Hello,

We found that the pip detector returned incomplete dependencies or wrong versions under certain conditions. For instance,

```
numpy \
== \
1.19.2
```

is a legit `requirements.txt`, but CD finds the latest version 1.26.4.

Likewise, CD ignores the extras field like `fastapi[all]`, and some syntax like `-r other-requirements.txt` and `-c constraints.txt`.

Given how the go and maven detectors work, would it be better to incorporate something like `pip install -r requirements.txt --dry-run --ignore-installed --ignore-requires-python` for pip detection?
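The three parsing gaps the issue describes (backslash continuations, extras, and `-r` / `-c` includes) all come from treating each physical line of a requirements file as one requirement. The following added example is not component-detection's own code or pip's; it is a small stand-alone parser that handles those cases the way pip does: it joins continuation lines before matching, keeps the extras list, follows `-r` into other files, and treats `-c` files as constraints that only narrow packages that are actually required. The `FILES` mapping is a constructed stand-in for files on disk, and the `REQ_RE` regex, `Requirement` dataclass and `resolve` function are assumptions of this example, not APIs of either project.

```python
"""Requirements parsing that survives continuations, extras, -r and -c.

Added example, not component-detection or pip code. The FILES dict stands in
for a checkout on disk so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample files (not from the issue's repository).
FILES: Dict[str, str] = {
    "requirements.txt": (
        "numpy \\\n"
        "== \\\n"
        "1.19.2\n"
        "fastapi[all]>=0.100,<1  # extras must be kept\n"
        "-r other-requirements.txt\n"
        "-c constraints.txt\n"
    ),
    "other-requirements.txt": "requests==2.31.0\nurllib3\n",
    # A constraint for a package nobody requires must not add that package.
    "constraints.txt": "urllib3<2\npydantic<3\n",
}

# name, optional [extras], remaining text is the version specifier.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:\[(?P<extras>[^\]]*)\])?"
    r"\s*(?P<spec>.*)$"
)
COMMENT_RE = re.compile(r"(^|\s)#.*$")


@dataclass
class Requirement:
    name: str
    extras: List[str]
    specifier: str           # e.g. "==1.19.2"; empty when unpinned
    constraint: bool = False  # True when it came from a -c file


def normalize(name: str) -> str:
    """PEP 503 normalization so Numpy, numpy and NumPy compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations, then drop comments and blank lines.

    'numpy \\' + '== \\' + '1.19.2' becomes the single line 'numpy == 1.19.2',
    which is what pip sees and what a per-physical-line parser misses.
    """
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]          # keep the text, drop the backslash
            continue
        buf += raw
        line = COMMENT_RE.sub("", buf).strip()
        buf = ""
        if line:
            out.append(line)
    tail = COMMENT_RE.sub("", buf).strip()   # dangling continuation at EOF
    if tail:
        out.append(tail)
    return out


def parse(filename: str, files: Dict[str, str] = FILES,
          constraint: bool = False,
          seen: Optional[Set[str]] = None) -> List[Requirement]:
    """Parse one file, following -r and -c recursively (with a loop guard)."""
    seen = set() if seen is None else seen
    if filename in seen:
        return []
    seen.add(filename)
    reqs: List[Requirement] = []
    for line in logical_lines(files[filename]):
        if line.startswith(("-r ", "--requirement ")):
            reqs += parse(line.split(None, 1)[1], files, constraint, seen)
        elif line.startswith(("-c ", "--constraint ")):
            reqs += parse(line.split(None, 1)[1], files, True, seen)
        elif line.startswith("-"):
            continue   # other options (--index-url, -e, ...) out of scope here
        else:
            m = REQ_RE.match(line)
            if not m:
                raise ValueError(f"{filename}: cannot parse {line!r}")
            extras = [e.strip() for e in (m["extras"] or "").split(",") if e.strip()]
            reqs.append(Requirement(normalize(m["name"]), extras,
                                    m["spec"].replace(" ", ""), constraint))
    return reqs


def resolve(filename: str, files: Dict[str, str] = FILES
            ) -> Dict[str, Tuple[str, List[str]]]:
    """One (specifier, extras) entry per required package.

    Constraints only narrow packages that appear in a requirements line;
    a -c entry for an unrequired package is ignored, as pip does.
    """
    reqs = parse(filename, files)
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for r in reqs:
        if not r.constraint:
            spec, extras = pins.get(r.name, ("", []))
            spec = ",".join(s for s in (spec, r.specifier) if s)
            pins[r.name] = (spec, sorted(set(extras) | set(r.extras)))
    for r in reqs:
        if r.constraint and r.name in pins:
            spec, extras = pins[r.name]
            pins[r.name] = (",".join(s for s in (spec, r.specifier) if s), extras)
    return pins


if __name__ == "__main__":
    for name, (spec, extras) in resolve("requirements.txt").items():
        print(f"{name}{'[' + ','.join(extras) + ']' if extras else ''}{spec}")
```

Running it prints `numpy==1.19.2`, `fastapi[all]>=0.100,<1`, `requests==2.31.0` and `urllib3<2`; `pydantic` never appears because nothing requires it. Note that this only reproduces the file-level semantics; a `pip install --dry-run` as proposed above would additionally resolve transitive dependencies and markers, at the cost of contacting an index.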