
Simplified Vendoring


Is your feature request related to a problem? Please describe.

The problem is an increase in the frequency of software supply-chain attacks (example).

Describe the solution you’d like

I’d like to use pipenv to vendor the wheels for the packages in my Pipfile.lock into a folder in my app (to be checked in).

I’d like to use pipenv to install wheels from the vendor folder (during the CI pipeline and after deployment).

Describe alternatives you’ve considered

A private pypi server that houses “blessed” packages. I do not prefer this approach due to the overhead of maintaining a blessed list of packages and also of the private server itself.

Additional context

I do not have an opinion on how such a thing could be implemented, but I have an idea in my head of what I imagine. Something like:

$ pipenv --python 3.7
$ pipenv install --vendor-dir=./vendor requests
$ git add .
$ git commit -m "adds requests to the app"
$ git push

so now I’ve vendored requests.

$ pipenv sync --vendor-dir=./vendor

and now I’ve installed from the vendor folder.

I don’t know. Perhaps vendoring package-by-package is too complicated (and maybe defeats the purpose of vendoring). Maybe it should be an all or nothing:

$ pipenv vendor --dir=./vendor on

just straight-up changes the [[source]] in Pipfile to the ./vendor dir.

Don’t know. You all would know better.


nix7drummer88 commented, May 12, 2020

FWIW I agree with @jar349 here, being able to vendor within pipenv would be excellent, and I’m surprised this isn’t a feature already.

I’m currently looking to vendor packages for one of my projects that uses pipenv, and it’s looking like the only way to do it at present is to go back to pip, which forces us to re-evaluate our choice of using pipenv at all.

jar349 commented, Dec 20, 2019

> I feel this is out of the scope of Pipenv and should be implemented in its own tool instead.

I feel that vendoring is squarely within the packaging lifecycle and that pipenv’s goal is to be the one-stop shop for python packaging. Introducing a new tool would take us back to the days when we were using two programs (pip and virtualenv) for our packaging needs.

However, if it were its own tool (let’s call it pipvend) then pipenv would - at a minimum - be asked to install packages from a vendored directory.

$ pipvend init
created wheelhouse in ./vendor
Pipfile updated to use wheelhouse as package source

$ pipvend install requests
downloaded requests-1.2.3.whl to wheelhouse
Pipfile updated
Pipfile.lock updated

$ pipenv sync
# notices that the Pipfile source points to a local directory
# and installs from the .whl files there

In this scenario, is pipenv already able to install from a local directory?
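The integrity check that both the issue's vendor-folder workflow and the pipvend sketch above leave implicit, as an added example that is neither part of this issue nor pipenv's own code: before `pipenv sync` or `pip install --no-index --find-links ./vendor` trusts a checked-in wheelhouse, verify that every wheel's sha256 is one recorded in Pipfile.lock, and flag wheels that were altered or that the lock never listed. The Pipfile.lock layout is the real one; the package entries and wheel bytes are constructed fixtures so the check runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def load_lock_hashes(lock_path):
    """Map each locked package to the sha256 digests Pipfile.lock allows for it."""
    lock = json.loads(Path(lock_path).read_text())
    allowed = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            digests = {h[7:] for h in spec.get("hashes", []) if h.startswith("sha256:")}
            allowed.setdefault(name.lower(), set()).update(digests)
    return allowed

def verify_wheelhouse(vendor_dir, lock_path):
    """Return (ok, problems): a wheel passes only if its digest is one the lock
    lists for its package; extra or altered wheels are reported, not trusted."""
    allowed = load_lock_hashes(lock_path)
    problems = []
    for wheel in sorted(Path(vendor_dir).glob("*.whl")):
        # wheel filenames use '_' where normalized project names use '-'
        pkg = wheel.name.split("-", 1)[0].lower().replace("_", "-")
        digest = hashlib.sha256(wheel.read_bytes()).hexdigest()
        if pkg not in allowed:
            problems.append(f"{wheel.name}: package not in Pipfile.lock")
        elif digest not in allowed[pkg]:
            problems.append(f"{wheel.name}: sha256 does not match Pipfile.lock")
    return (not problems, problems)

def build_sample(clean=False):
    """Constructed fixture, not real wheels: the lock lists requests and urllib3;
    unless clean, the vendor dir also holds a tampered urllib3 wheel and a
    certifi wheel the lock never listed. Returns (vendor_dir, lock_path)."""
    root = Path(tempfile.mkdtemp())
    vendor = root / "vendor"
    vendor.mkdir()
    good = {"requests": b"PK\x03\x04 constructed requests bytes",
            "urllib3": b"PK\x03\x04 constructed urllib3 bytes"}
    lock = {"_meta": {}, "develop": {}, "default": {
        n: {"version": "==0.0", "hashes": ["sha256:" + hashlib.sha256(b).hexdigest()]}
        for n, b in good.items()}}
    (root / "Pipfile.lock").write_text(json.dumps(lock))
    (vendor / "requests-0.0-py3-none-any.whl").write_bytes(good["requests"])
    if clean:
        (vendor / "urllib3-0.0-py3-none-any.whl").write_bytes(good["urllib3"])
    else:
        (vendor / "urllib3-0.0-py3-none-any.whl").write_bytes(b"PK\x03\x04 altered")
        (vendor / "certifi-0.0-py3-none-any.whl").write_bytes(b"PK\x03\x04 extra")
    return str(vendor), str(root / "Pipfile.lock")
```

In a real pipeline, run `verify_wheelhouse("./vendor", "Pipfile.lock")` against the checked-in directory and fail the build on any reported problem before the install step runs.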
