-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Capture more auditing metadata in the lock file #1886
Comments
@ncoghlan my rough understanding of the underlying implementation is that For Possibly we would want to store for each package then: Requirement metadata is out of scope I realize, just tossing it in as a piece of the data structure puzzle as we think about the hierarchy |
Checking "What's the latest available version?" should only need a single query to the index server's simple API per package, so building a list of outdated packages should be much cheaper than actually resolving those versions. I agree it would be more expensive than skipping build that list, though. The "operate-without-a- |
I've been thinking about this general question of "assessing lockfile freshness" a bit, and realised that another useful date to track would be when pinned dependencies were last checked for security vulnerabilities. I think if we had a well-defined concept of what it meant for a lock file to be "fresh" or "stale", then we could potentially warn about stale lock files when relying on them, and recommend running And given that kind of warning on |
How often would we recommend that I wonder? |
I'm not sure, as the most suitable default varies based on the kind of code you're writing. However, my initial inclination would be towards emitting a warning after something like 90 days (~3 months) or 180 days (~6 months), as "You should check your dependencies for security vulnerabilities at least 2-4 times a year" seems like a pretty reasonable maintenance recommendation to me. While it's honestly a bit low for full-time professional software development, it's much higher than is typical for hobbyist projects, and should also be manageable for work projects that are nevertheless a sideline to someone's main job.
|
(From #1865 (comment))
The
--keep-outdated
and--pre
options topipenv lock
mean that re-runningpipenv lock
without those options may result in a different lock file.Lock file generation is also inherently time dependent: if you want to recreate a previously locked lock file from a given
Pipfile
, you need to exclude any releases that weren't available at the time that lock file was generated.I believe adding the following three fields to the lock files
_meta
section would provide enough info to allow a historical lock file to be reconstructed:locked_at
: when thePipfile.lock
was generated (so an auditing and/or recreation tool knows to exclude any releases made after that date and time)kept_versions
: which versions in the current lock file have been retained from a previous version of the lock file by--keep-outdated
(a list of package names would suffice, since the exact versions are down in the package entries)prereleases_allowed
: boolean settingAlthough, given
--keep-outdated
, perhaps thelocked_at
metadata should be on the individual entries? Then it could be carried forward to each new version, and the lock file would inherently track how long it had been since each dependency had been updated.Alternatively, instead of a
kept_versions
field, there could be anoutdated_versions
field that recorded which packages had newer versions available at the time the lock file was generated that met thePipfile
constraints, but had been ignored due to--keep-outdated
.The text was updated successfully, but these errors were encountered: