PEP 751 support #888


Merged
merged 9 commits into from
Apr 7, 2025

Conversation

woodruffw
Member

@woodruffw woodruffw commented Apr 2, 2025

WIP.

Some scattered thoughts:

  • Right now this adds a --locked flag to enable lockfile collection. Does this make sense? Should it happen by default instead, taking priority over pyproject.toml when present?
  • Right now this collects all pylock.*.toml files by default, not just the generic one or a particular service-specific one. Does this make sense? Should --locked take a value to control this, e.g. --locked=all for the current behavior and --locked=<service> for just pylock.<service>.toml?
  • This only checks [[packages]]. I need to do another closer read of PEP 751 to understand if there are other parts of the file we should collect from. Checked, and packages should be the only part.
  • This doesn't perform any deduplication at the moment, i.e. foo==1.2.3 will be audited multiple times if specified in multiple lockfiles or multiple times in the same file (which the PEP allows). This probably won't happen often but I should probably add that deduplication, similarly to how requirements.txt inputs are handled. This is moot, since deduplication is done at the audit layer.
  • This currently skips any package that doesn't have a version. I think this is probably the right behavior, but perhaps it should be stricter, i.e. skip if it's a non-sdist/wheel but fail/warn if an sdist or wheel is missing a version?

Signed-off-by: William Woodruff <william@trailofbits.com>

@woodruffw woodruffw added enhancement New feature or request component:dep-sources Dependency sources labels Apr 2, 2025
@woodruffw woodruffw self-assigned this Apr 2, 2025
@woodruffw woodruffw marked this pull request as ready for review April 4, 2025 21:19
@woodruffw woodruffw changed the title WIP: PEP 751 support PEP 751 support Apr 4, 2025
@woodruffw woodruffw requested a review from di April 4, 2025 21:30
@woodruffw woodruffw enabled auto-merge (squash) April 7, 2025 15:24
@woodruffw woodruffw merged commit b07f28f into main Apr 7, 2025
10 checks passed
@woodruffw woodruffw deleted the ww/pep-751 branch April 7, 2025 15:28