The Poetry export plugin will soon no longer be part of the default Poetry install.
This, combined with the fact that we are not auditing dev dependencies due to an old (and since resolved) issue, suggests that we should avoid using `poetry export` altogether.
@daniel-makerx suggests that we could just run `poetry run pip-audit`, so that pip-audit audits the packages installed in the Poetry environment directly instead of an exported requirements file.
It will be up to each user of this template to define a strategy for dealing with dependencies that have known vulnerabilities but no available fix (e.g. block merging the PR, pass `--ignore-vuln` for accepted findings, ...).
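One way to make that per-project strategy explicit, as an added example that is not part of this template or of pip-audit: run `poetry run pip-audit --format=json --output=audit.json` in CI, then pass the JSON report through a small gate script that fails the job on any finding that has a fixed release, treats findings with no fix as either blocking or warn-only depending on a project setting, and skips IDs the project has consciously accepted (the same IDs one would pass to `--ignore-vuln`). The report layout (`dependencies[].vulns[].{id,fix_versions,aliases}`) follows pip-audit's JSON output as I know it; the sample report, package names and vulnerability IDs below are constructed placeholders, not real findings.

```python
"""Policy gate over a pip-audit JSON report (added example, not template code).

Typical CI usage, after `poetry run pip-audit --format=json --output=audit.json`:
    python audit_gate.py audit.json
Exit status 0 means the policy passed, 1 means the PR should be blocked.
"""
import json
import sys

# Vulnerability IDs (or aliases) the project has consciously accepted, e.g.
# because upstream has not released a fix yet. Hypothetical placeholder value;
# in a real project this list would live in version control next to the
# justification for each entry and be reviewed periodically.
ACCEPTED_VULNS = {"CVE-0000-0003"}

# Policy knob: should vulnerabilities with no fixed release block the PR?
BLOCK_UNFIXED = True

# Constructed sample report in pip-audit's JSON shape (assumed layout):
# one fixable finding, one with no fix, one accepted, and one clean package.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "libfoo", "version": "1.0.0", "vulns": [
            {"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-0001"], "description": "constructed"}]},
        {"name": "libbar", "version": "2.3.0", "vulns": [
            {"id": "EXAMPLE-0002", "fix_versions": [], "aliases": [],
             "description": "constructed, no fixed release yet"}]},
        {"name": "libbaz", "version": "0.9.0", "vulns": [
            {"id": "EXAMPLE-0003", "fix_versions": [],
             "aliases": ["CVE-0000-0003"], "description": "constructed, accepted"}]},
        {"name": "clean", "version": "1.0.0", "vulns": []},
    ],
    "fixes": [],
}


def classify(report: dict, accepted: frozenset = frozenset()) -> dict:
    """Sort every finding into one of three buckets.

    fixable: a fixed release exists, so the dependency should be bumped.
    unfixed: no fix_versions listed and the ID is not on the accepted list.
    ignored: the ID (or one of its aliases) is on the accepted list.
    Each entry is (package, installed_version, vuln_id, fix_versions).
    """
    buckets = {"fixable": [], "unfixed": [], "ignored": []}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            fixes = list(vuln.get("fix_versions", []))
            entry = (dep["name"], dep["version"], vuln["id"], fixes)
            if ids & set(accepted):
                buckets["ignored"].append(entry)
            elif fixes:
                buckets["fixable"].append(entry)
            else:
                buckets["unfixed"].append(entry)
    return buckets


def ignore_flags(accepted) -> list:
    """Equivalent pip-audit command-line flags for the accepted IDs."""
    return [arg for vid in sorted(accepted) for arg in ("--ignore-vuln", vid)]


def gate(report: dict, accepted=frozenset(), block_unfixed: bool = True) -> int:
    """Return the exit code the CI job should use for this report."""
    b = classify(report, frozenset(accepted))
    if b["fixable"] or (block_unfixed and b["unfixed"]):
        return 1
    return 0


def main(argv) -> int:
    report = SAMPLE_REPORT if len(argv) < 2 else json.load(open(argv[1]))
    b = classify(report, frozenset(ACCEPTED_VULNS))
    for label in ("fixable", "unfixed", "ignored"):
        for name, ver, vid, fixes in b[label]:
            fix = f"fix in {', '.join(fixes)}" if fixes else "no fix available"
            print(f"[{label}] {name} {ver}: {vid} ({fix})")
    code = gate(report, ACCEPTED_VULNS, BLOCK_UNFIXED)
    print("policy:", "BLOCK" if code else "PASS")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With `BLOCK_UNFIXED = False` the script reproduces the "warn but merge" strategy; with it set to `True` it reproduces "prevent merging the PR". Either way, a finding that already has a fixed release always blocks, because there is no reason to carry it.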