Would something like this require:
- a pip extension/plugin/post-install hook API
- a post-install hook that discloses all installed packages and versions (from pypi.org, mirrors, local directory) in exchange for checking an online security DB
- a way to specify a key to e.g. pyup
GitHub and GitLab offer similar functionality:
> pipenv check relies on safety and Safety-DB to check for known vulnerabilities in locked components
On Monday, February 11, 2019, Julian Berman <julian@grayvines.com> wrote:
Hi.
I recently found myself installing a node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see https://docs.npmjs.com/cli/audit).
I know there's a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask anyways :) -- what are opinions on running a similar thing during pip install?
-J
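A sketch of the check such a post-install hook could run, covering both the hook idea above and Julian's npm-audit question: this is an added example, not code from this thread or from pip, pipenv or safety. It uses only the standard library; the advisory layout (`specs` lists of version ranges, vulnerable if any range matches) is an assumption loosely modelled on Safety-DB's JSON, and the database contents and package name are constructed.

```python
"""Compare what pip installed against a local advisory DB (stdlib only)."""
import re
from importlib import metadata

# Constructed sample DB, loosely Safety-DB shaped: lowercase package name ->
# advisories; a version is affected if it satisfies ANY entry in "specs",
# and each spec is a comma-separated AND of clauses.
SAMPLE_DB = {
    "examplepkg": [
        {"id": "pyup-SAMPLE-1", "specs": ["<1.2.3"], "advisory": "constructed: parser bug"},
        {"id": "pyup-SAMPLE-2", "specs": [">=2.0,<2.0.5"], "advisory": "constructed: DoS"},
    ],
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def parse_version(v):
    """'1.2.0' -> (1, 2): numeric components, trailing zeros dropped so that
    1.2 == 1.2.0 under tuple comparison; non-numeric parts sort lowest."""
    parts = [int(m.group()) if (m := re.match(r"\d+", p)) else -1 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def matches(version, spec):
    """True if version satisfies every clause of a comma-separated spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def find_vulnerable(installed, db):
    """installed: {name: version}. Returns [(name, version, advisory id), ...]."""
    return [(name, ver, adv["id"]) for name, ver in installed.items()
            for adv in db.get(name.lower(), []) if any(matches(ver, s) for s in adv["specs"])]

def installed_distributions():
    """Name -> version for every distribution visible in this environment."""
    return {d.metadata["Name"].lower(): d.version
            for d in metadata.distributions() if d.metadata["Name"]}

if __name__ == "__main__":
    for name, ver, adv_id in find_vulnerable(installed_distributions(), SAMPLE_DB):
        print(f"WARNING: {name}=={ver} matches advisory {adv_id}")
```

Running it prints nothing unless a real distribution happens to be named `examplepkg`; swap in a real advisory feed to turn it into the audit step the thread discusses.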