Read poetry.lock file

I would like safety to be able to read dependencies from a poetry.lock file. It is written in TOML format.

Here is an example of how a dependency is written:

```toml
[[package]]
category = "dev"
description = "A configurable sidebar-enabled Sphinx theme"
name = "alabaster"
optional = false
python-versions = "*"
version = "0.7.12"
```
Here is a complete file:
Currently the only way to use safety when developing a project with poetry is to actually install the dependencies (which is costly in CI) and run something like:

```shell
poetry run pip freeze | poetry run safety check --stdin
```

I would like to be able to run `safety check -r poetry.lock` directly, or something equivalent 🙂.
Issue Analytics
- State:
- Created 5 years ago
- Reactions: 32
- Comments: 8 (1 by maintainers)
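One way to get what the issue asks for without installing the dependencies, as an added example (not code from safety or poetry): parse the `[[package]]` tables of poetry.lock with Python's `tomllib` and emit `name==version` pins in the requirements format that `safety check --stdin` already accepts. The sample lock text and the requests/urllib3 entries are constructed; the category handling assumes the older `main`/`dev` key shown in the issue and treats entries without it as main dependencies.

```python
import argparse

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample lock: alabaster mirrors the issue text; requests and urllib3 are made up.
SAMPLE_LOCK = """
[[package]]
category = "dev"
description = "A configurable sidebar-enabled Sphinx theme"
name = "alabaster"
optional = false
python-versions = "*"
version = "0.7.12"

[[package]]
category = "main"
name = "requests"
optional = false
version = "2.31.0"

[[package]]
name = "urllib3"
optional = false
version = "2.0.7"
"""


def lock_to_requirements(lock_text: str, include_dev: bool = False) -> list[str]:
    """Return sorted 'name==version' pins from poetry.lock text."""
    data = tomllib.loads(lock_text)
    pins = []
    for pkg in data.get("package", []):
        # Entries without a category key (newer lock files) count as main;
        # dev-category packages are skipped unless include_dev is set.
        if pkg.get("category", "main") == "dev" and not include_dev:
            continue
        pins.append(f"{pkg['name']}=={pkg['version']}")
    return sorted(pins)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Emit name==version pins from poetry.lock")
    ap.add_argument("lockfile", nargs="?", help="path to poetry.lock (default: built-in sample)")
    ap.add_argument("--dev", action="store_true", help="also include dev-category packages")
    args = ap.parse_args()
    text = open(args.lockfile).read() if args.lockfile else SAMPLE_LOCK
    # Requirements-style output, ready to pipe into: safety check --stdin
    print("\n".join(lock_to_requirements(text, include_dev=args.dev)))
```

Run as `python lock2req.py poetry.lock | safety check --stdin` (hypothetical script name); add `--dev` if dev dependencies should be checked too.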
Top GitHub Comments
Please ignore me. Not enough coffee before I start work… Safety was not installed.
I shall go sit in a corner wearing a dunce hat.
/sigh
I'm now using … instead.

`pip freeze` was also showing the current package as an editable install, that I had to filter out with an additional `grep -v` pipe (with ugly regex to match underscores/dashes and upper/lower case). `poetry export -f requirements.txt` doesn't show dev dependencies, which is good since I don't care if they have CVEs as they are not part of the published package, and it also doesn't show the current package, fixing the previous pain point. `safety` is not installed as a dev dependency anymore, because doing so makes it vulnerable to malicious packages installed in the same env, effectively canceling its usefulness (the malicious packages can override its `check` function to hide themselves). See https://nvd.nist.gov/vuln/detail/CVE-2020-5252. Instead, I install it with `pipx` so it's isolated. You could also always use `pipx` if you want:

```shell
poetry export -f requirements.txt | pipx run safety check --stdin
```