How can we manage not "==" in requirements.txt?
- safety version: latest
- Python version: 3
- Operating System: Linux
Description
Hello, as you know, we have many different ways to put requirements.txt:
- ~=: Compatible release clause
- !=: Version exclusion clause
- <=, >=: Inclusive ordered comparison clause
- <, >: Exclusive ordered comparison clause
- flask: without version
- ===: Arbitrary equality clause

https://www.python.org/dev/peps/pep-0440/#public-version-identifiers
How to manage this kind of practice? List versions included?
I tried to list like this:
pip install safety==test
ERROR: Could not find a version that satisfies the requirement safety==test (from versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3b0, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.9.0)
@Jwomers @mgedmin @benjaminp @maratsh @duncm
Can this be resolved as a matter of high urgency? The vast vast majority of Python packages use those different ways, commonly >=. But safety cannot handle that, so useless.
E.g., take this example requirements.txt:
lxml>=4.5.1
lxml 4.5.1 contains a vulnerability but is not flagged by safety. Only flagged if >= replaced with ==
Hi @ValueRaider, there is a work in progress related to this; the following minor Safety versions will be able to handle this.
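An added example, not part of the thread and not Safety's own code: one way to audit a range specifier is to test every released version it admits against the affected set, instead of only looking at `==` pins. The version comparison is simplified to plain numeric releases (not full PEP 440), and `RELEASED`, `AFFECTED` and the function names are constructed for illustration; the only affected version used is the 4.5.1 mentioned in the thread.

```python
import re

def parse_version(text):
    # Simplified: plain numeric releases only (4.5.1), not full PEP 440.
    return tuple(int(part) for part in text.strip().split("."))

def satisfies(version, clause):
    """True if `version` matches one clause such as '>=4.5.1' or '~=4.5'."""
    m = re.fullmatch(r"\s*(~=|==|!=|<=|>=|<|>)\s*([0-9.]+)\s*", clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    width = max(len(v), len(bound))
    vp = v + (0,) * (width - len(v))          # pad so 4.5 compares equal to 4.5.0
    bp = bound + (0,) * (width - len(bound))
    if op == "~=":  # compatible release: >= bound, same prefix up to the last segment
        return vp >= bp and vp[:len(bound) - 1] == bound[:-1]
    return {"==": vp == bp, "!=": vp != bp, "<=": vp <= bp,
            ">=": vp >= bp, "<": vp < bp, ">": vp > bp}[op]

def audit_line(line, released, affected):
    """Return (name, pinned, affected releases that the line's range admits)."""
    m = re.fullmatch(r"\s*([A-Za-z0-9._-]+)\s*(.*)", line)
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    name = m.group(1)
    clauses = [c.strip() for c in m.group(2).split(",") if c.strip()]
    pinned = len(clauses) == 1 and clauses[0].startswith("==")
    # No clause at all (bare "flask"-style line) admits every release.
    admitted = [v for v in released if all(satisfies(v, c) for c in clauses)]
    return name, pinned, [v for v in admitted if v in affected]

# Constructed sample data, not taken from PyPI or an advisory database.
RELEASED = ["4.5.0", "4.5.1", "4.5.2", "4.6.0"]
AFFECTED = {"4.5.1"}  # the version the thread says is vulnerable
REQUIREMENTS = ["lxml>=4.5.1", "lxml==4.5.1", "lxml>4.5.1", "lxml~=4.5", "lxml"]

if __name__ == "__main__":
    for line in REQUIREMENTS:
        name, pinned, exposed = audit_line(line, RELEASED, AFFECTED)
        kind = "pinned" if pinned else "range"
        print(f"{line:14} {kind:6} admits affected: {exposed or 'none'}")
```

A range that admits an affected release means the installer is allowed to pick it, not that it did; checking the versions actually installed in the environment answers the second question.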