
_cli, resolvelib: Support for custom indices #238

Merged: 11 commits merged into main from alex/custom-indices on Feb 11, 2022

Conversation

tetsuo-cpp (Contributor) opened this pull request:

Closes #46

@tetsuo-cpp (Contributor, Author) commented Feb 9, 2022

I'll spin up a DevPi instance tomorrow to test this out more thoroughly. Not quite ready to merge until I've done that.

@tetsuo-cpp tetsuo-cpp requested a review from woodruffw February 9, 2022 14:32
@woodruffw woodruffw added do not merge Do not merge this component:dep-sources Dependency sources labels Feb 9, 2022
@woodruffw (Member) commented

Overall structure LGTM! I agree about the additional testing.

@di (Member) commented Feb 9, 2022

> I'll spin up a DevPi instance tomorrow to test this out more thoroughly.

You might be able to test with https://test.pypi.org instead, could be easier.

@tetsuo-cpp (Contributor, Author) commented Feb 10, 2022

> > I'll spin up a DevPi instance tomorrow to test this out more thoroughly.
>
> You might be able to test with https://test.pypi.org instead, could be easier.

Thanks! I did some testing with the test PyPI.

If my requirement simply says pip, it audits 22.0.3 from prod PyPI since it is a later version than anything on the test PyPI. If I constrain to pip==18.1, I can get it to audit the test PyPI version.

I think this is working properly.

@tetsuo-cpp tetsuo-cpp requested a review from di February 10, 2022 01:38
@woodruffw (Member) left a review comment

Awesome, LGTM!

@woodruffw woodruffw merged commit a9c12b9 into main Feb 11, 2022
@woodruffw woodruffw deleted the alex/custom-indices branch February 11, 2022 18:43
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Feb 20, 2022 (commit message excerpt, quoting the pip-audit changelog):

### Added

* CLI: The `--fix` flag has been added, allowing users to attempt to
  automatically upgrade any vulnerable dependencies to the first safe version
  available ([#212](pypa/pip-audit#212),
  [#222](pypa/pip-audit#222))

* CLI: The combination of `--fix` and `--dry-run` is now supported, causing
  `pip-audit` to perform the auditing step but not any resulting fix steps
  ([#223](pypa/pip-audit#223))

* CLI: The `--require-hashes` flag has been added which can be used in
  conjunction with `-r` to check that all requirements in the file have an
  associated hash ([#229](pypa/pip-audit#229))

* CLI: The `--index-url` flag has been added, allowing users to use custom
  package indices when running with the `-r` flag
  ([#238](pypa/pip-audit#238))

* CLI: The `--extra-index-url` flag has been added, allowing users to use
  multiple package indices when running with the `-r` flag
  ([#238](pypa/pip-audit#238))

### Changed

* `pip-audit`'s minimum Python version is now 3.7.

* CLI: The default output format is now correctly pluralized
  ([#221](pypa/pip-audit#221))

* Output formats: The SBOM output formats (`--format=cyclonedx-xml` and
  `--format=cyclonedx-json`) now use CycloneDX
  [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/)
  ([#216](pypa/pip-audit#216))

* Vulnerability sources: When using PyPI as a vulnerability service, any hashes
  provided in a requirements file are checked against those reported by PyPI
  ([#229](pypa/pip-audit#229))

* Vulnerability sources: `pip-audit` now uniques each result based on its
  alias set, reducing the amount of duplicate information in the default
  columnar output format
  ([#232](pypa/pip-audit#232))

* CLI: `pip-audit` now prints its output more frequently, including when
  there are no discovered vulnerabilities but packages were skipped.
  Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted
  unconditionally
  ([#240](pypa/pip-audit#240))

### Fixed

* CLI: A regression causing excess output during `pip-audit -r`
  was fixed ([#226](pypa/pip-audit#226))
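The behaviour tetsuo-cpp observed above (an unpinned `pip` resolving to 22.0.3 from prod PyPI even though test PyPI was also configured) follows from how pip, and the resolvelib-based resolver pip-audit uses for `-r`, treat indices: `--index-url` and `--extra-index-url` carry no priority, every candidate from every index is pooled, and the highest version satisfying the specifier wins wherever it came from. That is the same mechanism dependency-confusion attacks rely on when an internal package name is also registered on a public index, and it is why version pins and `--require-hashes` matter. The toy resolver below is an added example, not pip-audit's or pip's own code; the index URLs are real but the candidate tables, versions and sha256 digests are constructed, and the requirement-line grammar it accepts is a deliberately small subset of PEP 508/440.

```python
"""Toy model of how pip-audit's requirements mode (-r) resolves a line
against several package indices and how hash pinning constrains it.

Added example, not pip-audit's or pip's own code. The index URLs are
real, but the candidate tables, version lists and sha256 digests below
are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # dotted version parsed to a tuple of ints, e.g. (22, 0, 3)
    index: str       # index URL the candidate was served from
    sha256: str      # digest the index reports for the distribution file


# Constructed stand-ins for the project listings of two indices. Only the
# prod entry for pip 22.0.3 mirrors the PR thread; the rest is made up.
INDICES = {
    "https://pypi.org/simple": [
        ("pip", "22.0.3", "a" * 64),
        ("pip", "21.0", "b" * 64),
    ],
    "https://test.pypi.org/simple": [
        ("pip", "18.1", "c" * 64),
        ("pip", "20.0", "d" * 64),
    ],
}

# PEP 440 operators handled by this toy (pip's real matching is richer).
OPS = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: have >= want,
    "<=": lambda have, want: have <= want,
    ">": lambda have, want: have > want,
    "<": lambda have, want: have < want,
}

HASH_PREFIX = "--hash=sha256:"


def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(line):
    """Split 'name<specs> --hash=sha256:...' into (name, specs, hashes)."""
    tokens = line.split()
    head, options = tokens[0], tokens[1:]
    head_match = re.match(r"^([A-Za-z0-9_.-]+)(.*)$", head)
    name, spec_text = head_match.group(1).lower(), head_match.group(2)
    specs = []
    for clause in filter(None, spec_text.split(",")):
        op_match = re.match(r"^(==|!=|>=|<=|>|<)(.+)$", clause)
        specs.append((op_match.group(1), parse_version(op_match.group(2))))
    hashes = {opt[len(HASH_PREFIX):] for opt in options if opt.startswith(HASH_PREFIX)}
    return name, specs, hashes


def collect_candidates(name, index_urls):
    """Gather every candidate for `name` from all indices, in the order given."""
    found = []
    for url in index_urls:
        for cand_name, version, digest in INDICES.get(url, []):
            if cand_name.lower() == name:
                found.append(Candidate(cand_name, parse_version(version), url, digest))
    return found


def resolve(line, index_url, extra_index_urls=(), require_hashes=False):
    """Pick the candidate a pip-style resolver would audit for one requirement line.

    Like pip, --index-url and --extra-index-url carry no priority: all
    candidates from all indices are pooled and the highest satisfying
    version wins, wherever it came from.
    """
    name, specs, hashes = parse_requirement(line)
    if require_hashes and not hashes:
        raise ValueError(f"{name}: --require-hashes is set but the line carries no --hash")
    pool = collect_candidates(name, (index_url, *extra_index_urls))
    matching = [c for c in pool if all(OPS[op](c.version, want) for op, want in specs)]
    if hashes:
        # A pinned hash must match what the index reports for that file.
        matching = [c for c in matching if c.sha256 in hashes]
    if not matching:
        raise LookupError(f"{name}: no candidate satisfies {line!r}")
    return max(matching, key=lambda c: c.version)


if __name__ == "__main__":
    extra = ("https://pypi.org/simple",)
    for req in ("pip", "pip==18.1", "pip==20.0 " + HASH_PREFIX + "d" * 64):
        chosen = resolve(req, "https://test.pypi.org/simple", extra_index_urls=extra)
        print(f"{req:<90} -> {'.'.join(map(str, chosen.version))} from {chosen.index}")
```

Run it directly to walk through the three cases: the unpinned line lands on the newest version regardless of which URL was passed as `--index-url`, the `==18.1` pin lands on the test index because only that index serves the version, and a `--hash` pin rejects any candidate whose reported digest differs even when the version matches. `--require-hashes` on a line without a `--hash` is refused outright, which is the check the `--require-hashes` flag in the changelog above enforces.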
Labels: component:dep-sources (Dependency sources), do not merge (Do not merge this)
Linked issue closed by this pull request: Support for custom indices (#46)
3 participants