jazzband / pip-tools

A set of tools to keep your pinned Python dependencies fresh.
https://pip-tools.rtfd.io
BSD 3-Clause "New" or "Revised" License

[Security Practice] pip-tools should not store API tokens/any credentials in generated lockfiles #1873

Open spstarr opened 1 year ago

spstarr commented 1 year ago

When generating hashed pypi dependencies with pip-tools, I notice it wants to write API tokens into those lock files.

This is not a good idea as a developer can write that to their code repository.

Shouldn't this be stripped from the lockfile?

Thanks, Shawn
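One way to catch the problem described above before a lockfile is committed, as an added example that is not part of this issue or of pip-tools itself: scan a `pip-compile` output for index/find-links URLs that carry userinfo (`scheme://user:token@host/...`), report them by line number with the secret already removed, and return a redacted copy. The sample lockfile is constructed for the example; the `--hash` value is a placeholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches any URL whose authority part has userinfo, e.g. https://user:token@host/path.
# The userinfo class excludes '/', '?', '#', so "https://host/p?x=a@b" is not matched.
CRED_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s/?#@]+@[^\s]+")


def redact_url(url: str) -> str:
    """Return the URL with the user:token part dropped; unchanged if it has none."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    # Keep host (and port, or IPv6 brackets) exactly as written after the '@'.
    netloc = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_lockfile(text: str):
    """Scan requirements/lockfile text for embedded credentials.

    Returns (redacted_text, findings) where findings is a list of
    (line_number, redacted_url); the secret itself is never reported.
    """
    findings = []
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), 1):
        def _redact(match):
            clean = redact_url(match.group(0))
            findings.append((lineno, clean))
            return clean
        out_lines.append(CRED_URL_RE.sub(_redact, line))
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out_lines) + trailing, findings


# Constructed sample of what a pip-compile output with a private index can look like.
CONSTRUCTED_LOCKFILE = """\
#
# This file is autogenerated by pip-compile with Python 3.11
#
--index-url https://__token__:pypi-EXAMPLE-TOKEN@pypi.example.internal/simple
--extra-index-url https://pypi.org/simple

requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    redacted, found = scan_lockfile(CONSTRUCTED_LOCKFILE)
    for lineno, url in found:
        print(f"line {lineno}: credential found in index URL, redacted to {url}")
```

Running this as a pre-commit or CI check fails the build when `found` is non-empty; pip-compile's own `--no-emit-index-url` option avoids writing index URLs into the output in the first place.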

atugushev commented 1 year ago

Hey @spstarr,

Thanks for the issue! Yes, the API tokens should be stripped. Could you provide an example of your lock file with masked sensitive data?

atugushev commented 1 year ago

@chrysle FYI removed the hashes label since it's related to --generate-hashes functionality.