-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
requirement, pypi: Add a --require-hashes flag #229
Conversation
This needs cleanup + testing + doc but I wanted to engage early on this one since the intended behaviour isn't straightforward. @di You mentioned that the I was also wondering how hashes should work when the |
This is an indirect answer to both: we can skip dependency resolution entirely, since
In other words: our requirements parser in (Looking at things more, I'm not actually sure that we need the |
Ah! Right, I misunderstood the
I think it's still important because your file may not have ANY hashes in it. If you pass in |
Ah! You're absolutely right. Yes, we need it for that case. |
Thinking about this more, I think we still need to do dependency resolution, and ensure that we have hashes for all subdependencies, because this is what
Agreed! |
Can we leave that validation to |
I'm inclined to agree with this, although it does deviate our handling of Thoughts @di? |
Co-authored-by: William Woodruff <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall structure LGTM here!
I suppose the |
### Added * CLI: The `--fix` flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available ([#212](pypa/pip-audit#212), [#222](pypa/pip-audit#222)) * CLI: The combination of `--fix` and `--dry-run` is now supported, causing `pip-audit` to perform the auditing step but not any resulting fix steps ([#223](pypa/pip-audit#223)) * CLI: The `--require-hashes` flag has been added which can be used in conjunction with `-r` to check that all requirements in the file have an associated hash ([#229](pypa/pip-audit#229)) * CLI: The `--index-url` flag has been added, allowing users to use custom package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) * CLI: The `--extra-index-url` flag has been added, allowing users to use multiple package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) ### Changed * `pip-audit`'s minimum Python version is now 3.7. * CLI: The default output format is now correctly pluralized ([#221](pypa/pip-audit#221)) * Output formats: The SBOM output formats (`--format=cyclonedx-xml` and `--format=cyclonedx-json`) now use CycloneDX [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/) ([#216](pypa/pip-audit#216)) * Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI ([#229](pypa/pip-audit#229)) * Vulnerability sources: `pip-audit` now uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format ([#232](pypa/pip-audit#232)) * CLI: `pip-audit` now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally ([#240](pypa/pip-audit#240)) ### Fixed * CLI: A regression causing excess output during `pip audit -r` was fixed ([#226](pypa/pip-audit#226))
Closes #172
pip-api
version