pyupio/safety

Would it make sense to add an option to ignore packages?

Opened this issue · 3 comments

There recently was a vulnerability with pip that caused many of my pipelines to break. Those cases are about libraries/packages, so pip is not a direct dependency but is, of course, present in the environment. Since pip is not a direct dependency and I don't want to control my users' environments, the best option is to ignore checking pip. I know that I could generate a requirements file for my package and check that file, but that's cumbersome. Hence my question: just as we can ignore specific vulnerabilities, can't we have an option to ignore checking a package by name, please?

I was just thinking, maybe

pip freeze | safety check --stdin --full-report

is a quick solution?

I have the same problem with pip as @Midnighter and their solution works well for pip.

But I would like to have the alternative to ignore any package (instead of just a vulnerability id).

Something along the lines of:

safety check --ignore pip --ignore 42089

i.e. make ignore parse the value given and check if it's a number (i.e. a vulnerability id) or a string of chars (i.e. a package name).
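As an added example, not code from the safety project or from any participant in this thread: a small POSIX shell filter that gives the `pip freeze | safety check --stdin` workaround above the per-package ignore asked for in the previous comment, by dropping the named packages from the frozen list before safety sees it. The `safety check --stdin --full-report` invocation is the one quoted in the thread; `drop_packages` and `safety_check_ignoring` are names chosen here, and the sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of safety: drop named packages from a `pip freeze`
# listing before it is piped into `safety check --stdin`, so a finding
# against pip itself (or any other environment-only package) does not fail
# the pipeline while every other package is still checked.

# drop_packages NAME... : read requirement lines on stdin and print every
# line whose package is not one of NAME... Names are compared after PEP 503
# normalisation (lowercase; runs of '-', '_' and '.' become a single '-'),
# so "typing_extensions" and "Typing-Extensions" match the same name.
# Handles the forms pip freeze emits: name==1.0, name[extra]==1.0,
# name @ https://..., and passes "-e ..." / comment / blank lines through.
drop_packages() {
    awk -v names="$*" '
        function norm(s) { s = tolower(s); gsub(/[-_.]+/, "-", s); return s }
        BEGIN {
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) ignore[norm(a[i])] = 1
        }
        # Blank lines, comments and option lines (-e ..., -r ...) carry no
        # bare package name to compare, so they are printed untouched.
        /^[[:space:]]*$/ || /^[[:space:]]*[#-]/ { print; next }
        {
            pkg = $0
            sub(/\[.*$/, "", pkg)                   # strip extras: name[extra]==1.0
            sub(/[[:space:]]*[=<>!~@].*$/, "", pkg) # strip ==1.0, >=1.0, " @ url"
            if (!(norm(pkg) in ignore)) print
        }'
}

# The pipeline from the thread with the filter in front of safety. This
# assumes the `safety check --stdin --full-report` interface quoted above.
# Sample run (constructed):  sh filter.sh pip setuptools
safety_check_ignoring() {
    pip freeze | drop_packages "$@" | safety check --stdin --full-report
}

# Only run the real pipeline when package names were given on the command
# line and safety is actually installed; otherwise just define the functions.
if [ $# -gt 0 ] && command -v safety >/dev/null 2>&1; then
    safety_check_ignoring "$@"
fi
```

Two caveats worth keeping in mind before adopting this in CI: removing a package from the input silences every present and future finding for it, not just the one that broke the build, so for a known false positive the `--ignore <vulnerability id>` option the thread already mentions is the narrower tool; and the filter works on whatever the listing contains, so an editable (`-e ...`) install of an ignored package still goes through to safety.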

Hitting this with the latest pip version 🙄