regro / cf-scripts

Flagship repo for cf-regro-autotick-bot

ENH: check for security updates with safety/pyup #470

Open westurner opened 5 years ago

westurner commented 5 years ago

Could the bot also check for security-related updates with the https://pyup.io safetydb JSON?

From https://mail.python.org/archives/list/distutils-sig@python.org/message/TSHUCVYXEYM5YMLQTNMRP76JK4GD3T2A/ :

Is this the same data that pipenv/safety retrieves from pyup? https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json

https://pipenv.readthedocs.io/en/latest/advanced/#detection-of-security-vulnerabilities :

Note: In order to enable this functionality while maintaining its permissive copyright license, pipenv embeds an API client key for the backend Safety API operated by pyup.io rather than including a full copy of the CC-BY-NC-SA licensed Safety-DB database. This embedded client key is shared across all pipenv check users, and hence will be subject to API access throttling based on overall usage rather than individual client usage.

You can also use your own safety API key by setting the environment variable PIPENV_PYUP_API_KEY.

https://github.com/pypa/pipenv/blob/master/pipenv/patched/safety/cli.py :

    vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_ids=ignore)
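To make the request concrete, here is an added example (not code from cf-scripts, pipenv or pyup/safety) of the kind of offline check the bot could run: it takes a safety-db style JSON feed, keyed by package name with a list of advisories carrying "specs" version ranges and an "id", and reports which pinned versions fall inside an advisory range. The feed below is a constructed sample in that layout (ids, CVE numbers and versions are made up), and the stdlib-only version comparator is an assumption standing in for a real specifier library, so the script runs without network access.

```python
"""Match pinned package versions against a safety-db style JSON feed.

Added example, not code from cf-scripts or pyup/safety. It assumes the
insecure_full.json layout {package: [{"specs": [...], "id": ..., "cve": ...}]}
and uses a small stdlib-only version comparator so it runs offline.
"""
import json
import re

# Constructed sample in the safety-db shape; ids, CVEs and versions are invented.
SAMPLE_DB = json.loads("""
{
  "requests": [
    {"advisory": "Constructed advisory: fixed in 2.20.0",
     "cve": "CVE-0000-0000", "id": "pyup.io-00001",
     "specs": ["<2.20.0"], "v": "<2.20.0"}
  ],
  "django": [
    {"advisory": "Constructed advisory for the 2.1 series before 2.1.5",
     "cve": "CVE-0000-0001", "id": "pyup.io-00002",
     "specs": [">=2.1,<2.1.5"], "v": ">=2.1,<2.1.5"},
    {"advisory": "Constructed advisory for 1.11 before 1.11.18",
     "cve": "CVE-0000-0002", "id": "pyup.io-00003",
     "specs": [">=1.11,<1.11.18"], "v": ">=1.11,<1.11.18"}
  ]
}
""")

# Comparison operators that appear in safety-db "specs" clauses.
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Turn '2.1.5' into an int tuple, zero-padded so '2.1' equals '2.1.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def spec_matches(spec, version):
    """True when `version` satisfies a comma-joined spec such as '>=2.1,<2.1.5'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_vulnerabilities(db, packages, ignore_ids=()):
    """Return [(package, version, advisory_id, cve)] for every matching advisory.

    `packages` is {name: version}; `ignore_ids` mirrors safety's ignore list.
    Lookups are case-insensitive because PyPI project names are.
    """
    index = {name.lower(): entries for name, entries in db.items()}
    hits = []
    for name, version in packages.items():
        for entry in index.get(name.lower(), []):
            if entry["id"] in ignore_ids:
                continue
            if any(spec_matches(spec, version) for spec in entry["specs"]):
                hits.append((name, version, entry["id"], entry.get("cve")))
    return hits


if __name__ == "__main__":
    # Constructed pins standing in for a feedstock's requirements.
    feedstock = {"requests": "2.18.4", "Django": "2.1.3", "numpy": "1.16.0"}
    for hit in find_vulnerabilities(SAMPLE_DB, feedstock):
        print("%s %s matches %s (%s)" % hit)
```

Against a real feed the bot would pass the package/version pairs it already tracks for each feedstock and the advisory ids a maintainer has chosen to ignore; a hit would then justify opening a version-bump PR that names the advisory.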

scopatz commented 5 years ago

It certainly could. Pull requests welcome!

westurner commented 5 years ago

I'm not sure when I'll be able to get to this feature idea. Hopefully someone else can in the meantime.

Thanks for this service!

(GitHub may be able to raise the API limit for this generous and essential service)

On Saturday, March 2, 2019, Anthony Scopatz notifications@github.com wrote:

It certainly could. Pull requests welcome!
