Operating System: MacOS High Sierra and CentOS Linux release 7.2.1511
Description
I'm trying to run safety check --full-report. I expect the check to pass, but it fails with a pyyaml vulnerability. Safety has a dependency on dparse, which has a dependency on pyyaml. I'm running safety against a package (no requirements.txt), so it falls back to checking installed packages via pip's API. This means that any dependencies of safety or its sub-dependencies are also checked.
What I Did
I'm running safety via tox:
There doesn't appear to be a non-pre-release version 4 of PyYAML on PyPI.
There are ways for me to work around this (add an ignore, create and maintain a requirements file alongside setup.py, etc.), but I thought it might be helpful for anyone else who runs into this. I'm also curious what your thoughts are on some way to check only non-dev dependencies. I really like checking whatever pip has installed, but that will always catch everything installed.
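One way to get the "requirements alongside setup.py" workaround from the report without maintaining that file by hand is to derive it from the installed metadata: walk the install_requires graph of the package under test and pin what it reaches, so that `safety check -r` scans only the package's own runtime dependencies and not the scanner's chain (safety -> dparse -> pyyaml). The following is an added example, not code from the issue or from the safety project. The package graph in FAKE_ENV is constructed for the demonstration, `requirement_name` deliberately treats any requirement gated on an extra as optional (a simplification), and the `-r` option of `safety check` is the one the tool documents for reading a requirements file.

```python
"""Build a requirements file covering only one package's runtime dependency
tree, so `safety check -r` does not also report on the scanner's own
dependencies (e.g. safety -> dparse -> pyyaml).  Added example, not part of
the safety project."""
import re
import sys
from importlib import metadata
from typing import Callable, Dict, List, Optional, Tuple

# A distribution record: (installed version, raw requirement strings as found
# in the distribution's Requires-Dist metadata lines).
DistInfo = Tuple[str, List[str]]
Lookup = Callable[[str], Optional[DistInfo]]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> Optional[str]:
    """Canonical project name of a requirement string, or None when the
    requirement only applies under an extra (e.g. 'pytest; extra == "test"'),
    which a plain `pip install pkg` would not pull in.  Other environment
    markers (sys_platform, python_version, ...) are kept: simplification."""
    spec, _, marker = req.partition(";")
    if "extra" in marker:
        return None
    m = _NAME_RE.match(spec)
    return canonical_name(m.group(1)) if m else None


def runtime_closure(root: str, lookup: Lookup) -> Dict[str, str]:
    """Walk the install_requires graph from `root` and return
    {canonical_name: installed_version} for every distribution reached,
    excluding `root` itself (the project under test)."""
    pinned: Dict[str, str] = {}
    stack = [canonical_name(root)]
    while stack:
        name = stack.pop()
        if name in pinned:
            continue
        info = lookup(name)
        if info is None:
            continue  # not installed in this environment; nothing to pin
        version, requires = info
        pinned[name] = version
        for req in requires:
            dep = requirement_name(req)
            if dep and dep not in pinned:
                stack.append(dep)
    pinned.pop(canonical_name(root), None)
    return pinned


def installed_lookup(name: str) -> Optional[DistInfo]:
    """Lookup backed by the distributions installed in the current interpreter."""
    try:
        dist = metadata.distribution(name)
    except metadata.PackageNotFoundError:
        return None
    return dist.version, list(dist.requires or [])


def requirements_text(pinned: Dict[str, str]) -> str:
    """Render pins as a requirements.txt body for `safety check -r`."""
    return "".join(f"{name}=={ver}\n" for name, ver in sorted(pinned.items()))


# Constructed sample environment (not a real snapshot): the project under test,
# its one platform-conditional dependency, a test-only extra, and the scanner's
# own dependency chain, all installed side by side as tox would do.
FAKE_ENV: Dict[str, DistInfo] = {
    "myproject": ("0.1.0", ["click>=6.0", 'colorama; sys_platform == "win32"',
                            'pytest; extra == "test"']),
    "click": ("6.7", []),
    "colorama": ("0.3.9", []),
    "pytest": ("3.6.0", ["py>=1.5"]),
    "py": ("1.5.3", []),
    "safety": ("1.8.1", ["click>=6.0", "dparse>=0.4.1", "requests"]),
    "dparse": ("0.4.1", ["pyyaml", "packaging"]),
    "pyyaml": ("3.12", []),
    "packaging": ("17.1", []),
    "requests": ("2.18.4", []),
}


def fake_lookup(name: str) -> Optional[DistInfo]:
    return FAKE_ENV.get(canonical_name(name))


if __name__ == "__main__":
    # Real use:  python thisfile.py <your-package> > runtime-requirements.txt
    #            safety check --full-report -r runtime-requirements.txt
    # With no argument the constructed FAKE_ENV is walked from "myproject".
    root = sys.argv[1] if len(sys.argv) > 1 else "myproject"
    lookup = installed_lookup if len(sys.argv) > 1 else fake_lookup
    print(requirements_text(runtime_closure(root, lookup)), end="")
```

Walking FAKE_ENV from "myproject" pins only click and colorama; pyyaml is reached only from safety's side of the graph, so it no longer shows up in the scan, while running the same walk from "safety" still pins dparse, pyyaml and packaging. Because the pins come from the installed versions, the generated file still has to be regenerated inside the tox environment whenever dependencies are re-resolved, which is the maintenance cost the report alludes to.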
So why can we not keep marking <4.1 as unsafe to trigger the upstream packages?
"Let's not scream about vulnerabilities marked won't fix by maintainer" is a bad precedent for a security scanner IMHO. Especially when fix versions are available (albeit other major versions).
[EDIT]: I see now that 4.1 has been pulled or was never released, and they're taking their time with 4.2. So I take it that once 4.2 has been officially released, this will be reactivated?