➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-06-19 18:50 by Andrew Pennebaker, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Messages (2) | |||
|---|---|---|---|
| msg346072 - (view) | Author: Andrew Pennebaker (Andrew Pennebaker) | Date: 2019-06-19 18:50 | |
Compared to pip, NPM warns users when a dependency subtree about to be installed, includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies. Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities. https://pypi.org/project/dependency-check/ Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted on vulnerable dependencies. |
|||
| msg346074 - (view) | Author: Karthikeyan Singaravelan (xtreak) *  |
Date: 2019-06-19 19:02 | |
Thanks for the report. pip development happens at https://github.com/pypa/pip/ where this could get better attention since CPython just vendors latest pip. pipenv does similar check with "pipenv check" command [0]. Similar issue on GitHub : https://github.com/pypa/pip/issues/6087 . I think this can be closed as third party issue. [0] https://docs.pipenv.org/en/latest/#pipenv-check |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:16 | admin | set | github: 81524 |
| 2019-06-19 19:03:18 | brett.cannon | set | status: open -> closed resolution: third party stage: resolved |
| 2019-06-19 19:02:24 | xtreak | set | nosy:
+ xtreak messages: + msg346074 |
| 2019-06-19 18:50:21 | Andrew Pennebaker | create | |