
Author: Andrew Pennebaker
Recipients: Andrew Pennebaker
Date: 2019-06-19 18:50:20
Message-id: <1560970221.06.0.898012626205.issue37343@roundup.psfhosted.org>

Content
Compared to pip, NPM warns users when a dependency subtree about to be installed includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies.

Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities.

https://pypi.org/project/dependency-check/

Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted on vulnerable dependencies.
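The install-time check this report asks for, sketched as an added example that is not part of the issue, of pip, or of dependency-check: it walks a resolved dependency tree, matches each package version against an advisory range, and reports the path through the tree the way npm does. The package names, versions and advisory entries are constructed for illustration, and only dotted numeric versions are compared.

```python
# Added example: a minimal install-time audit over a resolved dependency tree.
# Package names, versions and advisories below are constructed, not real data.
from typing import Dict, List, Tuple

# Constructed resolved tree: package -> (version, direct dependencies).
RESOLVED: Dict[str, Tuple[str, List[str]]] = {
    "webapp": ("1.0.0", ["httpclient", "templating"]),
    "httpclient": ("2.3.1", ["urlparse3"]),
    "templating": ("0.9.0", []),
    "urlparse3": ("1.24.1", []),
}

# Constructed advisory feed: package -> [(advisory id, first vulnerable, first fixed)].
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "urlparse3": [("EXAMPLE-2019-0001", "1.0.0", "1.24.2")],
    "templating": [("EXAMPLE-2018-0042", "0.8.0", "0.9.0")],  # fixed exactly at 0.9.0
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Compare only dotted numeric releases (no pre-release or local segments)."""
    return tuple(int(part) for part in v.split("."))

def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """Vulnerable if introduced <= version < fixed (half-open range, as in npm audit)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def audit(root: str, resolved=RESOLVED, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Walk the tree from root; return (advisory id, package==version, path) findings."""
    findings = []
    seen = set()  # guards against cycles; a package is reported on its first path only
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        version, deps = resolved[name]
        for adv_id, introduced, fixed in advisories.get(name, []):
            if is_vulnerable(version, introduced, fixed):
                findings.append((adv_id, f"{name}=={version}", " > ".join(path)))
        for dep in deps:
            stack.append((dep, path + [dep]))
    return sorted(findings)

if __name__ == "__main__":
    for adv_id, pkg, path in audit("webapp"):
        print(f"WARNING: {pkg} has known vulnerability {adv_id} (via {path})")
```

The templating entry shows the boundary case: a version equal to the fixed version is not flagged, so the range check must be half-open.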
History

Date                 User               Action           Args
2019-06-19 18:50:21  Andrew Pennebaker  set recipients   + Andrew Pennebaker
2019-06-19 18:50:21  Andrew Pennebaker  set messageid    <1560970221.06.0.898012626205.issue37343@roundup.psfhosted.org>
2019-06-19 18:50:21  Andrew Pennebaker  link             issue37343 messages
2019-06-19 18:50:20  Andrew Pennebaker  create