```text
> poetry vet
...
👍 pexpect-4.9.0 matches exemption
👍 pkginfo-1.10.0 matches exemption
✅ platformdirs-4.2.0 passes our audit
✅ pluggy-1.4.0 passes our audit
✅ poetry-1.8.2 passes audit by TrustedOrg
✅ pyright-1.1.356 passes audit by OtherTrustedOrg
...
```
After details of the xz backdoor came out, I thought we needed better visibility into our dependency trees. This first iteration of `vet` is an MVP. Should `vet` accrue interest, next steps are:

- Support for auditing version deltas
- CLI tools for auditing and importing audits (instead of manual editing)
- More robust testing

If you're interested in `vet`, or more generally in securing software supply chains, reach out on Discord.
Depending on how you installed Poetry, you may need to install `vet` in a different way.

If you used the self-installer:

```shell
poetry self add vet
```

If you used pipx:

```shell
pipx inject poetry vet
```

If you used pip:

```shell
pip install vet
```

For more information and troubleshooting, see the Poetry plugin installation docs.
Initialize `vet` in your project:

```shell
poetry vet init
```

This creates a `chain-of-trust` directory in your project. See the generated README for more information on how to configure `vet`.
To audit your project dependencies, run:

```shell
poetry vet
```

Each dependency is vetted against one of two criteria: safe to run or safe to deploy. On initialization, every dependency already in `poetry.lock` is recorded as an exemption and deemed safe to run. An exemption grandfathers what was installed at the time; it is not an audit, so review those entries and replace them with real audits over time.

To vet dependencies as safe to deploy instead, run:

```shell
poetry vet --safe-to-deploy
```
For an example of how to run `vet` in GitHub CI, see the `ci.yml` file in this repository.
Modify the `config.toml` file as per the example in the generated README, then run:

```shell
poetry vet lock
```

This downloads the audits from the trusted sources specified in `config.toml` and stores them in the `import.lock` file.

Audit dependencies manually by adding entries to the `audits.toml` file as per the example in the generated README.