
Exempt editable packages


Is your feature request related to a problem? Please describe.

We use pip-audit in the Manticore CI to check for security issues in our dependencies. This is fine for most of our development, but when we try to create a new release of Manticore, pip-audit fails. The problem is that the release PR we’re trying to check contains an incremented version number, but that version of Manticore hasn’t been published on PyPI yet, so pip-audit can’t check it for issues. Example

Describe the solution you’d like

Locally installed packages should be ignored when checking for security issues, since they may not have been published on PyPI.

Describe alternatives you’ve considered

I looked at removing the --strict flag, but this seems like a poor choice for running in a CI environment. The --local flag seems to make pip-audit only look at local packages.

Additional context

The relevant lines from our ci.yml:

    - name: Run pip-audit
      run: |
        python -m pip install .
        pip-audit --strict --desc


Top GitHub Comments

di commented, Feb 15, 2022

I’ll leave this open to track whether we want to exempt editable packages (and have updated the title accordingly).

ehennenfent commented, Feb 15, 2022

This is correct; we want to audit only the packages Manticore depends on, and not Manticore itself. #81 would work for our purposes. I wouldn’t mind having an option to ignore packages installed via pip install -e <directory>, but if that’s out of scope for pip-audit, we can close in favor of #81.
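One way to get the behaviour asked for in the issue and in the comment above without dropping `--strict`: feed pip-audit a requirements file built from `pip freeze` that leaves out the project itself (whether it was installed with `pip install .`, which pip records as a `name @ file://` direct-URL install, or with `pip install -e`). This is an added example, not code from pip-audit or from Manticore's CI; the project name `manticore`, the sample `pip freeze` output and the output file name are assumptions.

```python
# Added example (not pip-audit's or Manticore's own code): write a requirements
# file for `pip-audit -r` that omits local/editable installs and the project
# itself, so an unpublished version bump does not fail `pip-audit --strict`.
import re
import subprocess
import sys

def normalize(name):
    """PEP 503 normalisation: Manticore, manticore and manti_core compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

# `pip freeze` lines that point at a local checkout rather than a published release:
#   -e /path  or  -e git+https://...#egg=name   editable installs (`pip install -e`)
#   name @ file:///path/to/project              PEP 610 direct-URL install (`pip install .`)
EDITABLE = re.compile(r"^-e\s+")
DIRECT_URL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*@\s*file:")

def audit_lines(freeze_output, project):
    """Keep pinned, published requirements; drop local installs and the project itself."""
    keep = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if EDITABLE.match(line) or DIRECT_URL.match(line):
            continue  # local checkout: there is no PyPI release for pip-audit to look up
        name = re.split(r"[=<>!~ @\[;]", line, maxsplit=1)[0]
        if normalize(name) == normalize(project):
            continue  # the project itself, whose bumped version is not on PyPI yet
        keep.append(line)
    return keep

# Constructed sample `pip freeze` output (assumed names and paths, none of them real).
SAMPLE_FREEZE = """\
manticore @ file:///home/ci/manticore
pyyaml==6.0
-e git+https://example.invalid/org/tool.git@abc123#egg=tool
wasm==1.0.3
"""

def write_requirements(path, project, freeze_output=None):
    """Write the auditable lines to `path`; returns how many were written."""
    if freeze_output is None:  # real run: read the current environment
        freeze_output = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                                       check=True, capture_output=True, text=True).stdout
    lines = audit_lines(freeze_output, project)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)
```

In CI this would replace the `pip-audit --strict --desc` step with `write_requirements("audit-requirements.txt", "manticore")` followed by `pip-audit --strict --desc -r audit-requirements.txt`; note that in `-r` mode pip-audit resolves the pinned set itself rather than reading the active environment.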

