Report yanked versions of packages #381
Is your feature request related to a problem? Please describe.

My requirements.txt contained a yanked version of cryptography. pip-audit did not warn about this.

Describe the solution you'd like

If possible pip-audit should (maybe optionally) warn/report yanked package versions. pip itself already warns about it when installing the package:

Describe alternatives you've considered

I did not consider any alternatives as none were obvious to me at first glance.

Additional context

Thank you for this great tool.

Comments

Thanks for the report! To clarify: you'd like

Thinking out loud: we can do this via the PEP 503 API, since it includes a

We might want to stuff this behind another auditing flag; something like

Yes, that is exactly what I want. 😃

Excellent, thanks for confirming 🙂 CC @di and @tetsuo-cpp any objections to this functionality? IMO we should put it behind a flag, but otherwise I think it's a good addition.

I think as long as this is opt-in, it's fine by me (since yanking does not necessarily mean there is a security issue, and this is primarily a security tool).

Yep, agreed about opt-in. I'll take a stab at this in a bit. (Thinking about it more, IMO we shouldn't have

Edit: Hmm, it's not 100% clear where this should go in

Edit 2: The data model is also a little murky here: individual distributions are marked as yanked, despite "yanking" being a thing that happens to entire versions. Actually, never mind, the JSON API shows a top-level

I took an initial stab at this (https://github.com/pypa/pip-audit/compare/ww/yanked), but a couple of issues arose:
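As an added example, not pip-audit's own code and not from anyone in this thread: a stand-alone sketch of the check the thread discusses, reading each pinned project's Simple API page (PEP 503) and looking for the per-file data-yanked attribute that PEP 592 added to it. It also shows the data-model wrinkle raised above, since yanking marks individual files while the pin names a version, so it counts yanked files against all files for that version. The index pages, project versions, URLs, hash fragments and yank reasons below are constructed for the example; the requirements parser handles exact pins only, and pip-audit's real implementation may differ.

```python
"""Added example (not pip-audit's code): flag pinned requirements whose
version is yanked, using the PEP 592 data-yanked attribute on a PEP 503
Simple API page.  All sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Version from a distribution filename:
#   wheel: {name}-{version}(-{build})?-{py}-{abi}-{plat}.whl
#   sdist: {name}-{version}.tar.gz | .zip
_WHEEL_RE = re.compile(r"^[^-]+-(?P<version>[^-]+)-.*\.whl$")
_SDIST_RE = re.compile(r"^.+?-(?P<version>[^-]+)\.(?:tar\.gz|zip)$")


@dataclass(frozen=True)
class IndexFile:
    filename: str
    version: str | None  # None if the filename is not a wheel/sdist we recognise
    yanked: bool         # data-yanked attribute present (PEP 592)
    reason: str          # its value, or "" for a bare data-yanked


@dataclass(frozen=True)
class Finding:
    project: str
    version: str
    yanked_files: int
    total_files: int
    reason: str


class _SimpleIndexParser(HTMLParser):
    """Collect every <a> on a Simple API page together with its data-yanked attribute."""

    def __init__(self) -> None:
        super().__init__()
        self._anchor: tuple[bool, str] | None = None  # (yanked, reason) while inside <a>
        self.files: list[IndexFile] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            d = dict(attrs)  # a bare attribute (no value) comes through as None
            self._anchor = ("data-yanked" in d, d.get("data-yanked") or "")

    def handle_data(self, data):
        name = data.strip()
        if self._anchor is not None and name:
            yanked, reason = self._anchor
            m = _WHEEL_RE.match(name) or _SDIST_RE.match(name)
            self.files.append(IndexFile(name, m.group("version") if m else None, yanked, reason))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None


def index_files(simple_index_html: str) -> list[IndexFile]:
    parser = _SimpleIndexParser()
    parser.feed(simple_index_html)
    parser.close()
    return parser.files


def parse_pins(requirements_txt: str) -> dict[str, str]:
    """Exact pins (name==version) only; comments and other specifiers are skipped."""
    pins: dict[str, str] = {}
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def audit_yanked(pins: dict[str, str], index_pages: dict[str, str]) -> list[Finding]:
    """One Finding per pin whose version has at least one yanked file.
    Yanking applies to a whole release, so yanked_files == total_files is the
    normal case; a partial count is worth a second look.  Projects missing from
    index_pages are skipped (the offline stand-in for a 404)."""
    findings: list[Finding] = []
    for project, version in pins.items():
        page = index_pages.get(project)
        if page is None:
            continue
        files = [f for f in index_files(page) if f.version == version]
        yanked = [f for f in files if f.yanked]
        if yanked:
            reasons = sorted({f.reason for f in yanked if f.reason})
            findings.append(Finding(project, version, len(yanked), len(files),
                                    "; ".join(reasons) or "no reason given"))
    return findings


# Constructed sample input: hypothetical versions, URLs, hashes and reasons.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
cryptography==1.2.3   # hypothetical yanked version
otherpkg==0.9.0
"""

SAMPLE_INDEX_PAGES = {
    "cryptography": """<!DOCTYPE html><html><body>
<a href="https://files.example.invalid/cryptography-1.2.3-py3-none-any.whl#sha256=PLACEHOLDER"
   data-yanked="superseded by 1.2.4 (constructed reason)">cryptography-1.2.3-py3-none-any.whl</a><br/>
<a href="https://files.example.invalid/cryptography-1.2.3.tar.gz#sha256=PLACEHOLDER"
   data-yanked>cryptography-1.2.3.tar.gz</a><br/>
<a href="https://files.example.invalid/cryptography-1.2.4.tar.gz#sha256=PLACEHOLDER">cryptography-1.2.4.tar.gz</a><br/>
</body></html>""",
    "otherpkg": """<!DOCTYPE html><html><body>
<a href="https://files.example.invalid/otherpkg-0.9.0.tar.gz#sha256=PLACEHOLDER">otherpkg-0.9.0.tar.gz</a><br/>
</body></html>""",
}

if __name__ == "__main__":
    for f in audit_yanked(parse_pins(SAMPLE_REQUIREMENTS), SAMPLE_INDEX_PAGES):
        print(f"WARNING: {f.project}=={f.version} is yanked "
              f"({f.yanked_files}/{f.total_files} files): {f.reason}")
```

Run against the constructed input, this reports cryptography==1.2.3 with both of its files yanked and the reason taken from the wheel's data-yanked value, while 1.2.4 and otherpkg produce nothing. A yanked version is not by itself a vulnerability, which is why the thread agrees the check belongs behind an opt-in flag; the per-file counts are there so a partially yanked release, which the Simple API can express but a whole-release yank never produces, stands out rather than being silently folded in.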