Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement --fix for PipSource #82

Closed
2 tasks done
di opened this issue Oct 26, 2021 · 2 comments · Fixed by #212
Closed
2 tasks done

Implement --fix for PipSource #82

di opened this issue Oct 26, 2021 · 2 comments · Fixed by #212
Assignees
@tetsuo-cpp
Labels
component:cli CLI components pri:high High(er) priority tasks
Milestone
Follow-on

Comments

@di
Copy link
Member

di commented Oct 26, 2021
edited
Loading

For each of the available inputs, support adding a --fix flag which will automatically update the dependency specification or environment in question to exclude any found vulnerabilities.

For example:

  • if a vulnerability is found in a local environment, uninstall it and install a version with the fix
  • if a vulnerability is found in a requirements.txt file, update the version specification for the affected project to exclude the vulnerable version

This should be a meta-issue for determining the UX around this feature, and we should create sub-issues for each of the potential ways a fix can be applied.
@di di added this to the Follow-on milestone Oct 26, 2021
@woodruffw
Copy link
Member

An idle thought around the UX: anything that involves fixes should also support a --dry-run mode, where we tell the user what actions we'd take (e.g. updating a dep in their environment, rewriting their requirements.txt).

@woodruffw woodruffw added the component:cli CLI components label Oct 28, 2021
@di di mentioned this issue Nov 1, 2021
Closed
@woodruffw woodruffw added the pri:high High(er) priority tasks label Jan 11, 2022
@tetsuo-cpp tetsuo-cpp self-assigned this Jan 11, 2022
@tetsuo-cpp
Copy link
Contributor

I've opened #214 and #215 to track the remainder of this work. I'm going to repurpose this ticket to only capture the work for implementing --fix for PipSource.

@tetsuo-cpp tetsuo-cpp changed the title Support pip-audit --fix Implement --fix for PipSource Jan 13, 2022
@tetsuo-cpp tetsuo-cpp mentioned this issue Jan 13, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tetsuo-cpp tetsuo-cpp

Labels
component:cli CLI components pri:high High(er) priority tasks
Projects
None yet
Milestone
Follow-on
Development

Successfully merging a pull request may close this issue.

pip, _fix: Implement --fix for PipSource pypa/pip-audit
3 participants
@di @woodruffw @tetsuo-cpp