What's the problem this feature will solve?
Pip-compile users may consider a package to be "unsafe" to pin for a variety of reasons: e.g. necessary security patches, bloated dependency chains, multiple providers of the same python package, etc. Currently, there is no option to customize the requirements.txt comment indicating a package is unsafe. They all have the same header:
# The following packages are considered to be unsafe in a requirements file:
# opencv-python
From just this information, it's unclear why opencv-python is unsafe. Is there a security vulnerability? Or is it a different reason, as listed above?
Describe the solution you'd like
Ideally, each package can explain why it was excluded. As one example:
pip-compile --no-allow-unsafe \
--unsafe-package "opencv-python # has many providers such as opencv-python-headless, opencv-contrib-python, etc. so no need to force a more bloated option" \
--unsafe-package "another-package # with its reason for exclusion"
Alternative solutions
It would also make sense if an --exclude option was present instead, which generates the heading:
# The following packages are listed as dependencies, but explicitly excluded from this requirements file:
# package-a
Or something similar. I am filing this request under allow-unsafe instead of an additional --exclude flag since #333 is marked as closed with the suggestion people use this instead.
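As an added illustration of the proposed syntax, here is a small Python helper that parses `name # reason` values of the kind shown in the command line above and renders the annotated trailer. This is example code written for this page, not pip-tools code: the `name # reason` syntax, the function names and the two-space `# reason` layout on each line are assumptions about how the feature might look, and the input list is constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed example input, mirroring the command line in the issue above.
EXAMPLE_SPECS = [
    "opencv-python # has many providers such as opencv-python-headless, "
    "opencv-contrib-python, etc. so no need to force a more bloated option",
    "another-package # with its reason for exclusion",
    "Setuptools",  # no reason given: rendered as pip-compile does today
]

HEADER = "# The following packages are considered to be unsafe in a requirements file:"


def parse_unsafe_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split a "name # reason" value into (normalized name, reason or None).

    Hypothetical syntax from the proposal; pip-tools does not accept it today.
    """
    name, _sep, reason = spec.partition("#")
    name = name.strip()
    if not name:
        raise ValueError(f"missing package name in --unsafe-package {spec!r}")
    # PEP 503 normalization so "Setuptools" and "setuptools" compare equal.
    name = re.sub(r"[-_.]+", "-", name).lower()
    return name, (reason.strip() or None)


def collect_reasons(specs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each unsafe package to its reason; a later spec overrides an earlier one."""
    return dict(parse_unsafe_spec(s) for s in specs)


def render_unsafe_trailer(reasons: Dict[str, Optional[str]]) -> List[str]:
    """Render the comment trailer, appending the reason when one was given."""
    lines = [HEADER]
    for name in sorted(reasons):
        reason = reasons[name]
        lines.append(f"# {name}" + (f"  # {reason}" if reason else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(render_unsafe_trailer(collect_reasons(EXAMPLE_SPECS))))
```

Normalizing the name before storing it matters because the same package can be spelled `Setuptools`, `setuptools` or `setup_tools` on the command line; without normalization a reason attached under one spelling would be silently lost when the resolver reports the package under another.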