One way to avoid disclosing user environments to a third party is to build this 
into PyPI instead. The API could generate the warning for pip to display. 

This only covers packages on PyPI, of course, but trying to audit local and 
self-hosted packages is a fool's errand anyway IMO since there is no 
practical way for any tool to reliably know what *actually* is installed.

--
Tzu-ping Chung (@uranusjr)
uranu...@gmail.com
Sent from my iPhone

> On 12 Feb 2019, at 11:34, Wes Turner <wes.tur...@gmail.com> wrote:
> 
> Would something like this require:
> 
> - a pip extension/plugin/post-install hook API
> - a post-install hook that discloses all installed packages and versions 
> (from pypi.org, mirrors, local directory) in exchange for checking and online 
> security DB
> - a way to specify a key to e.g. pyup
> 
> GitHub and GitLab offer similar functionality:
> 
> https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
> 
> https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
> 
> https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
> 
> https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers
> 
> https://pyup.io
> 
> https://github.com/pyupio/safety-db
> 
> > pipenv check relies on safety and Safety-DB to check for known 
> > vulnerabilities in locked components
> 
> 
>> On Monday, February 11, 2019, Julian Berman <jul...@grayvines.com> wrote:
>> Hi.
>> 
>> I recently found myself installing a node.js package, and in the process 
>> noticed that (sometime recently?) it started automatically warning about 
>> known vulnerabilities during installation of package.jsons (see 
>> https://docs.npmjs.com/cli/audit).
>> 
>> At work, we run safety (https://pypi.org/project/safety/) on all our 
>> projects (which has both free and paid versions). It's great.
>> 
>> I know there's a ton of wonderful work happening at the minute to improve 
>> underlying scaffolding + specification to enable tools other than setuptools 
>> + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask 
>> anyways :) -- what are opinions on running a similar thing during pip 
>> install?
>> 
>> -J
> --
> Distutils-SIG mailing list -- distutils-sig@python.org
> To unsubscribe send an email to distutils-sig-le...@python.org
> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
> Message archived at 
> https://mail.python.org/archives/list/distutils-sig@python.org/message/GSTL47B4CREYHKOS5I47WOPQURBKTOAY/
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/UT77IM2YPV7BKHJX7N3QZJUE4TGRRP5E/
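The thread above weighs a pip-time vulnerability warning (like `npm audit` or `safety`) against the concern of sending the list of installed packages to a third party. One way to reconcile the two, which both the "post-install hook" idea and the "keep it local" objection point at, is to check the environment against a locally mirrored advisory database so nothing leaves the machine. The script below is an added illustration written for this page; it is not code from pip, PyPI, pyup or safety. It assumes a database in the Safety-DB JSON layout (package name mapping to a list of advisories, each with version `specs`), uses a deliberately simplified version comparison (release segments only, no PEP 440 pre/post/dev tags, no `~=` clauses), and all package names, versions and advisory ids in it are constructed sample data.

```python
"""Offline check of installed Python packages against a local vulnerability
database in the Safety-DB JSON layout. Nothing is sent anywhere: the
installed-package list stays on the machine and the DB is read from disk."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample DB in the Safety-DB layout; ids, CVE strings, versions
# and advisory text are made up for this example.
SAMPLE_DB_JSON = json.dumps({
    "$meta": {"advisory": "constructed sample, not real data"},
    "examplelib": [
        {"id": "example-0001", "cve": "CVE-0000-0000",
         "advisory": "examplelib before 1.2.3 mishandles input",
         "specs": ["<1.2.3"], "v": "<1.2.3"},
        {"id": "example-0002", "cve": None,
         "advisory": "examplelib 2.0 series before 2.0.5 regression",
         "specs": [">=2.0,<2.0.5"], "v": ">=2.0,<2.0.5"},
    ],
    "otherlib": [
        {"id": "example-0003", "cve": None,
         "advisory": "otherlib 0.9 exact-version issue",
         "specs": ["==0.9"], "v": "==0.9"},
    ],
})

# Constructed "installed environment" so the script runs without touching the
# real interpreter; see installed_distributions() for the live variant.
SAMPLE_INSTALLED = {"ExampleLib": "1.2.0", "otherlib": "0.9", "safelib": "3.1"}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Simplified version: dotted integers only, trailing zeros dropped so
    that 1.0 and 1.0.0 compare equal. Pre/post/dev tags raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def version_matches(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Example_Lib' and 'example-lib' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_db(raw_json: str) -> Dict[str, List[dict]]:
    """Parse the DB and key it by normalized name; skip '$meta'-style keys."""
    db = json.loads(raw_json)
    return {normalize(k): v for k, v in db.items() if not k.startswith("$")}


def find_vulnerable(installed: Dict[str, str], db: Dict[str, List[dict]]) -> List[dict]:
    """Return one finding per (package, advisory) whose specs cover the installed version."""
    findings = []
    for name, version in installed.items():
        for adv in db.get(normalize(name), []):
            if any(version_matches(version, s) for s in adv.get("specs", [])):
                findings.append({"package": name, "version": version,
                                 "id": adv.get("id"), "cve": adv.get("cve"),
                                 "advisory": adv.get("advisory")})
    return findings


def installed_distributions() -> Dict[str, str]:
    """Name -> version for the running interpreter (Python 3.8+), read locally."""
    from importlib.metadata import distributions
    return {d.metadata["Name"]: d.version
            for d in distributions() if d.metadata["Name"]}


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_INSTALLED, load_db(SAMPLE_DB_JSON)):
        print(f"WARNING: {f['package']} {f['version']} is affected by "
              f"{f['id']} ({f['cve'] or 'no CVE'}): {f['advisory']}")
```

Swapping `SAMPLE_INSTALLED` for `installed_distributions()` and `SAMPLE_DB_JSON` for a mirrored `insecure_full.json` turns this into the local, non-disclosing variant of the check discussed in the thread; a real implementation should replace `parse_version`/`version_matches` with `packaging.version` and `packaging.specifiers` to get full PEP 440 semantics.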
