Message346072
Compared to pip, NPM warns users when a dependency subtree about to be installed includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies.
Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities.
https://pypi.org/project/dependency-check/
Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted to vulnerable dependencies.
History:
Date | User | Action | Args
2019-06-19 18:50:21 | Andrew Pennebaker | set | recipients: + Andrew Pennebaker
2019-06-19 18:50:21 | Andrew Pennebaker | set | messageid: <1560970221.06.0.898012626205.issue37343@roundup.psfhosted.org>
2019-06-19 18:50:21 | Andrew Pennebaker | link | issue37343 messages
2019-06-19 18:50:20 | Andrew Pennebaker | create |
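The install-time check the message asks for, as an added example that is not code from pip, NPM or the dependency-check package: pinned requirements are matched against an advisory table, and every pin that falls inside a vulnerable version range produces a warning. The advisory table, the package names and the advisory ids are constructed placeholders, and version parsing is a simplified numeric scheme rather than full PEP 440.

```python
"""Minimal install-time vulnerability audit over pinned requirements.

Added example; not pip's, NPM's or dependency-check's code. ADVISORIES and
SAMPLE_REQUIREMENTS are constructed sample data, not a real advisory feed.
"""
from typing import Dict, List, Tuple

# Constructed advisories: package -> [(first_vulnerable, first_fixed, advisory_id)].
# A version v is affected when first_vulnerable <= v < first_fixed.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("1.0", "1.4.2", "EXAMPLE-ADVISORY-1")],
    "otherpkg": [("0", "2.0", "EXAMPLE-ADVISORY-2"), ("2.3", "2.3.1", "EXAMPLE-ADVISORY-3")],
}

SAMPLE_REQUIREMENTS = """
# constructed sample lock file
examplelib==1.3.0
otherpkg==2.3.0
safepkg==5.1
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version into a tuple (simplified, not full PEP 440)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_range(version: str, lower: str, upper: str) -> bool:
    """True when lower <= version < upper, padding short versions with zeros so 1.4 == 1.4.0."""
    parsed = [parse_version(x) for x in (version, lower, upper)]
    width = max(len(p) for p in parsed)
    v, lo, hi = (p + (0,) * (width - len(p)) for p in parsed)
    return lo <= v < hi


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Collect pinned 'name==version' lines; comments and unpinned lines are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins.append((name.strip().lower(), version.strip()))
    return pins


def audit(pins: List[Tuple[str, str]], advisories=ADVISORIES) -> List[str]:
    """Return one warning per pinned version that matches an advisory range."""
    warnings = []
    for name, version in pins:
        for lower, upper, advisory_id in advisories.get(name, []):
            if version_in_range(version, lower, upper):
                warnings.append(f"{name}=={version}: {advisory_id} (fixed in {upper})")
    return warnings


if __name__ == "__main__":
    for warning in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        print("WARNING:", warning)
```

A real installer would feed the resolved dependency subtree (not just top-level pins) into `audit` and source the advisory table from a maintained feed.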