11 Feb 2019, 1:49 p.m.
Hi. I recently found myself installing a Node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see https://docs.npmjs.com/cli/audit). At work, we run safety (https://pypi.org/project/safety/) on all our projects (which has both free and paid versions). It's great. I know there's a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask anyways :) -- what are opinions on running a similar thing during pip install? -J
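To make the mechanism behind `npm audit` and `safety` concrete, here is an added illustration of what such a check does at install time: it matches the exact versions being installed against a database of advisories with affected version ranges. This is example code written for this thread, not code from npm, safety or pip, and the advisory entries, package names and `EXAMPLE-` ids below are constructed placeholders, not real vulnerabilities. It also shows the caveat such tools share: only pinned versions can be audited, and distribution names must be normalized (PEP 503) before lookup.

```python
"""Minimal install-time dependency audit (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str      # distribution name, normalized before matching
    spec: str         # affected range: comma-joined clauses like ">=2.0.0,<2.0.3"
    advisory_id: str  # constructed placeholder id, not a real CVE/PYSEC id
    summary: str


# Constructed sample advisory database; none of these describe real packages or bugs.
SAMPLE_ADVISORIES = [
    Advisory("example-lib", "<1.4.0", "EXAMPLE-0001",
             "constructed: unsafe deserialization in config loader"),
    Advisory("example-lib", ">=2.0.0,<2.0.3", "EXAMPLE-0002",
             "constructed: regression of EXAMPLE-0001 in the 2.0 line"),
    Advisory("other-pkg", "<=0.9.1", "EXAMPLE-0003",
             "constructed: weak default TLS settings"),
]

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Release segment only (1.2.3 -> (1, 2, 3)); pre/post/dev labels are ignored,
    a deliberate simplification of full PEP 440 ordering."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) > 1 and parts[-1] == 0:  # 1.0.0 compares equal to 1
        parts = parts[:-1]
    return parts


def version_in_range(version: str, spec: str) -> bool:
    """True if every clause of the affected-range spec holds for the version."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^(<=|>=|==|!=|<|>)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_requirement(line: str):
    """(name, version) for 'name==x.y.z', (name, None) when not pinned with '==',
    None for blank or comment lines. Extras and environment markers are dropped."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s,]+))?", line)
    if not m:
        return None
    name, version = m.groups()
    return normalize_name(name), version


def audit(requirement_lines, advisories=SAMPLE_ADVISORIES):
    """Return {'findings': [(name, version, id, summary)], 'skipped': [unpinned names]}."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(normalize_name(adv.package), []).append(adv)
    findings, skipped = [], []
    for line in requirement_lines:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, version = parsed
        if version is None:          # an unpinned spec cannot be audited reliably
            skipped.append(name)
            continue
        for adv in by_name.get(name, []):
            if version_in_range(version, adv.spec):
                findings.append((name, version, adv.advisory_id, adv.summary))
    return {"findings": findings, "skipped": skipped}


# Constructed requirements input; one vulnerable pin, one fixed pin, one unpinned.
SAMPLE_REQUIREMENTS = [
    "# constructed requirements file",
    "Example_Lib[cli]==1.3.9",
    "example-lib==2.0.5",
    "other-pkg==0.9.1 ; python_version < '3.8'",
    "unpinned-thing>=1.0",
    "",
]


def audit_sample():
    return audit(SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    result = audit_sample()
    for name, version, adv_id, summary in result["findings"]:
        print(f"{adv_id}: {name}=={version}: {summary}")
    for name in result["skipped"]:
        print(f"skipped (not pinned, cannot audit): {name}")
```

Run as a script it reports two findings (`example-lib==1.3.9` and `other-pkg==0.9.1`) and skips the unpinned requirement; `example-lib==2.0.5` is clean because it falls outside both affected ranges. A real tool would fetch the advisory database over the network and use full PEP 440 version handling, which is the main reason tools like safety exist as separate projects rather than as a few lines in pip.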