Open oliverchang opened 1 year ago
Another option would be to require hashes to be specified; this ensures that the requirements file is fully resolved (because all dependencies must have hashes specified), and this dependency resolution is unnecessary.
Or use pip-compile, which introduces pip-tools as a dependency instead: https://github.com/jazzband/pip-tools @oliverchang
This issue has not had any activity for 60 days and will be automatically closed in two weeks
Maybe deps.dev can be used here. @oliverchang
We are planning to leverage deps.dev for this, similar to how we now support transitive resolution for Maven.
Currently requirements.txt parsing does not resolve the full dependency graph. One option here may be to integrate pip-audit into this tool (though that introduces an external dependency from a different ecosystem).