Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Report yanked versions of packages
See original GitHub issueIs your feature request related to a problem? Please describe.
My requirements.txt contained a yanked version of cryptography. pip-audit did not warn about this.
Describe the solution you’d like
If possible pip-audit should (maybe optionally) warn/report yanked package versions. pip itself already warns about it when installing the package:
WARNING: The candidate selected for download or install is a yanked version: 'cryptography' candidate (version 38.0.2 at https://files.pythonhosted.org/packages/56/1e/2ffbbdddfe17308511cb2e06ac8c5aced9391dd5eea339e330a204edac34/cryptography-38.0.2-cp36-abi3-manylinux_2_28_x86_64.whl#sha256=55974e634712f7d054886a754a10c67b58e6a9d1c6c3d0d1181919e7fb336d0e (from https://pypi.org/simple/cryptography/) (requires-python:>=3.6))
Reason for being yanked: Regression in OpenSSL.
Describe alternatives you’ve considered
I did not consider any alternatives as none were obvious to me at first glance.
Additional context
Thank you for this great tool.
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:7 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I think as long as this is opt-in, it’s fine by me (since yanking does not necessarily mean there is a security issue, and this is primarily a security tool).
I took an initial stab at this (https://github.com/pypa/pip-audit/compare/ww/yanked), but a couple of issues arose:
If we change the return type of our audit steps from
Tuple[Dependency, List[VulnerabilityResult]to something likeTuple[Dependency, Yanked, List[VulnerabilityResult], we lose the (trivial) ability to turn the full audit into a mapping ofDependency => [VulnerabilityResult]viadict(...). This isn’t a huge deal, but it produces a lot of code churn (especially in the unit tests).The data model still isn’t ideal here: I’m doing a check for “yanked” status in the PyPI vulnerability source since that’s the easiest place to get it, but conceptually it belongs in dependency resolution. However, putting it there would require us to add additional network calls for some dependency resolvers (e.g. we’d have to check the simple respository API even when a requirements file is fully hashed and resolved).