scan without resolving/downloading dependencies
Maybe I'm misunderstanding, but it seems that pip-audit cannot scan the contents of a requirements file in the simplest way imaginable: for each entry, check if the specified version has known vulnerabilities.
Currently, running against a requirements file with exclusively exact version matches (foo==x.y), like this
$ pip-audit -r requirements.txt
… downloads and (temporarily) installs various packages, which not only takes forever, but also eventually fails because some packages cannot be found – they come from a private index server, which is a different issue.
As a work-around, installing everything (also downloads and installs) and then using pip-audit --local seems to work, but this is not a convenient solution.
I understand that in the general case, requirements files may not be exhaustive and may not have exact versions, in which case running a resolver etc. makes total sense, but that's not always the case.
Some background: the use case is that my requirements files are produced by pip-tools and hence constitute the exact list of pinned versions used by my application, and I would like to integrate pip-audit into a continuous integration job. I also run pip-compile (from pip-tools) in that job to warn about potential package upgrades, some of which come from private index servers, and it would be great if pip-audit can be added to it.
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 19 (12 by maintainers)
Top GitHub Comments
Maybe --no-deps, perhaps? 🙂
@alex came up with another use case for this: sometimes our dependency source can be something like a third-party package manager, which has already done the hard work of fully resolving the dependency tree for us. Performing the resolution step in that case would be pointless, since we already have all of the information available to us.
What I'm thinking is a --no-resolve or --already-resolved flag that, when the dependency source is a requirements-style file, checks that every dependency is pinned to an exact version and only audits those dependencies. That will effectively address (2)/(3) above, since it assumes that the input is "flat" in the sense that no additional resolutions are necessary.
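The check described in the comment above, as an added illustration (this is not pip-audit's own code, and the flag names discussed are not implemented here): every entry in a requirements-style file must be an exact `==` pin, otherwise the file is refused before anything is downloaded or resolved. The sample requirements text, the placeholder index URL and hash, and the toy advisory table with its `EXAMPLE-ADVISORY-0001` identifier are all constructed for this example; the function names are hypothetical. It also handles the edge cases a pip-compile output brings with it: backslash line continuations, `--hash=` tokens, extras, environment markers, and wildcard pins like `foo==3.*` that look exact but are not.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Exact pin: name, optional extras, '==' and a wildcard-free version, optional
# environment marker. 'foo>=1', 'foo~=1.0', 'foo==1.*' and 'foo==1.0,<2' all
# fail to match and are reported as needing resolution.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?"                       # optional extras, e.g. foo[security]
    r"\s*==\s*(?P<version>[A-Za-z0-9.!+-]+)"  # no '*' allowed in the version
    r"\s*(?:;.*)?$"                          # optional ';' environment marker
)

# Global pip options that configure where to look, not what to install.
_SKIPPABLE_OPTIONS = {"-i", "--index-url", "--extra-index-url", "--trusted-host",
                      "-f", "--find-links", "--no-binary", "--only-binary"}


def _normalize(name: str) -> str:
    """PEP 503 normalization so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash continuations and strip comments/blank lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = re.split(r"(?:^|\s)#", buf + raw, maxsplit=1)[0].strip()
        buf = ""
        if line:
            yield line
    if buf.strip():
        yield buf.strip()


def parse_exact_pins(text: str) -> List[Tuple[str, str]]:
    """Return [(normalized name, version), ...] if every entry is an exact pin.

    Raises ValueError listing every entry that would need resolution, so a
    caller can refuse the file instead of silently downloading anything.
    """
    pins: List[Tuple[str, str]] = []
    problems: List[str] = []
    for line in _logical_lines(text):
        first_token = line.split(maxsplit=1)[0].split("=", 1)[0]
        if first_token in _SKIPPABLE_OPTIONS:
            continue
        if line.startswith("-"):
            problems.append(line)   # -r/-c includes, -e editables: not flat input
            continue
        spec = re.sub(r"\s--hash=\S+", "", line).strip()  # drop pip-compile hashes
        match = _PIN_RE.match(spec)
        if match is None:
            problems.append(line)   # ranges, wildcards, URLs, local paths
            continue
        pins.append((_normalize(match.group("name")), match.group("version")))
    if problems:
        raise ValueError("not exactly pinned: " + "; ".join(problems))
    return pins


# Constructed toy advisory table for the demo; a real tool would query a
# vulnerability service with these (name, version) pairs instead.
TOY_ADVISORIES: Dict[Tuple[str, str], List[str]] = {
    ("examplepkg", "1.2.0"): ["EXAMPLE-ADVISORY-0001"],
}


def audit_pins(pins: List[Tuple[str, str]],
               advisories: Dict[Tuple[str, str], List[str]] = TOY_ADVISORIES
               ) -> Dict[str, List[str]]:
    """Return only the pins that have a known advisory in the table."""
    return {f"{n}=={v}": advisories[(n, v)] for n, v in pins if (n, v) in advisories}


# Constructed sample in pip-compile style (index URL and hash are placeholders).
SAMPLE_PINNED = """\
# generated by pip-compile (constructed sample)
--index-url https://pypi.example.invalid/simple
ExamplePkg==1.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
other-lib[extra]==3.4.5 ; python_version >= "3.8"   # via examplepkg
"""

# Constructed sample with three entries that are not flat and must be refused.
SAMPLE_UNPINNED = """\
examplepkg>=1.0
other-lib==3.*
-r base.txt
"""

if __name__ == "__main__":
    print(audit_pins(parse_exact_pins(SAMPLE_PINNED)))
    try:
        parse_exact_pins(SAMPLE_UNPINNED)
    except ValueError as err:
        print("refused:", err)
```

The refusal is deliberate: a file that needs any resolution is exactly the case the comment says the flag should not handle, so the function reports every offending entry at once rather than auditing a partial list.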