safety
Would it make sense to add an option to ignore packages?
There recently was a vulnerability with pip that caused many of my pipelines to break. Those cases are about libraries/packages, so pip is not a direct dependency but is, of course, present in the environment. Since pip is not a direct dependency and I don't want to control my users' environments, the best option is to ignore checking pip. I know that I could generate a requirements file for my package and check that file, but that's cumbersome. Hence my question: just as we can ignore specific vulnerabilities, can't we have an option to ignore checking a package by name, please?
I was just thinking, maybe `pip freeze | safety check --stdin --full-report` is a quick solution?
I have the same problem with `pip` as @Midnighter, and their solution works well for `pip`.

But I would like to have the alternative to ignore any package (instead of just a vulnerability id). Something along the lines of:

```shell
safety check --ignore pip --ignore 42089
```

i.e. make `ignore` parse the value given and check if it's a number (i.e. a vulnerability id) or a string of chars (i.e. a package name).
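The two ideas in this thread, feeding `pip freeze` output to `safety check --stdin` and letting one `--ignore` flag take either a vulnerability id or a package name, can be tried today with a small pre-filter in front of safety. The script below is an added example written for this page; it is not part of the safety project and not code posted by anyone in the thread. It assumes the `--ignore` rule proposed above (all digits means a vulnerability id, anything else a package name), normalises package names the PEP 503 way so `Pillow`, `pillow` and `typing_extensions`/`typing-extensions` compare equal, and never calls safety itself. The script name `ignore_filter.py`, the `SAMPLE_FREEZE` lines and the ids in `demo()` are constructed for illustration.

```python
"""Pre-filter for `pip freeze` output before piping it into safety.

Added example for this issue thread, not safety's own code. Usage idea
(the safety flags are the ones quoted in the thread):

    pip freeze | python ignore_filter.py --ignore pip --ignore 42089 \
        | safety check --stdin --full-report --ignore 42089

Package names given to --ignore are dropped from the requirement list;
numeric values are collected as vulnerability ids so the caller can pass
them on to safety's own --ignore.
"""
import re
import sys
from typing import Iterable, List, Set, Tuple

# A frozen requirement looks like "name==1.2.3" or "name @ <url>".
# Comments, blank lines and editable "-e ..." installs do not match and
# are passed through untouched so safety still sees everything else.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|@)")
_VULN_ID_RE = re.compile(r"^[0-9]+$")

# Constructed sample of `pip freeze` output used by demo(); not real data.
SAMPLE_FREEZE = [
    "pip==21.0",
    "requests==2.25.1",
    "# pinned for the CI image",
    "-e git+https://example.invalid/repo.git#egg=mypkg",
    "Pillow==8.1.0",
    "typing_extensions==3.7.4",
]


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_ignores(values: Iterable[str]) -> Tuple[Set[int], Set[str]]:
    """Split mixed --ignore values into (vulnerability ids, package names).

    All-digit values are vulnerability ids, anything else is a package
    name. This is the rule proposed in the thread, not safety's semantics.
    """
    vuln_ids: Set[int] = set()
    packages: Set[str] = set()
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        if _VULN_ID_RE.match(value):
            vuln_ids.add(int(value))
        else:
            packages.add(normalize_name(value))
    return vuln_ids, packages


def filter_requirements(lines: Iterable[str], ignored_packages: Set[str]) -> List[str]:
    """Return the requirement lines whose package is not in ignored_packages."""
    ignored = {normalize_name(p) for p in ignored_packages}
    kept: List[str] = []
    for line in lines:
        match = _REQ_RE.match(line)
        if match and normalize_name(match.group(1)) in ignored:
            continue  # skip this package entirely, as requested
        kept.append(line.rstrip("\n"))
    return kept


def demo() -> Tuple[Set[int], List[str]]:
    """Run the filter over SAMPLE_FREEZE with the thread's example ignores."""
    vuln_ids, packages = split_ignores(["pip", "42089", "Typing-Extensions"])
    return vuln_ids, filter_requirements(SAMPLE_FREEZE, packages)


def main(argv: List[str]) -> int:
    """Read `pip freeze` output on stdin, write the filtered list to stdout."""
    ignores: List[str] = []
    i = 0
    while i < len(argv):
        if argv[i] == "--ignore" and i + 1 < len(argv):
            ignores.append(argv[i + 1])
            i += 2
        else:
            sys.stderr.write(f"usage: {sys.argv[0]} [--ignore NAME_OR_ID]...\n")
            return 2
    vuln_ids, packages = split_ignores(ignores)
    for line in filter_requirements(sys.stdin, packages):
        sys.stdout.write(line + "\n")
    if vuln_ids:  # remind the caller which ids still go to safety itself
        sys.stderr.write("vulnerability ids to pass to safety --ignore: "
                         + " ".join(str(v) for v in sorted(vuln_ids)) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the filter only touches lines it can parse, anything unusual in the freeze output (editable installs, comments, direct URL references) still reaches safety unchanged; the failure mode to avoid is a filter that silently hides packages it did not understand.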
Hitting this with the latest `pip` version 🙄