New submission from Andrew Pennebaker:
Compared to pip, NPM warns users when a dependency subtree that is about to be
installed includes known vulnerabilities. This helps devs catch security
issues earlier, so they can update or replace critical dependencies.
Similarly, the dependency-check pip package offers the ability to detect pip
dependencies with known vulnerabilities.
https://pypi.org/project/dependency-check/
Now that we have a workaround for warning on vulnerable pip packages, let's
move this logic into the default pip install code, so that all Python devs are
alerted to vulnerable dependencies.
--
messages: 346072
nosy: Andrew Pennebaker
priority: normal
severity: normal
status: open
title: pip: Warn on vulnerable packages
type: security
___
Python tracker
<https://bugs.python.org/issue37343>
___
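The check the submission asks pip to perform, in outline, is "match every package that is about to be installed against an advisory feed and warn before anything is written to disk". The following is an added example of that matching step, written for this page; it is not code from the post, from pip, or from the dependency-check package. It assumes an advisory feed in a simplified OSV-like shape with `introduced`/`fixed` version ranges, and the package names, advisory identifiers and version numbers in it are constructed for illustration. It also deliberately treats an unpinned requirement as something that cannot be assessed yet, which is the case a real pre-install hook must handle once the resolver has produced exact versions.

```python
"""Minimal "audit before install" check (added example, not pip's own code).

Takes the pinned requirements an installer is about to install and matches
them against a local advisory list using OSV-style [introduced, fixed)
version ranges. The advisory data below is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory feed in a simplified OSV-like shape. Package names,
# identifiers, summaries and version numbers are invented for illustration.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-0001", "package": "examplepkg",
     "ranges": [{"introduced": "0", "fixed": "1.4.2"}],
     "summary": "constructed: deserialisation flaw fixed in 1.4.2"},
    {"id": "EXAMPLE-0002", "package": "examplepkg",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.0.5"}],
     "summary": "constructed: regression in the 2.0 series"},
    {"id": "EXAMPLE-0003", "package": "othertool",
     "ranges": [{"introduced": "0"}],  # no "fixed": every version affected
     "summary": "constructed: unfixed issue affecting every version"},
]


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation so 'Example_Pkg' and 'example-pkg' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a plain release version such as '1.4.2' into a comparable tuple.

    Trailing zero segments are dropped so that '1.4' == '1.4.0', as in PEP 440.
    Pre-release and local suffixes are out of scope here and are rejected.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version: str, rng: Dict[str, str]) -> bool:
    """True when version lies in [introduced, fixed); a missing 'fixed' is open-ended."""
    v = parse_version(version)
    if v < parse_version(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def parse_pin(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Parse one requirements line. Returns (name, version) for an exact '=='
    pin, (name, None) for anything else that names a package, None for blanks."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)", line)
    if m:
        return normalize_name(m.group(1)), m.group(2)
    name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return (normalize_name(name.group(0)), None) if name else None


def audit(requirements: List[str], advisories: List[Dict] = ADVISORIES):
    """Return (findings, unassessable).

    findings: (name, version, advisory id, summary) for each matching advisory.
    unassessable: names that had no exact pin and so cannot be checked yet.
    """
    by_pkg: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_pkg.setdefault(normalize_name(adv["package"]), []).append(adv)
    findings, unassessable = [], []
    for line in requirements:
        parsed = parse_pin(line)
        if parsed is None:
            continue
        name, version = parsed
        if version is None:
            unassessable.append(name)
            continue
        for adv in by_pkg.get(name, []):
            if any(in_range(version, r) for r in adv["ranges"]):
                findings.append((name, version, adv["id"], adv["summary"]))
    return findings, unassessable


# Constructed requirements, standing in for what the resolver is about to install.
REQUIREMENTS = [
    "# constructed sample input",
    "ExamplePkg==2.0.3",   # inside the 2.0.0 <= v < 2.0.5 range
    "othertool==3.1",      # open-ended advisory covers every version
    "cleanlib==0.9",       # no advisories on file
    "unpinned-lib>=1.0",   # no exact version yet, so it cannot be assessed
]


def main() -> int:
    """Print warnings; a non-zero exit code lets a wrapper refuse the install."""
    findings, unknown = audit(REQUIREMENTS)
    for name, ver, aid, summary in findings:
        print(f"WARNING: {name}=={ver} is affected by {aid}: {summary}")
    for name in unknown:
        print(f"NOTE: {name} has no exact pin; audit it after resolution")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Two design points matter if this were wired into an installer. First, the audit has to run after resolution and before installation, because only then are exact versions known for every node of the subtree; that is why unpinned entries are reported separately instead of silently passing. Second, the fixed version is excluded from the affected range, so a pin at exactly the fixed release is clean, while an advisory with no fixed release matches every version.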