Read poetry.lock file

I would like safety to be able to read dependencies from a poetry.lock file. It is written in TOML format.

Here is an example of how a dependency is written:

[[package]]
category = "dev"
description = "A configurable sidebar-enabled Sphinx theme"
name = "alabaster"
optional = false
python-versions = "*"
version = "0.7.12"

Here is a complete file:

poetry.lock

Currently the only way to use safety when developing a project with poetry is to actually install the dependencies (which is costly in CI) and run something like:

poetry run pip freeze | poetry run safety check --stdin

I would like to be able to run safety check -r poetry.lock directly, or something equivalent 🙂.

Top GitHub Comments

6 reactions
kierun commented, Oct 22, 2019

Please ignore me. Not enough coffee before I start work… Safety was not installed.

I shall go sit in a corner wearing a dunce hat.

/sigh

5 reactions
pawamoy commented, May 22, 2020

I’m now using

poetry export -f requirements.txt | safety check --stdin

…instead.

  • pip freeze was also showing the current package as an editable install, which I had to filter out with an additional grep -v pipe (with an ugly regex to match underscores/dashes and upper/lower case). poetry export -f requirements.txt doesn’t show dev dependencies, which is good since I don’t care if they have CVEs as they are not part of the published package, and it also doesn’t show the current package, fixing the previous pain point.
  • safety is not installed as a dev dependency anymore, because doing so makes it vulnerable to malicious packages installed in the same env, effectively canceling its usefulness (the malicious packages can override its check function to hide themselves). See https://nvd.nist.gov/vuln/detail/CVE-2020-5252. Instead, I install it with pipx so it’s isolated. You could also always use pipx if you want: poetry export -f requirements.txt | pipx run safety check --stdin
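One way to feed a poetry.lock file to safety without installing the project, covering both the feature request in the issue and the dev-dependency filtering from the poetry export workflow in the comment above. This is an added example, not code from the safety or poetry projects; it assumes Python's tomllib (3.11+) or the tomli backport, and lock2req.py is a hypothetical script name.

```python
import sys

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: the tomli backport is installed

# Constructed sample in the [[package]] format shown in the issue.
SAMPLE_LOCK = """\
[[package]]
category = "dev"
description = "A configurable sidebar-enabled Sphinx theme"
name = "alabaster"
optional = false
python-versions = "*"
version = "0.7.12"

[[package]]
category = "main"
description = "Python HTTP for Humans."
name = "requests"
optional = false
python-versions = ">=2.7"
version = "2.22.0"
"""

def lock_to_requirements(lock_text: str, include_dev: bool = False) -> list[str]:
    """Return sorted 'name==version' lines for the packages in a poetry.lock.

    Dev-category packages are skipped by default, mirroring the poetry export
    workflow in the thread (they are not shipped with the package). An entry
    without a name or version raises instead of being dropped, so a malformed
    lock file cannot silently hide a dependency from the scan.
    """
    data = tomllib.loads(lock_text)
    reqs = []
    for pkg in data.get("package", []):
        if "name" not in pkg or "version" not in pkg:
            raise ValueError(f"malformed [[package]] entry: {pkg!r}")
        if not include_dev and pkg.get("category") == "dev":
            continue
        reqs.append(f"{pkg['name']}=={pkg['version']}")
    return sorted(reqs)

if __name__ == "__main__":
    # python lock2req.py poetry.lock | pipx run safety check --stdin
    path = sys.argv[1] if len(sys.argv) > 1 else "poetry.lock"
    with open(path, encoding="utf-8") as fh:
        print("\n".join(lock_to_requirements(fh.read())))
```

Piping the output into pipx run safety check --stdin keeps safety isolated from the project's environment, as the comment above recommends.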
