aswinnnn / pyscan

python dependency vulnerability scanner, written in Rust.
MIT License

Add support for constraints.txt #4

Closed sarimak closed 1 year ago

sarimak commented 1 year ago

Names and versions of Python packages can also be specified in a constraints.txt file, and pyscan doesn't detect it by name. Please also search for constraints.txt in addition to requirements.txt.

Workaround: ln -s constraints.txt requirements.txt; pyscan (both files use the same syntax)

Context: A monorepo containing several Python packages which need to be installable into the same virtual environment needs a central place for pinning the 3rd-party package versions (in addition to per-package setup.cfg/pyproject.toml). There is a standard mechanism for that: https://pip.pypa.io/en/stable/user_guide/#constraints-files
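The discovery the request asks for, shown as an added example that is not pyscan's own code: walk a tree for both file names, parse the shared pip syntax (comments, `-r`/`-c` options, extras, environment markers), and report only exact `==` pins. The monorepo layout and package names in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Both names use pip's line-based requirements syntax (constructed list; not pyscan's own code).
DEP_FILENAMES = {"requirements.txt", "constraints.txt"}

# name, optional [extras], then an exact pin, e.g. "requests[socks]==2.31.0 ; python_version>'3'"
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def parse_pins(text):
    """Return {normalized_name: version} for every '==' pin in a requirements/constraints file."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()          # drop trailing inline comments
        if not line or line.startswith(("#", "-")):    # blank, comment, or option (-r, -c, -e, --index-url)
            continue
        m = PIN_RE.match(line)
        if m:                                          # ranges like 'urllib3>=1.26' are not exact pins; skipped
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 name normalization
            pins[name] = m.group(2)
    return pins


def find_dependency_files(root):
    """Recursively collect every requirements.txt / constraints.txt below root."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name in DEP_FILENAMES)


def scan_tree(root):
    """Map each discovered file (path relative to root, POSIX style) to the pins it declares."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): parse_pins(p.read_text()) for p in find_dependency_files(root)}


def demo():
    """Build a constructed monorepo layout in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "pkg_a").mkdir()
        (base / "pkg_a" / "requirements.txt").write_text("requests>=2.0\n-c ../constraints.txt\n")
        (base / "constraints.txt").write_text("# central pins\nrequests==2.31.0\nDjango == 4.2.1  # web\n")
        return scan_tree(base)


if __name__ == "__main__":
    for path, pins in demo().items():
        print(path, pins)
```

The per-package requirements file yields no pins because its only dependency is a range; the central constraints.txt is where the exact versions a scanner should check actually live.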

aswinnnn commented 1 year ago

Sure, adding constraints.txt is feasible and can be worked on in the future. It's on the list.

aswinnnn commented 1 year ago

Hey, support has been added and is included in the latest version on both pypi and cargo. Thanks for the input!