Vendor pip 25.0.1 #6343

Open: wants to merge 4 commits into main

Conversation

@matteius matteius commented Feb 15, 2025

Vendor in pip==25.0.1

Pretty straightforward overall, contains all the improvements in: https://pip.pypa.io/en/stable/news/#v25-0-1

Make safety an optional dependency via extras

Problem

Currently, pipenv vendors the safety package and its dependencies directly in the pipenv/patched/ directory. This approach has several drawbacks:

  1. We recently learned that the latest safety requires typer and its own safety-schemas which requires pydantic
  2. Pydantic was previously removed from pipenv for good reasons, and we don't want to reintroduce it
  3. Vendoring all these dependencies increases the size and complexity of the pipenv codebase
  4. Users who don't use the vulnerability checking functionality still have these dependencies

Solution

This PR makes safety an optional dependency via extras:

  1. Removed the vendored safety directory from pipenv/patched/
  2. Added safety and its dependencies as optional extras in pyproject.toml (pipenv[safety])
  3. Modified the check command to:
    • Check if safety is installed
    • If not, prompt the user to allow installing safety + dependencies
    • Install safety without modifying the user's Pipfile or lockfile
    • Use the installed safety module instead of the vendored one

Implementation Details

  • Added safety>=3.0.0 and typer>=0.9.0 as optional dependencies under optional-dependencies.safety in pyproject.toml
  • Removed the safety package data entry from pyproject.toml
  • Updated the check.py implementation to detect if safety is installed and offer to install it on-demand
  • Converted all click.echo/secho calls to use the project's rich interface (console.print/err.print)

Testing

To test this change:

  1. Run pipenv check without safety installed - it should prompt to install safety
  2. Confirm that installing safety doesn't modify the Pipfile or lockfile
  3. Run pipenv check again to verify it works with the installed safety
  4. Install pipenv with extras: pip install pipenv[safety] and verify check works without prompting

Impact

  • Reduces the dependency footprint of pipenv for users who don't use the vulnerability checking
  • Avoids reintroducing pydantic as a core dependency
  • Provides a cleaner, more maintainable approach to optional functionality
  • Improves user experience by only installing what's needed when it's needed

The checklist

  • A news fragment in the news/ directory to describe this fix with the extension .bugfix.rst, .feature.rst, .behavior.rst, .doc.rst, .vendor.rst, or .trivial.rst (this will appear in the release changelog). Use semantic line breaks and name the file after the issue number or the PR #.
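The on-demand install flow described under Solution and Implementation Details (detect the optional package, prompt, install it into the current interpreter without touching Pipfile or Pipfile.lock, then use it), as an added example. This is not pipenv's code and not the PR's check.py; the `OptionalDep` record, the injectable `ask`/`installer`/`version_of` callables and the simplified version comparison are assumptions made here so the logic runs offline. It installs with `python -m pip`, not `pipenv install`, which is what keeps the project's Pipfile and lockfile untouched, and it re-verifies the minimum version after the install rather than trusting pip's exit code alone.

```python
"""Added example (not pipenv's own code): lazily install an optional extra
on first use, into the running interpreter, without touching Pipfile or
Pipfile.lock.  OptionalDep, ask/installer/version_of and the three-segment
version comparison are assumptions of this example, not pipenv APIs."""
from __future__ import annotations

import importlib
import importlib.metadata
import importlib.util
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class OptionalDep:
    module: str        # import name used to detect presence, e.g. "safety"
    distribution: str  # distribution name pip installs, e.g. "safety"
    min_version: str   # lower bound matching the extras entry, e.g. "3.0.0"


def _version_tuple(v: str) -> tuple[int, ...]:
    """Leading numeric release segments only; "3.2.1rc1" -> (3, 2, 1)."""
    parts = []
    for piece in v.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_installed(dep: OptionalDep,
                 version_of: Callable[[str], str] = importlib.metadata.version) -> bool:
    """True only if the module is importable AND the distribution meets min_version.
    A stale or too-old install would otherwise pass a bare import check."""
    if importlib.util.find_spec(dep.module) is None:
        return False
    try:
        installed = version_of(dep.distribution)
    except importlib.metadata.PackageNotFoundError:
        return False
    return _version_tuple(installed) >= _version_tuple(dep.min_version)


def pip_install(specs: Sequence[str]) -> int:
    """Install into sys.executable's environment, argv form (no shell).
    --no-input stops pip from blocking on its own prompts; Pipfile is never read."""
    cmd = [sys.executable, "-m", "pip", "install", "--no-input",
           "--disable-pip-version-check", *specs]
    return subprocess.run(cmd, check=False).returncode


def ensure_optional(deps: Sequence[OptionalDep],
                    ask: Callable[[str], bool],
                    installer: Callable[[Sequence[str]], int] = pip_install,
                    version_of: Callable[[str], str] = importlib.metadata.version) -> bool:
    """Return True when every dep is usable.  Prompts once for all missing deps,
    installs them with their lower bounds, then re-checks instead of trusting
    the installer's exit status."""
    missing = [d for d in deps if not is_installed(d, version_of)]
    if not missing:
        return True
    specs = [f"{d.distribution}>={d.min_version}" for d in missing]
    if not ask(f"pipenv check needs {', '.join(specs)}. "
               "Install into this environment (Pipfile untouched)? [y/N] "):
        return False
    if installer(specs) != 0:
        return False
    importlib.invalidate_caches()  # make newly installed packages visible to find_spec
    return all(is_installed(d, version_of) for d in missing)


if __name__ == "__main__":
    # Interactive use; the bounds mirror the extras listed in the PR description.
    wanted = [OptionalDep("safety", "safety", "3.0.0"),
              OptionalDep("typer", "typer", "0.9.0")]
    ok = ensure_optional(wanted, ask=lambda q: input(q).strip().lower() == "y")
    print("safety available" if ok else "safety not available; skipping check")
```

Only lower bounds are pinned here, mirroring the extras; an on-demand install that must be reproducible would pass an upper bound or a hash-pinned requirements file to pip instead.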

@matteius (Member Author)
I fix ruff in the pythonfinder PR.

@matteius matteius requested a review from oz123 March 21, 2025 05:25