New submission from Andrew Pennebaker <andrew.penneba...@gmail.com>:
Compared to pip, NPM warns users when a dependency subtree that is about to be installed includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies.

Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities.

https://pypi.org/project/dependency-check/

Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted on vulnerable dependencies.

----------
messages: 346072
nosy: Andrew Pennebaker
priority: normal
severity: normal
status: open
title: pip: Warn on vulnerable packages
type: security

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37343>
_______________________________________
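As an added illustration of the kind of pre-install check the submission asks for, the following Python is example code written for this page; it is not pip's code and not the dependency-check package's code. It assumes a resolver has already produced the list of (name, version) pairs about to be installed, matches them against an advisory feed, and returns warnings instead of silently proceeding. The advisory entries and their EXAMPLE-000x identifiers are constructed for the demo, and the version comparison is deliberately simplified to numeric dotted versions rather than full PEP 440.

```python
"""Warn when a resolved dependency set contains versions covered by a
known advisory. Illustrative example only, not pip's or dependency-check's
implementation; the advisory data below is constructed."""
import re

# Constructed advisory feed. IDs, packages and ranges are made up for the
# example and do not refer to real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "affected": "<1.2.4",
     "summary": "constructed: unsafe deserialization"},
    {"id": "EXAMPLE-0002", "package": "other-lib", "affected": ">=2.0,<2.3.1",
     "summary": "constructed: path traversal"},
]


def normalize_name(name):
    """PEP 503 project-name normalization: lowercase, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Simplified parser: numeric dotted versions only (not full PEP 440)."""
    return tuple(int(part) for part in v.split("."))


def _compare(a, b):
    """Compare two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def version_in_range(version, spec):
    """True if version satisfies every comma-separated clause in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*([\d.]+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_compare(v, parse_version(bound))):
            return False
    return True


def find_vulnerable(resolved, advisories=ADVISORIES):
    """resolved: list of (name, version) pairs the installer is about to
    install. Returns (name, version, advisory_id, summary) for each match."""
    hits = []
    for name, version in resolved:
        for adv in advisories:
            if normalize_name(adv["package"]) != normalize_name(name):
                continue
            if version_in_range(version, adv["affected"]):
                hits.append((name, version, adv["id"], adv["summary"]))
    return hits


def format_warnings(hits):
    """Render matches as the warning lines an installer would print."""
    return [f"WARNING: {n}=={v} is affected by {i} ({s})" for n, v, i, s in hits]


if __name__ == "__main__":
    # Constructed resolved set, as a resolver might produce before installing.
    resolved = [("examplelib", "1.2.3"), ("other_lib", "2.3.1"), ("safe", "0.1")]
    for line in format_warnings(find_vulnerable(resolved)):
        print(line)
```

The name normalization matters in practice: an advisory for "other-lib" must still match a requirement spelled "other_lib", otherwise the warning is silently skipped. In a real installer the advisory feed would be fetched from a maintained source and parsed with a full PEP 440 implementation; the structure of the check stays the same.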