Open woodruffw opened 2 years ago

Comment: In https://github.com/di/pip-api/pull/138/ I made a `pip_api.VENDORED` flag; I would imagine we would do something similar here and could gate functionality on that. I'm not sure it needs to be specific to who has vendored us.
Breakout from https://github.com/trailofbits/pip-audit/issues/335: we need to design an ergonomic "feature gate" scheme for `pip-audit`, to handle the following deployments:

- `python -m pip install pip-audit` (and all third-party packages): support for SBOM generation, the OSV vulnerability service, etc.
- `pip audit`: no support for `-s osv`, `--format=spdx-...`, etc.

Some ideas:

- `osv` and `spdx` extras that `pip install` would activate by default. Unfortunately, default extras are currently not possible.
- `pip_audit.VENDORED_INTO_PIP`, which we then just use to remove a handful of CLI options and prevent importing `pip_audit._format.cyclonedx`.
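The second idea above, a module-level flag that strips CLI options and keeps optional formatter modules from being imported, sketched as an added example. This is not pip-audit's code: the flag name `VENDORED_INTO_PIP`, the service and format names, the `build_parser`/`render` helpers and the sample results are all assumptions made here for illustration.

```python
"""Feature-gate sketch for a CLI that is also vendored into another tool.

Added example, not pip-audit's code. Assumed names: VENDORED_INTO_PIP,
the service/format tables below, and the helper functions.
"""
import argparse
import json
from typing import Callable, Dict, List

# Assumption: a full install (`python -m pip install pip-audit`) leaves this
# False; a vendoring step would patch it to True before the CLI is built.
VENDORED_INTO_PIP = False

# name -> gated?  (gated features are dropped when vendored)
_SERVICES: Dict[str, bool] = {"pypi": False, "osv": True}
_FORMATS: Dict[str, bool] = {
    "columns": False,
    "json": False,
    "cyclonedx-json": True,
    "spdx-json": True,
}


def available_services(vendored: bool = VENDORED_INTO_PIP) -> List[str]:
    """Services the CLI may expose in this deployment."""
    return [name for name, gated in _SERVICES.items() if not (vendored and gated)]


def available_formats(vendored: bool = VENDORED_INTO_PIP) -> List[str]:
    """Output formats the CLI may expose in this deployment."""
    return [name for name, gated in _FORMATS.items() if not (vendored and gated)]


def build_parser(vendored: bool = VENDORED_INTO_PIP) -> argparse.ArgumentParser:
    """Build the argument parser with only the options this deployment allows.

    Using `choices` means `-s osv` is rejected at parse time when vendored,
    so the gated code path is never reachable from the command line.
    """
    parser = argparse.ArgumentParser(prog="pip audit" if vendored else "pip-audit")
    parser.add_argument(
        "-s", "--vulnerability-service",
        choices=available_services(vendored), default="pypi",
    )
    parser.add_argument(
        "-f", "--format", choices=available_formats(vendored), default="columns",
    )
    return parser


# Formatters that are cheap and always present.
def _format_columns(results: List[dict]) -> str:
    return "\n".join(f"{r['name']} {r['version']} {','.join(r['vulns'])}" for r in results)


def _format_json(results: List[dict]) -> str:
    return json.dumps(results, sort_keys=True)


def _load_formatter(fmt: str, vendored: bool) -> Callable[[List[dict]], str]:
    """Resolve a formatter lazily so gated modules are only imported on demand.

    The gated branches stand in for `from ._format import cyclonedx` style
    imports (hypothetical here); they are unreachable when vendored.
    """
    if fmt not in available_formats(vendored):
        raise ValueError(f"format {fmt!r} is not available in this deployment")
    if fmt == "columns":
        return _format_columns
    if fmt == "json":
        return _format_json
    # Placeholder for the heavyweight SBOM formatters that would be imported
    # here in the full install; never reached when vendored.
    return lambda results: json.dumps({"bomFormat": fmt, "components": results})


def render(results: List[dict], fmt: str, vendored: bool = VENDORED_INTO_PIP) -> str:
    """Format audit results, enforcing the gate regardless of how fmt was chosen."""
    return _load_formatter(fmt, vendored)(results)


# Constructed sample results (not real audit output).
SAMPLE_RESULTS = [
    {"name": "examplepkg", "version": "1.0.0", "vulns": ["EXAMPLE-ID-0001"]},
]

if __name__ == "__main__":
    ns = build_parser().parse_args()
    print(render(SAMPLE_RESULTS, ns.format))
```

The gate is applied twice on purpose: once in `build_parser`, so the vendored `pip audit` help text and option parsing never mention the dropped features, and once in `render`, so code that reaches the formatter by some other route still cannot pull in the gated module.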