pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0
980 stars 62 forks

Support auditing sub-dependencies of individual projects #81

Open di opened 3 years ago

di commented 3 years ago

As a project maintainer, I'd like to be able to use pip-audit to audit the sub-dependencies of my project (likely by somehow evaluating my local source tree prior to building a distribution artifact).

E.g., I maintain https://github.com/pypa/sampleproject, which depends on peppercorn. A CVE is released for some version of peppercorn, and I need to adjust my sub-dependency specification to avoid installing affected versions.

di commented 3 years ago

We may choose to do this only via https://github.com/trailofbits/pip-audit/issues/83, or we may want to extend this to setup.cfg or non-static formats like setup.py.

woodruffw commented 2 years ago

Let's evaluate supporting this in the context of pyproject.toml (#83).

di commented 2 years ago

Command invocation for this would be something like

$ pip audit .
$ pip audit /path/to/source/tree

woodruffw commented 2 years ago

That makes sense!

Making sure that I understand the behavior here: how would we go about disambiguating the top-level project(s) from their sub-dependencies? Are you thinking that pip-audit . would behave similarly to pip install ., where we'd scan the target directory for Python packaging files (specifically, setup.py) and use those to distinguish the top-level package(s) from their dependencies?
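The behaviour sketched in this thread, written out as an added example that is not pip-audit's own code: scan a source tree for packaging files the way `pip install .` would, take the top-level project's `install_requires` from its `setup.cfg` (the setup.cfg route mentioned earlier in the thread, chosen here because it needs only the standard library), and report any sub-dependency version that is known to be affected yet is still permitted by the project's specifier. The `setup.cfg` contents, the project name and the list of affected `peppercorn` versions are all constructed for illustration and do not describe a real advisory; a real audit would query a vulnerability service and use `packaging.specifiers` rather than the minimal PEP 440 subset handled here.

```python
import configparser
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-in for a project's setup.cfg (not sampleproject's real file).
SAMPLE_SETUP_CFG = """\
[metadata]
name = sampleproject
version = 2.0.0

[options]
install_requires =
    peppercorn>=0.5,<0.7
    requests>=2.0
"""

# Constructed advisory data: versions we pretend are affected. Not real CVEs.
CONSTRUCTED_ADVISORIES: Dict[str, List[str]] = {"peppercorn": ["0.5", "0.6"]}

PACKAGING_FILES = ("pyproject.toml", "setup.cfg", "setup.py")
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def find_packaging_files(tree: str) -> List[str]:
    """Mirror what `pip install .` looks for: packaging files at the tree root."""
    return [f for f in PACKAGING_FILES if os.path.isfile(os.path.join(tree, f))]


def parse_setup_cfg(path: str) -> Tuple[str, List[str]]:
    """Return (project name, install_requires lines) from a setup.cfg."""
    cp = configparser.ConfigParser()
    cp.read(path)
    name = cp.get("metadata", "name")
    raw = cp.get("options", "install_requires", fallback="")
    return name, [ln.strip() for ln in raw.splitlines() if ln.strip()]


def split_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'peppercorn>=0.5,<0.7' -> ('peppercorn', [('>=', '0.5'), ('<', '0.7')]).
    Only plain numeric versions and comparison operators are handled."""
    m = _REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec = m.group(1).lower().replace("_", "-"), m.group(2)
    clauses = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        cm = _CLAUSE_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def compare_versions(a: str, b: str) -> int:
    """Compare dotted numeric versions; 0.6 equals 0.6.0, so pad with zeros."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def allowed(version: str, clauses: List[Tuple[str, str]]) -> bool:
    """True if `version` satisfies every clause (an empty spec allows anything)."""
    for op, pinned in clauses:
        c = compare_versions(version, pinned)
        if not {"==": c == 0, "!=": c != 0, "<": c < 0,
                "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def audit_requirements(reqs: List[str], advisories: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (dependency, version) pairs that are affected yet still installable."""
    findings = []
    for req in reqs:
        name, clauses = split_requirement(req)
        for bad in advisories.get(name, []):
            if allowed(bad, clauses):
                findings.append((name, bad))
    return findings


def audit_source_tree(tree: str, advisories: Dict[str, List[str]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Locate packaging files in `tree`, read the top-level project's deps, audit them."""
    files = find_packaging_files(tree)
    if "setup.cfg" not in files:
        raise FileNotFoundError(f"no setup.cfg in {tree}; found {files}")
    name, reqs = parse_setup_cfg(os.path.join(tree, "setup.cfg"))
    return name, audit_requirements(reqs, advisories)


def demo() -> Tuple[str, List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Write the constructed setup.cfg to a temp tree, audit it, then re-audit a tightened spec."""
    with tempfile.TemporaryDirectory() as tree:
        with open(os.path.join(tree, "setup.cfg"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SETUP_CFG)
        name, findings = audit_source_tree(tree, CONSTRUCTED_ADVISORIES)
    # Raising the lower bound past the affected releases is the maintainer's fix.
    fixed = audit_requirements(["peppercorn>=0.6.1,<0.7"], CONSTRUCTED_ADVISORIES)
    return name, findings, fixed


if __name__ == "__main__":
    project, before, after = demo()
    print(f"{project}: affected-but-installable before fix: {before}")
    print(f"{project}: after tightening specifier: {after}")
```

The point of auditing the specifier rather than an installed environment is visible in the output: `peppercorn>=0.5,<0.7` still admits the (constructed) affected releases even if the maintainer's own environment happens to have a clean one installed, and only narrowing the range clears the finding.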