pyupio/safety-db

> pipenv check relies on safety and Safety-DB to check for known vulnerabilities in locked components

On Monday, February 11, 2019, Julian Berman <jul...@grayvines.com> wrote:
> Hi.
>
> I recently found myself installing a node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see https://docs.npmjs.com/cli/audit).
>
> At work, we run safety (https://pypi.org/project/safety/) on all our projects (which has both free and paid versions). It's great.
>
> I know there's a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask anyways :) -- what are opinions on running a similar thing during pip install?
>
> -J
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/GSTL47B4CREYHKOS5I47WOPQURBKTOAY/
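As an added example that is not part of this thread, nor code from pip, safety or pyup: a minimal version of the post-install check discussed above, which snapshots the installed packages with importlib.metadata and matches them against a local safety-db-style advisory list instead of sending the inventory to an online service. The advisory entries, package names and ids are constructed placeholders, and the version matching is a simplified comparison rather than full PEP 440.

```python
import operator
import re
from importlib import metadata

# Constructed sample advisories in the safety-db shape (package -> [{"specs", "v", "advisory", "id"}]);
# names, ranges and ids are placeholders for illustration, not real vulnerabilities.
SAMPLE_DB = {
    "examplelib": [{"specs": ["<1.2.0"], "v": "<1.2.0",
                    "advisory": "placeholder advisory text", "id": "EXAMPLE-0001"}],
    "otherlib": [{"specs": [">=2.0,<2.3.1"], "v": ">=2.0,<2.3.1",
                  "advisory": "placeholder advisory text", "id": "EXAMPLE-0002"}],
}
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def _key(version):
    """Simplified version key ('1.10.2' -> (1, 10, 2)); leading digits only, trailing zeros dropped."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in re.split(r"[.\-+]", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def matches_spec(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=2.0,<2.3.1'."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.\-+]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_key(version), _key(bound)):
            return False
    return True

def find_vulnerable(installed, db):
    """installed: {name: version}. Returns [(name, version, advisory id)] for every match."""
    hits = []
    for name, version in installed.items():
        for adv in db.get(name.lower(), []):
            if any(matches_spec(version, s) for s in adv["specs"]):
                hits.append((name, version, adv["id"]))
    return hits

def installed_packages():
    """Snapshot of the current environment, as a post-install hook would collect it."""
    return {d.metadata.get("Name").lower(): d.version
            for d in metadata.distributions() if d.metadata and d.metadata.get("Name")}

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(installed_packages(), SAMPLE_DB):
        print(f"WARNING: {name}=={version} matches advisory {adv_id}")
```

Against a real environment the sample DB matches nothing; swap in a downloaded copy of safety-db's `insecure_full.json` to get actual results.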