Add custom comment to excluded "unsafe" package #2151

Open
ntjess opened this issue Dec 22, 2024 · 0 comments


ntjess commented Dec 22, 2024

What's the problem this feature will solve?

Pip-compile users may consider a package to be "unsafe" to pin for a variety of reasons: e.g. necessary security patches, bloated dependency chains, multiple providers of the same python package, etc. Currently, there is no option to customize the requirements.txt comment indicating a package is unsafe. They all have the same header:

# The following packages are considered to be unsafe in a requirements file:
# opencv-python

From just this information, it's unclear why opencv-python is unsafe. Is there a security vulnerability? Or is it a different reason, as listed above?

Describe the solution you'd like

Ideally, each package can explain why it was excluded. As one example:

pip-compile --no-allow-unsafe \
    --unsafe-package "opencv-python  # has many providers such as  opencv-python-headless, opencv-contrib-python, etc. so no need to force a more bloated option" \
    --unsafe-package "another-package  # with its reason for exclusion"

Alternative solutions

It would also make sense if an --exclude option was present instead, which generates the heading:

# The following packages are listed as dependencies, but explicitly excluded from this requirements file:
# package-a

Or something similar. I am filing this request under allow-unsafe instead of an additional --exclude flag since #333 is marked as closed with the suggestion people use this instead.

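Until pip-compile can attach a per-package reason, the same outcome can be produced by post-processing the compiled file. The script below is an added example written for this page; it is not pip-tools code and is not part of the issue above. It rewrites the unsafe block using a reason map you maintain next to requirements.in. The only thing taken from pip-tools is the header string; the REASONS mapping, the sample compiled output and the hashed variant are constructed for the example, and the --hash handling reflects pip's behaviour of joining backslash-continued lines before stripping comments, which is why a reason cannot be placed inline on a hash-continued line.

```python
"""Annotate the "unsafe" block of pip-compile output with a per-package reason.

Added example (not pip-tools code): pip-compile writes one shared header for every
--unsafe-package entry, so this script appends the reason you recorded for each
one. The REASONS mapping and SAMPLE inputs below are constructed for the example.
"""
import re
import sys

# Header string that pip-compile emits above the unsafe block.
UNSAFE_HEADER = "# The following packages are considered to be unsafe in a requirements file:"

# Hypothetical reason map: project name -> why it must not be pinned in this file.
REASONS = {
    "opencv-python": "several providers exist (opencv-python-headless, opencv-contrib-python); do not force the bloated one",
    "pip": "installer itself; upgraded separately so security fixes are not held back by a pin",
}

# Matches "name", "# name" or "name==1.2 \", capturing the optional comment marker and
# the project name. Continuation lines (leading whitespace, e.g. --hash=...) do not match.
_PKG_LINE = re.compile(r"^(?P<marker>#\s*)?(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'OpenCV_Python' and 'opencv-python' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def annotate_unsafe_block(text: str, reasons: dict[str, str]) -> str:
    """Return `text` with each package in the unsafe block annotated from `reasons`.

    Handles both pip-compile styles: commented-out names (the default) and pinned,
    possibly hash-continued lines (--allow-unsafe --generate-hashes). Idempotent:
    lines that already carry a reason are left alone.
    """
    reasons = {normalize(k): v for k, v in reasons.items()}
    out: list[str] = []
    in_block = False
    for line in text.splitlines():
        if line.rstrip() == UNSAFE_HEADER:
            in_block = True
            out.append(line)
            continue
        if not in_block or line.startswith((" ", "\t")):
            out.append(line)              # outside the block, or a --hash continuation
            continue
        m = _PKG_LINE.match(line)
        if m is None:                     # blank line or unrelated text ends the block
            in_block = False
            out.append(line)
            continue
        name, rest = m.group("name"), line[m.end():]
        reason = reasons.get(normalize(name))
        already = "#" in rest or bool(m.group("marker") and rest.startswith(":"))
        if reason is None or already:
            out.append(line)
        elif rest.rstrip().endswith("\\"):
            # pip joins backslash-continued lines *before* stripping comments, so an
            # inline "# ..." here would swallow the --hash lines: put it on its own line.
            above = f"# {name}: {reason}"
            if not out or out[-1] != above:
                out.append(above)
            out.append(line)
        else:
            out.append(f"{line.rstrip()}  # {reason}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample of pip-compile output (default: unsafe packages commented out).
SAMPLE = """\
#
# This file is autogenerated by pip-compile with Python 3.12
# by the following command:
#
#    pip-compile --unsafe-package opencv-python requirements.in
#
numpy==1.26.4
    # via opencv-python-headless
opencv-python-headless==4.9.0.80
    # via -r requirements.in

# The following packages are considered to be unsafe in a requirements file:
# opencv-python
# setuptools
"""

# Constructed sample of the --allow-unsafe --generate-hashes style.
SAMPLE_HASHED = """\
# The following packages are considered to be unsafe in a requirements file:
pip==24.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    # Usage: python annotate_unsafe.py requirements.txt   (rewrites the file in place)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(annotate_unsafe_block(content, REASONS))
    else:
        print(annotate_unsafe_block(SAMPLE, REASONS))
        print(annotate_unsafe_block(SAMPLE_HASHED, REASONS))
```

Run it as the last step of the same Makefile or pre-commit hook that runs pip-compile, so the reasons are regenerated every time the lock file is. Packages without an entry in the map are left as pip-compile wrote them, which makes a missing reason visible in review rather than silently filled in.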