Add pip-audit to poetry operations that touch the lockfile
#6220
Labels
kind/feature
Feature requests/implementations
Comments
tigerhawkvok
added
kind/feature
|
Way out of scope IMO. If you like pip-audit, run pip-audit! |
|
Hey @tigerhawkvok, this is definitely something out of scope for Poetry. Maybe it's possible that somebody will provide a plugin in the future. fin swimmer |
finswimmer
added
wontfix
and removed
status/triage
|
Related issue on pip-audit: pypa/pip-audit#84. They suggest adding |
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Feature Request
Adding a tool like pip-audit to operations that touch the lockfile adds a measure of security to Poetry. Poetry knows the source of the files and can, correctly, only inspect the dependencies that come directly from PyPI; and further, since Poetry stores hashes in the lockfile once a dependency is known safe it doesn't have to be checked again. This helps mitigate PyPI poisoning attacks.
Possibly if performance is an issue its functionality (and the state of "is it default") can be a global Poetry config flag.
The text was updated successfully, but these errors were encountered: