One way to avoid disclosing user environments to a third party is to build this 
into PyPI instead. The API could generate the warning for pip to display. 

This only covers packages on PyPI, of course, but trying to audit local and 
self-hosted packages is a fool's errand anyway IMO since there is no 
practical way for any tool to reliably know what *actually* is installed.

--
Tzu-ping Chung (@uranusjr)
[email protected]
Sent from my iPhone

> On 12 Feb 2019, at 11:34, Wes Turner <[email protected]> wrote:
> 
> Would something like this require:
> 
> - a pip extension/plugin/post-install hook API
> - a post-install hook that discloses all installed packages and versions 
> (from pypi.org, mirrors, local directory) in exchange for checking and online 
> security DB
> - a way to specify a key to e.g. pyup
> 
> GitHub and GitLab offer similar functionality:
> 
> https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
>   
> https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
> 
> https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
>   
> https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers
> 
> https://pyup.io
> 
> https://github.com/pyupio/safety-db
> 
> > pipenv check relies on safety and Safety-DB to check for known 
> > vulnerabilities in locked components
> 
> 
>> On Monday, February 11, 2019, Julian Berman <[email protected]> wrote:
>> Hi.
>> 
>> I recently found myself installing a node.js package, and in the process 
>> noticed that (sometime recently?) it started automatically warning about 
>> known vulnerabilities during installation of package.jsons (see 
>> https://docs.npmjs.com/cli/audit).
>> 
>> At work, we run safety (https://pypi.org/project/safety/) on all our 
>> projects (which has both free and paid versions). It's great.
>> 
>> I know there's a ton of wonderful work happening at the minute to improve 
>> underlying scaffolding + specification to enable tools other than setuptools 
>> + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask 
>> anyways :) -- what are opinions on running a similar thing during pip 
>> install?
>> 
>> -J
> --
> Distutils-SIG mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
> Message archived at 
> https://mail.python.org/archives/list/[email protected]/message/GSTL47B4CREYHKOS5I47WOPQURBKTOAY/
--
Distutils-SIG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/[email protected]/message/UT77IM2YPV7BKHJX7N3QZJUE4TGRRP5E/
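The thread above compares two designs: a post-install hook that ships the list of installed packages to an online service (pyup/safety style), and a check that stays on the host. The following is an added example, not code from the thread, from pip, or from the safety/pyup projects: it enumerates what is installed via importlib.metadata and matches it against a vulnerability database in the shape of safety-db's insecure_full.json (package name -> list of advisories, each with a list of "specs" version ranges), entirely offline, so nothing about the environment leaves the machine. The database content, the package names (examplepkg, otherpkg) and the advisory ids are constructed for illustration; the version comparison is deliberately simplified (numeric dotted versions only, no PEP 440 pre-release or local tags), which is an assumption a real tool would replace with the packaging library.

```python
"""Offline check of installed Python distributions against a safety-db-style
vulnerability database. Added example; the database below is constructed and
the version logic is a simplification (no PEP 440 pre-releases)."""
import json
import re
from importlib import metadata

# Constructed sample, shaped after safety-db's insecure_full.json. The
# packages, advisories and ids are invented and describe no real software.
SAMPLE_DB = json.loads("""
{
  "examplepkg": [
    {"id": "pyup.io-00001", "cve": null,
     "advisory": "examplepkg before 1.4.2 is affected (constructed entry)",
     "specs": ["<1.4.2"]},
    {"id": "pyup.io-00002", "cve": null,
     "advisory": "examplepkg 2.0 through 2.0.3 is affected (constructed entry)",
     "specs": [">=2.0,<2.0.4"]}
  ],
  "otherpkg": [
    {"id": "pyup.io-00003", "cve": null,
     "advisory": "otherpkg 0.9 is affected (constructed entry)",
     "specs": ["==0.9"]}
  ]
}
""")

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*([\w.]+)$")


def parse_version(v):
    """Dotted numeric version -> tuple, with trailing zeros dropped so that
    '0.9' and '0.9.0' compare equal. Pre-release tags are ignored (assumption)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches_spec(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`,
    e.g. '>=2.0,<2.0.4'. Unknown operators raise rather than silently pass."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def normalize(name):
    """PEP 503 name normalisation so 'Example_Pkg' and 'examplepkg' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_vulnerable(installed, db):
    """installed: {name: version}. Returns [(name, version, advisory_id), ...]
    for every advisory whose specs cover the installed version."""
    index = {normalize(k): v for k, v in db.items()}
    hits = []
    for name, version in installed.items():
        for adv in index.get(normalize(name), []):
            if any(matches_spec(version, s) for s in adv["specs"]):
                hits.append((name, version, adv["id"]))
    return hits


def installed_distributions():
    """Snapshot of what this interpreter can see. This dict is exactly the
    data a post-install hook would have to disclose in the online design."""
    return {d.metadata["Name"]: d.version for d in metadata.distributions()}


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(installed_distributions(), SAMPLE_DB):
        print(f"WARNING: {name} {version} matches advisory {adv_id}")
```

The point of `installed_distributions()` is that its return value is the whole payload the online variant would send off-host; the local variant consumes it without any network call. It also only sees distributions with metadata on sys.path, which is the "no practical way to know what is actually installed" caveat in the reply above: editable installs, vendored copies and packages outside the active environment are invisible to it.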
