Open albertodiazdorado opened 2 months ago
> Disclaimer: This is only a question. I looked for a Slack or Discord space but could not find any, hence I am coming here. Please let me know if there's a better way of asking questions.

We don't use any of these at the moment, so opening here is fine! Thanks for filling out the issue fields, we appreciate it.
> Is it possible, somehow, to have `pip-audit` scan not only the dependencies of my project as per `pyproject.toml`, but also include my dev dependencies?

Hmm, I don't believe we currently support this, but supporting it seems useful.

Do you have any proposals for an interface here? At the moment we only support `pyproject.toml` in "directory" mode (e.g. `pip-audit .`), so we'd probably need one or more flags or another way to signal the "extra" group to include in the audit.

One thing we could potentially do is use the same syntax as `pip`, e.g. `pip-audit .[dev]` to mean "audit the current directory, include the `dev` extra". I'd need to think a bit more about how feasible that is, but it'd probably be minimally disruptive + consistent with `pip`; I'm curious if you have other ideas as well :slightly_smiling_face:

(Separately: you probably already know this, but you can get the equivalent of this behavior by doing `pip install .[dev] && pip-audit` within your local environment.)
I believe that the best solution would be to have something like what `liccheck` already does. However, that's only possible once you can configure `pip-audit` via `pyproject.toml`, and we are not there yet. We'll have to wait until there's some progress on https://github.com/pypa/pip-audit/issues/694

If I were the maintainer, I wouldn't want to implement the command flag now (i.e. `pip-audit .[dev]`) only to have it become obsolete as soon as there is `pip-audit` configuration via `pyproject.toml`. So I would send the question back to you: how important do you consider providing `pip-audit` configuration via `pyproject.toml`? If you consider that important, then I would wait and do nothing regarding the scan of dev dependencies. If you consider that `pyproject.toml` support is not important and has very low priority in the roadmap, then I do like your proposal for the API :)

> (Separately: you probably already know this, but you can get the equivalent of this behavior by doing `pip install .[dev] && pip-audit` within your local environment.)

That's what I am planning to do for the time being. However, that's a very implicit solution that depends on previous shell commands, and since I am planning to use `pip-audit` in a pipeline, I'd rather have something more explicit & robust.

Thank you for the feedback!
> I believe that the best solution would be to have something like what `liccheck` already does. However, that's only possible once you can configure `pip-audit` via `pyproject.toml` and we are not there yet. We'll have to wait until there's some progress on #694

I'm not super familiar with `liccheck`, do you have a resource I can read on it?

Separately, I'm not sure this should be blocked on whatever we generalize in #694 🙂 -- that issue is about fully generalizing `pip-audit`'s various CLI flags into a `pip.conf`-esque configuration, while this is more constrained to something that already has a well-known idiom in `pip` (concretely, `.[extra]` is the "standard" syntax for adding optional dependencies during installation).

So TL;DR: I consider configuration important, but also "wiggly"/separate enough to not be worth blocking this on. Since `pip` already has a standard-ish syntax for this (and we already try to mimic `pip` in many ways), we should go ahead and just use the `.[extra]` syntax I think.
> I'm not super familiar with `liccheck`, do you have a resource I can read on it?

Sure, just go to the section "How to use" in the README and have a look at the example `pyproject.toml`. I am copying the relevant parts here. The main thing is the line `optional_dependencies = ["test"]`:

```toml
[tool.liccheck]
authorized_licenses = [
    "bsd",
    "apache",
    "apache 2.0",
    "mit",
]
unauthorized_licenses = [
    "gpl v3",
]
dependencies = true # to load [project.dependencies]
optional_dependencies = ["test"] # to load extras from [project.optional-dependencies]
```

Regarding your suggestion `pip-audit .[dev]`, I find it plenty reasonable. I don't think I will find time to implement it short term, sadly, but if I find time I could try to help.
Pre-submission checks

What's the problem this feature will solve?

Disclaimer: This is only a question. I looked for a Slack or Discord space but could not find any, hence I am coming here. Please let me know if there's a better way of asking questions.

Is it possible, somehow, to have `pip-audit` scan not only the dependencies of my project as per `pyproject.toml`, but also include my dev dependencies?

For reference, tools like `liccheck` (for license checking) allow users to include dev dependencies in the analysis like this:

Describe the solution you'd like

I'd love to be able to include dev dependencies in my scans

Additional context

No response