Simplified Vendoring
Is your feature request related to a problem? Please describe.
The problem is an increase in the frequency of software supply-chain attacks (example).
Describe the solution you’d like
I’d like to use pipenv to vendor the wheels for the packages in my Pipfile.lock into a folder in my app (to be checked in).
I’d like to use pipenv to install wheels from the vendor folder (during the CI pipeline and after deployment)
Describe alternatives you’ve considered
A private pypi server that houses “blessed” packages. I do not prefer this approach due to the overhead of maintaining a blessed list of packages and also of the private server itself.
Additional context
I do not have an opinion on how such a thing could be implemented, but I have an idea in my head of what I imagine. Something like:
$ pipenv --python 3.7
$ pipenv install --vendor-dir=./vendor requests
$ git add .
$ git commit -m "adds requests to the app"
$ git push
so now I’ve vendored requests.
$ pipenv sync --vendor-dir=./vendor
and now I’ve installed from the vendor folder
I don’t know. Perhaps vendoring package-by-package is too complicated (and maybe defeats the purpose of vendoring). Maybe it should be an all or nothing:
$ pipenv vendor --dir=./vendor on
just straight-up changes the [[source]] in Pipfile to the ./vendor dir
Don’t know. You all would know better.
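A worked check for the workflow proposed above, as an added example that is not part of the issue or of pipenv: before installing from a vendored directory, verify every wheel against the sha256 hashes pipenv already records in Pipfile.lock, and emit a hash-pinned requirements file so that pip's --require-hashes mode refuses anything that drifted. The lock, the wheel files and the tampered/unlisted cases are constructed in a temporary directory; the function names (verify_vendor_dir, write_hashed_requirements, run_demo) and the assumption that hashes are of the form "sha256:<hex>" are the example's own.

```python
"""Verify a vendored wheel directory against the hashes in Pipfile.lock.

Added example, not pipenv code. Assumes Pipfile.lock's usual layout
("default"/"develop" sections, entries with "version" and "hashes") and
handles only "sha256:<hex>" hashes, which is what pipenv writes.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path


def normalize(name: str) -> str:
    """PEP 503 normalization: 'Typing_Extensions' and 'typing-extensions' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_lock(path: Path) -> dict:
    """Read a real Pipfile.lock (plain JSON)."""
    return json.loads(path.read_text())


def locked_hashes(lock: dict, sections=("default", "develop")) -> dict:
    """Map normalized package name -> (version spec, set of sha256 hex digests)."""
    out = {}
    for section in sections:
        for name, entry in lock.get(section, {}).items():
            digests = {h.split(":", 1)[1] for h in entry.get("hashes", [])
                       if h.startswith("sha256:")}
            out[normalize(name)] = (entry.get("version", ""), digests)
    return out


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def wheel_dist_name(filename: str) -> str:
    """'typing_extensions-4.12.2-py3-none-any.whl' -> 'typing-extensions'."""
    return normalize(filename.split("-", 1)[0])


def verify_vendor_dir(vendor_dir: Path, lock: dict) -> dict:
    """Classify every wheel in vendor_dir; also report locked packages with no wheel at all."""
    expected = locked_hashes(lock)
    result = {"ok": [], "bad_hash": [], "unlisted": [], "missing": []}
    seen = set()
    for wheel in sorted(vendor_dir.glob("*.whl")):
        name = wheel_dist_name(wheel.name)
        if name not in expected:
            result["unlisted"].append(wheel.name)  # a wheel the lock never vouched for
            continue
        seen.add(name)
        if sha256_file(wheel) in expected[name][1]:
            result["ok"].append(wheel.name)
        else:
            result["bad_hash"].append(wheel.name)  # tampered, or rebuilt without re-locking
    result["missing"] = sorted(set(expected) - seen)
    return result


def write_hashed_requirements(lock: dict, out: Path) -> str:
    """Emit 'name==ver --hash=sha256:...' lines for pip's --require-hashes mode."""
    lines = []
    for name, (spec, digests) in sorted(locked_hashes(lock).items()):
        hashes = " ".join(f"--hash=sha256:{d}" for d in sorted(digests))
        lines.append(f"{name}{spec} {hashes}")
    text = "\n".join(lines) + "\n"
    out.write_text(text)
    return text


def run_demo():
    """Constructed fixture (not real wheels): a lock plus one of each failure mode."""
    good = {
        "requests-2.31.0-py3-none-any.whl": b"fake requests wheel",
        "typing_extensions-4.12.2-py3-none-any.whl": b"fake typing_extensions wheel",
        "urllib3-2.2.1-py3-none-any.whl": b"genuine urllib3 wheel",
    }
    lock = {"_meta": {}, "default": {}, "develop": {}}
    for filename, blob in good.items():
        dist, version = filename.split("-")[:2]
        lock["default"][normalize(dist)] = {
            "version": "==" + version,
            "hashes": ["sha256:" + hashlib.sha256(blob).hexdigest()],
        }
    # locked but never copied into ./vendor (hash value is a placeholder, constructed)
    lock["default"]["certifi"] = {"version": "==2024.2.2", "hashes": ["sha256:" + "0" * 64]}
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        vendor.mkdir()
        for filename, blob in good.items():
            (vendor / filename).write_bytes(blob)
        # one wheel altered after locking, one dropped in that the lock never saw
        (vendor / "urllib3-2.2.1-py3-none-any.whl").write_bytes(b"TAMPERED urllib3 wheel")
        (vendor / "evil_helper-0.1-py3-none-any.whl").write_bytes(b"not in the lock")
        requirements = write_hashed_requirements(lock, vendor / "requirements.txt")
        report = verify_vendor_dir(vendor, lock)
    return report, requirements


if __name__ == "__main__":
    print(run_demo()[0])
```

With a real tree, populate the folder with `pip download --only-binary=:all: -d ./vendor -r requirements.txt`, run the check, and install with `pip install --no-index --find-links ./vendor --require-hashes -r vendor/requirements.txt`; --no-index keeps pip off PyPI entirely and --require-hashes makes the hashes, not the filenames, the thing that is trusted. This is plain pip, not pipenv, which is exactly the gap the issue describes.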
Issue Analytics
- Created 4 years ago
- Reactions: 5
- Comments: 6 (2 by maintainers)
Top GitHub Comments
FWIW I agree with @jar349 here, being able to vendor within pipenv would be excellent, and I’m surprised this isn’t a feature already.
I’m currently looking to vendor packages for one of my projects that uses pipenv, and it’s looking like the only way to do it at present is to go back to pip, which forces us to re-evaluate our choice of using pipenv at all.
I feel that vendoring is squarely within the packaging lifecycle and that pipenv’s goal is to be the one-stop shop for python packaging. Introducing a new tool would take us back to the days when we were using two programs (pip and virtualenv) for our packaging needs.
However, if it were its own tool (let’s call it pipvend) then pipenv would - at a minimum - be asked to install packages from a vendored directory. In this scenario, is pipenv already able to install from a local directory?