Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨[Feature Request]: Filter uv install by Python Package Authority's Security Advisory Database.✨ #8842

Open
galenseilis opened this issue Nov 5, 2024 · 1 comment
Open

✨[Feature Request]: Filter uv install by Python Package Authority's Security Advisory Database.✨ #8842

galenseilis opened this issue Nov 5, 2024 · 1 comment

Comments

@galenseilis
Copy link

galenseilis commented Nov 5, 2024
edited
Loading

What's the problem this feature will solve?

It would make a higher-level of package security a default.

Description

I would like uv to only download packages that do not have entries in the Python security advisory database by default.

When given a package name without a version I would like uv to filter out packages with security advisories as it searches for viable package versions. If none can be found, then stderr should indicate that.

If a package version is given, then the package should be installed if there is no security advisory, else give a stderr message.

An optional flag to override this behaviour would be appropriate for those that need to work with packages with security advisories, and for cybersecurity specialists they may need to be able to attempt downloading and installing such a package.

Alternative Solutions

Tools like PDM, uv, Hatch, and Poetry all support plugins. I expect a plugin which does the security check first before attempting to add a package to a project would also work with these various tools (including uv, obviously).

Another partial solution is to use the pip-audit pre-commit hook or github action. These automation tools will not always catch that there is an advisory on a package before it is installed, however.

Manually checking pip-audit is "ok", but the manual nature of it makes it less reliable.

Additional context

Security as a default is important for most organizations (e.g. healthcare), and I expect that most users won't mind it either.

I have made a nearly-identical request for PIP to do the same thing. I tend to use pip a lot at work, and uv on personal projects. Security is important in my work (healthcare data science), so whichever supports it if the other doesn't is going to take priority in the future.

End

Happy to discuss if the above needs clarification or revision. I'm also not highly familiar with the internal implementation details, so if this behaviour is already supported I would be grateful for direction to that feature.

Thanks for considering my request! 🙏
@galenseilis galenseilis mentioned this issue Nov 5, 2024
Open
1 task
@galenseilis
Copy link
Author

Looks like PDM supports uv experimentally so, this type of change could become an integral part of PDM if that support continues and matures.

@31z4 31z4 mentioned this issue Nov 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@galenseilis