Override URL for pypi service #684
Comments
Hi @MichelEdkrantz, thanks for the issue. I'm struggling to understand the goal here, though: do you issue vulnerability advisories for your internal, private packages? Would a method to suppress checks for a set of internal package names be sufficient here instead?

Hi, thanks for the quick feedback :) When pip-audit fails, it will output the issue and an additional table of all our internal packages that it could not find. This has been confusing for some of our developers, who are getting this feedback as part of our CI flow. Being able to suppress checks for packages that we know won't be in public PyPI would be good also, and would take us a long way. But this is harder for us in reality since we don't have a list readily available of all my org's public packages. For reference, we have an internal pypi proxy that we point pip install to, and have this either serve a private package or fall back to the public PyPI. Makes sense?
I understand this use case, but I think it probably implies a public stability contract that In other words: I think that allowing users to customize the vulnerability URL here would make other changes more burdensome for us down the line. Taking a step back: have you considered refactoring your
This would effectively avoid leaking any of your private package names to the public index, would avoid the confusing messages you're currently seeing, and wouldn't require any upstream changes to

Hi,

Glad to hear it!
Hi,
it would be very nice to be able to override the pypi vulnerability service url. There are multiple reasons:
The url is hard coded in the `query` method of the class `PyPIService` in https://github.com/pypa/pip-audit/blob/main/pip_audit/_service/pypi.py, making it hard to override.

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Add a config flag or env variable (whatever you prefer) to be able to use a custom service for PYPI_SERVER_URL:

```python
url = f"{PYPI_SERVER_URL}/{spec.canonical_name}/{str(spec.version)}/json"
```

Describe alternatives you've considered
`query` method

Additional context
Would be happy to submit a PR if you think this is a good idea 😄 Thanks!
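The two ideas discussed in this thread, a configurable base URL for the JSON lookup and a way to keep known-internal package names from being sent to (and reported as missing from) the public index, as an added example. This is not pip-audit's own code: `Spec`, `build_json_url`, `query_plan` and the sample package names are assumptions made for illustration; the only thing taken from the page is the `<base>/<name>/<version>/json` URL shape.

```python
"""Added example, not pip-audit code: configurable index URL plus an internal-name skip list.

Names here (Spec, build_json_url, query_plan, the sample packages) are assumptions
for illustration; only the <base>/<name>/<version>/json shape comes from the issue.
"""
from dataclasses import dataclass
from urllib.parse import quote, urlparse

# Public PyPI JSON API base; an operator could point this at an internal proxy instead.
PUBLIC_PYPI_JSON = "https://pypi.org/pypi"


@dataclass(frozen=True)
class Spec:
    """Minimal stand-in for a resolved dependency (hypothetical, not pip-audit's type)."""
    canonical_name: str
    version: str


def build_json_url(base_url: str, spec: Spec) -> str:
    """Return <base>/<name>/<version>/json for a given base URL.

    The base must be HTTPS with a host, so an override cannot silently downgrade
    vulnerability lookups to plaintext; name and version are percent-encoded so a
    crafted value cannot add path segments to the request.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS or malformed base URL: {base_url!r}")
    name = quote(spec.canonical_name, safe="")
    version = quote(spec.version, safe="")
    return f"{base_url.rstrip('/')}/{name}/{version}/json"


def query_plan(specs, internal_names, base_url=PUBLIC_PYPI_JSON):
    """Split specs into (URLs to query, internal names skipped).

    Internal names never reach the configured index, so they are neither leaked
    to a public service nor reported back as "not found".
    """
    internal = {n.lower() for n in internal_names}
    lookups, skipped = [], []
    for spec in specs:
        if spec.canonical_name.lower() in internal:
            skipped.append(spec.canonical_name)
        else:
            lookups.append(build_json_url(base_url, spec))
    return lookups, skipped


if __name__ == "__main__":
    # Constructed sample: one public dependency and one private package name.
    sample = [Spec("requests", "2.31.0"), Spec("acme-tools", "1.0")]
    urls, skipped = query_plan(sample, internal_names={"acme-tools"})
    print("lookups:", urls)
    print("skipped:", skipped)
```

Pointing `base_url` at an internal proxy (the reporter's setup) changes where the JSON is fetched from but not which names are sent; the skip list is what keeps private names out of any index the proxy falls back to.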