Read poetry.lock file #201
Comments
+1 on the feature request, I would love to have this as well. As a side note, from
If using pre-commit, here's a hook using the stdin approach @pawamoy described:

```yaml
- repo: local
  hooks:
    - id: python-safety-dependencies-check
      name: Run safety on project packages.
      entry: bash -c "poetry run pip freeze | poetry run safety check --stdin"
      pass_filenames: false
      language: system
```
Running the above command with the latest beta of poetry does not work.
and
Please ignore me. Not enough coffee before I start work… Safety was not installed. I shall go sit in a corner wearing a dunce hat. /sigh
It is clear there is work to be done here. One problem I see so far is that Safety was supposed to be using pyupio/dparse more than it is now, and such a library should indeed have Poetry support. The workaround looks great anyway!
For reference:
I'm now using
...instead.
You can run safety in an isolated environment, and still track it as a development dependency in Poetry:

```bash
# (steps to create and activate virtualenv omitted)
poetry export --dev --format=requirements.txt --output=requirements.txt
pip install --constraint=requirements.txt safety
safety check --file=requirements.txt
```

This works best when automated with Nox. Here is an article that describes the technique in more detail (disclaimer: I'm the author):
Having just found out about CVE-2020-5252, I'm migrating from installing safety into my poetry-managed environment to having it installed into a separate environment. In the process, I noticed that
When I use
I've double-checked and the Poetry-managed environment does contain

I was going to file a separate issue about this but I figured I should mention it in here, since proper support for Poetry would make a separate issue irrelevant.
@Franco0700 pls check this out, especially the last comment regarding poetry-audit.
Hi @pawamoy and everyone involved,

Thank you for your feature request and for your patience as we reviewed it. We're pleased to inform you that Safety now supports scanning poetry.lock files directly. This feature has been implemented to make it easier for users to check their dependencies without needing to install them first. You can now use the command

If you wish to specify a target directory for the Safety Scan, you can do so using the --target option, e.g.

If you have any further questions or encounter any issues, please let us know.

Best Regards,
Hi @dylanpulver, thanks a lot for the feature! Is there a migration path for users that used to run
I would like `safety` to be able to read dependencies from a `poetry.lock` file. It is written in TOML format. Here is an example of how a dependency is written:

Here is a complete file:
poetry.lock

Currently the only way to use `safety` when developing a project with `poetry` is to actually install the dependencies (which is costly in CI) and run something like:

I would like to be able to run directly `safety check -r poetry.lock` or something equivalent 🙂.