🐛 Handle editable pip installs (#2731)
* fix: Handle editable pip install

  Editable pip installs (-e) should be considered secure if the package is installed from a local source or a remote source (VCS install) but pinned by commit hash. To keep the behaviour we have for normal pip installs, we need to guarantee the package dependencies are pinned by hash too. For normal pip installs, we verify that by using --require-hashes flag. Unfortunately, --require-hashes flag is not compatible with editable installs, so we use --no-deps flag to verify the dependencies are not installed since we can't verify if they are pinned.

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Editable pip install in GHA

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Editable pip install in Dockerfile

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Editable pip install in shell script

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Code complexity increase

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Simplify boolean return

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Add pip editable install references in comments

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Handle multiple packages in editable pip install

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multi editable pip install in GHA

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multi editable pip install in Dockerfile

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multi editable pip install in shell script

  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
1 parent 110e352, commit 6ff94eb
Showing 7 changed files with 322 additions and 5 deletions.
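The rule the commit message lays out, worked as an added Python example that is not the project's own implementation (the function names, the handling of non-VCS `://` targets and the sample commands are assumptions made here): an editable install passes only when every `-e` target is a local path or a VCS URL pinned to a full commit hash, and `--no-deps` is present because `--require-hashes` cannot be combined with `-e`.

```python
import re
import shlex

# VCS requirement pinned to a full 40-hex commit hash (optional "#egg=" fragment),
# e.g. git+https://host/org/repo.git@<sha>#egg=name
_VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")
_VCS_PINNED = re.compile(r"^(?:git|hg|svn|bzr)\+\S+@[0-9a-f]{40}(?:#\S*)?$")


def editable_targets(tokens):
    """Return the requirement that follows each -e / --editable flag."""
    targets, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-e", "--editable") and i + 1 < len(tokens):
            targets.append(tokens[i + 1])
            i += 1
        elif tok.startswith("--editable="):
            targets.append(tok.split("=", 1)[1])
        i += 1
    return targets


def target_is_pinned(target):
    """Local paths count as pinned; VCS URLs only when pinned to a commit hash."""
    if target.startswith(_VCS_PREFIXES):
        return _VCS_PINNED.match(target) is not None
    # pip accepts only a local path or a VCS URL for -e; anything else URL-like
    # is outside this rule and treated as unpinned (assumption of this example).
    return "://" not in target


def editable_install_is_pinned(command):
    """True when a pip install command has only pinned editable targets and
    --no-deps (the stand-in for --require-hashes, which -e does not allow)."""
    tokens = shlex.split(command)
    if "install" not in tokens or "--no-deps" not in tokens:
        return False
    targets = editable_targets(tokens)
    return bool(targets) and all(target_is_pinned(t) for t in targets)


# Constructed sample commands; the hash is a made-up 40-hex value.
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLES = {
    "pip install --no-deps -e .": True,
    f"pip install --no-deps -e git+https://github.com/example/pkg.git@{SHA}#egg=pkg": True,
    "pip install -e .": False,  # no --no-deps: dependencies may be resolved unpinned
}

if __name__ == "__main__":
    for cmd, expected in SAMPLES.items():
        assert editable_install_is_pinned(cmd) is expected, cmd
```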