search

pypa / pip

The Python package installer
https://pip.pypa.io/
MIT License
9.54k stars 3.04k forks source link

✨[Feature Request]: Filter pip install by Python Package Authority's Security Advisory Database.✨ #13066

Open galenseilis opened 2 weeks ago

galenseilis commented 2 weeks ago

What's the problem this feature will solve?

It would make a higher-level of package security a default.

Describe the solution you'd like

I would like pip to only download packages that do not have entries in the Python security advisory database by default.

When given a package name without a version I would like pip to filter out packages with security advisories as it searches for viable package versions. If none can be found, then stderr should indicate that.

If a package version is given, then the package should be installed if there is no security advisory, else give a stderr message.

An optional flag to override this behaviour would be appropriate for those that need to work with packages with security advisories, and for cybersecurity specialists they may need to be able to attempt downloading and installing such a package.

Alternative Solutions

There are other tools like PDM, UV, Hatch, and Poetry in which plugins can be written. I expect a plugin which does the security check first before attempting to add a package to a project would also work.

Another partial solution is to use the pip-audit pre-commit hook or github action. These automation tools will not always catch that there is an advisory on a package before it is installed, however.

Manually checking pip-audit is "ok", but the manual nature of it makes it less reliable.

Additional context

Security as a default is important for most organizations (e.g. healthcare), and I expect that most users won't mind it either.

I have made a nearly-identical request for uv to do the same thing. I tend to use pip a lot at work, and uv on personal projects. Security is important in my work (healthcare data science), so whichever supports it if the other doesn't is going to take priority in the future.

Code of Conduct

notatallshaw commented 2 weeks ago

There's a recent discussion and early implementation attempt at plugins here: https://github.com/pypa/pip/issues/12766 / https://github.com/pypa/pip/pull/12985

Otherwise, this could be implemented by providing a custom index server that filtered what versions of a package was available. I've not used it, but you could probably implement this using simple index. This would then work with all tools that allow specifying an index server (such as pip and uv).

I suspect as a feature for pip it's unlikely to gain much traction as there are limited volunteer resources and this isn't based on either a Python or a Packaging standard.

galenseilis commented 3 days ago

@notatallshaw Alright, thank you for sharing those resources with me!