pypa/pipfile

Security Vulnerability Alerts (in examples/Pipfile.lock)

pfmoore opened this issue · 5 comments

I'm seeing security vulnerability alerts for it, and the last commit was 18 months ago. Is this still being used, or should it be archived somehow?

As a PyPA project, I think it should at a minimum be keeping up with security alerts.

I guess, it's as active as pipenv is. :)

Seriously though, I've viewed pipenv as a stop-gap solution to pip actually solving the requirements.txt is both "user input" and "lockfile" problem with a "Requirements 2.0". I think I'm gonna start hitting that problem, once the resolver is out.

FWIW, those security vulnerabilities are in examples/Pipfile.lock, so they're not exactly "real". :)

It would be nice if they could be addressed "somehow", though, so I don't get spammed with vulnerability reports. Personally, I don't know what to do about them (short of trying to work out how to fix them myself...)

rmax commented

PR #127 updates the examples lock file.

Okay, closing this! Thanks @rmax! ^>^