
Better support for transitive deps in Python (requirements.txt)

Open oliverchang opened this issue 3 years ago • 6 comments

Currently requirements.txt parsing does not resolve the full dependency graph.

One option here may be to integrate pip-audit into this tool (though that introduces an external dependency from a different ecosystem).

oliverchang avatar Dec 12 '22 03:12 oliverchang

Another option would be to require hashes to be specified; this ensures that the requirements file is fully resolved (because all dependencies must have hashes specified), and this dependency resolution is unnecessary.

di avatar Dec 19 '22 00:12 di
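One way to check the property the comment above relies on (every entry pinned with `==` and carrying `--hash` options, which is what pip's hash-checking mode enforces), as an added example that is not osv-scanner's code. It parses requirements.txt the way pip reads it (comment stripping, backslash continuation, option lines) and reports every line that would keep the file from being a fully resolved lock. The sample file, package names and digests are constructed placeholders, not data from this issue.

```python
"""Audit a requirements.txt for pip's hash-checking mode (added example)."""
import re

# pip treats '#' at line start or after whitespace as the start of a comment.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# name[extras]==version, stopping at whitespace or an environment marker (';').
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}

# Constructed sample (assumption, not from the issue). The digests are obviously
# fake placeholders of the right length for sha256 (64 hex characters).
FAKE_A, FAKE_B, FAKE_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_REQUIREMENTS = f"""\
# first two entries are resolved with hashes (pip-compile --generate-hashes style)
requests==2.31.0 \\
    --hash=sha256:{FAKE_A} \\
    --hash=sha256:{FAKE_B}
urllib3==2.0.7 \\
    --hash=sha256:{FAKE_C}
# last two are the unresolved forms this issue is about
certifi>=2023.7.22
idna
-r other-requirements.txt
"""


def logical_lines(text):
    """Strip comments and join backslash-continued lines, as pip does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def audit_requirements(text):
    """Return ({name: (version, [digests])}, [(line, problem)])."""
    pinned, problems = {}, []
    for line in logical_lines(text):
        if line.startswith("-"):
            # Option lines (-r, -e, --index-url, ...). A nested -r file needs the
            # same audit; an editable install can never be hash-checked.
            if line.startswith(("-e ", "--editable")):
                problems.append((line, "editable requirement cannot be hash-checked"))
            continue
        m = PIN_RE.match(line)
        if not m:
            problems.append((line, "not pinned with =="))
            continue
        name, version = m.group(1).lower(), m.group(3)
        if version.endswith(".*"):
            problems.append((line, "wildcard pin is not an exact version"))
            continue
        hashes = HASH_RE.findall(line)
        if not hashes:
            problems.append((line, "pinned but carries no --hash"))
            continue
        if any(len(digest) != HEX_LEN[alg] for alg, digest in hashes):
            problems.append((line, "malformed --hash digest"))
            continue
        pinned[name] = (version, [digest for _, digest in hashes])
    return pinned, problems


def is_fully_resolved(text):
    """True iff pip --require-hashes would accept every line of this file."""
    return not audit_requirements(text)[1]


if __name__ == "__main__":
    resolved, issues = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, (version, digests) in resolved.items():
        print(f"ok      {name}=={version} ({len(digests)} hash(es))")
    for line, why in issues:
        print(f"PROBLEM {line!r}: {why}")
    print("fully resolved:", is_fully_resolved(SAMPLE_REQUIREMENTS))
```

A scanner that only trusts a requirements file when `is_fully_resolved` holds never has to run a resolver: pip will refuse to install anything whose hash is missing or mismatched, so the pinned set is the complete dependency closure. Files that fail the check still need resolution (or a run of `pip-compile --generate-hashes`) before their transitive dependencies can be scanned.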

Or use pip-compile, which introduces pip-tools as a dependency instead: https://github.com/jazzband/pip-tools @oliverchang

h4sh5 avatar Jan 03 '23 04:01 h4sh5

Maybe deps.dev can be used here. @oliverchang

agmond avatar May 16 '23 13:05 agmond

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

github-actions[bot] avatar Jul 26 '24 18:07 github-actions[bot]

Maybe deps.dev can be used here. @oliverchang

We are planning to leverage deps.dev for this, similar to how we now support transitive resolution for Maven.

oliverchang avatar Jul 29 '24 00:07 oliverchang