pip: Warn on vulnerable packages #81524

Closed
AndrewPennebaker mannequin opened this issue Jun 19, 2019 · 2 comments
Labels
type-security A security issue

Comments

AndrewPennebaker mannequin commented Jun 19, 2019

BPO 37343
Nosy @tirkarthi

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2019-06-19.19:03:18.195>
created_at = <Date 2019-06-19.18:50:21.046>
labels = ['type-security']
title = 'pip: Warn on vulnerable packages'
updated_at = <Date 2019-06-19.19:03:18.195>
user = 'https://bugs.python.org/AndrewPennebaker'

bugs.python.org fields:

activity = <Date 2019-06-19.19:03:18.195>
actor = 'brett.cannon'
assignee = 'none'
closed = True
closed_date = <Date 2019-06-19.19:03:18.195>
closer = 'brett.cannon'
components = []
creation = <Date 2019-06-19.18:50:21.046>
creator = 'Andrew Pennebaker'
dependencies = []
files = []
hgrepos = []
issue_num = 37343
keywords = []
message_count = 2.0
messages = ['346072', '346074']
nosy_count = 2.0
nosy_names = ['xtreak', 'Andrew Pennebaker']
pr_nums = []
priority = 'normal'
resolution = 'third party'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue37343'
versions = []

AndrewPennebaker mannequin commented Jun 19, 2019

Compared to pip, NPM warns users when a dependency subtree about to be installed includes known vulnerabilities. This helps devs catch security issues earlier, so they can update or replace critical dependencies.

Similarly, the dependency-check pip package offers the ability to detect pip dependencies with known vulnerabilities.

https://pypi.org/project/dependency-check/

Now that we have a workaround for warning on vulnerable pip packages, let's move this logic into the default pip install code, so that all Python devs are alerted on vulnerable dependencies.

@AndrewPennebaker AndrewPennebaker mannequin added the type-security A security issue label Jun 19, 2019
@tirkarthi (Member) commented:

Thanks for the report. pip development happens at https://github.com/pypa/pip/ where this could get better attention, since CPython just vendors the latest pip. pipenv does a similar check with the "pipenv check" command [0]. Similar issue on GitHub: pypa/pip#6087. I think this can be closed as a third-party issue.

[0] https://docs.pipenv.org/en/latest/#pipenv-check

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022