[New-bugs-announce] [issue37343] pip: Warn on vulnerable packages
Andrew Pennebaker
report at bugs.python.org
Wed Jun 19 14:50:21 EDT 2019
New submission from Andrew Pennebaker <andrew.pennebaker at gmail.com>:
Compared to pip, NPM warns users when a dependency subtree that is about to be installed includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies.
Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities.
https://pypi.org/project/dependency-check/
Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted on vulnerable dependencies.
----------
messages: 346072
nosy: Andrew Pennebaker
priority: normal
severity: normal
status: open
title: pip: Warn on vulnerable packages
type: security
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37343>
_______________________________________
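As an added example (not pip's code and not the dependency-check package's code), the kind of check the request asks for: compare a resolved set of (name, version) pairs against a local advisory list and emit a warning per affected package. The advisories and requirements below are constructed for illustration, and the version ordering is a simplified subset of PEP 440 (dotted numeric releases plus an optional pre-release tag).

```python
"""Warn on dependencies that fall inside a known-vulnerable version range."""
from __future__ import annotations
import re
from dataclasses import dataclass
from importlib import metadata
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str            # distribution name, any casing/separators
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = unfixed
    summary: str            # constructed description, not a real CVE


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Sortable key; final releases sort after pre-releases of the same number."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if m is None:
        raise ValueError(f"unsupported version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:   # 1.4.0 == 1.4
        release = release[:-1]
    tag = m.group(2)
    return (release, 1 if tag == "" else 0, tag)


def is_affected(version: str, adv: Advisory) -> bool:
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed is None or v < version_key(adv.fixed)


def audit(requirements: Iterable[Tuple[str, str]],
          advisories: Iterable[Advisory]) -> List[str]:
    """Return one warning line per (requirement, advisory) match."""
    by_name: dict = {}
    for adv in advisories:
        by_name.setdefault(normalize(adv.package), []).append(adv)
    warnings = []
    for name, version in requirements:
        for adv in by_name.get(normalize(name), []):
            if is_affected(version, adv):
                fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix released"
                warnings.append(f"WARNING: {name}=={version} is affected: {adv.summary} ({fix})")
    return warnings


def installed_requirements() -> List[Tuple[str, str]]:
    """Real installed distributions, for running the audit on this interpreter."""
    return [(d.metadata["Name"], d.version) for d in metadata.distributions()]


# Constructed sample data (hypothetical packages and advisories).
SAMPLE_ADVISORIES = [
    Advisory("Example-Lib", "1.0", "1.4.2", "unsafe deserialization (constructed)"),
    Advisory("otherpkg", "2.0", None, "path traversal (constructed)"),
]
SAMPLE_REQUIREMENTS = [("example_lib", "1.4.1"), ("example-lib", "1.4.2"),
                       ("otherpkg", "2.5"), ("unrelated", "0.1")]

if __name__ == "__main__":
    for line in audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(line)
```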