So, in the #PHP ecosystem, people can build a package like roave/security-advisories, which has a huge list of "conflict" dependencies.

These don't say "install this as a dependency", but instead "I'm incompatible with that dependency in that version". And the versions listed there are those with known security vulnerabilities, effectively preventing you from installing them, which is good.

Is there something similar in the #Python ecosystem? Is it even possible?

https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json

SecurityAdvisories/composer.json at latest · Roave/SecurityAdvisories (GitHub): 🔐 Security advisories as a simple composer exclusion list, updated daily - Roave/SecurityAdvisories

@scy composer 2.9 added similar built-in functionality, by the way: https://wikis.world/@LucasWerkmeister/115545221332071015

(no idea about Python)

@LucasWerkmeister @scy so the roave package is now useless? I added it in all the projects I joined, might be the time to take a step back and change my automated behavior 🙂

@s_hulard @LucasWerkmeister @scy From what I understand they are complementary. Use composer audit to regularly check already installed packages, and use roave/security-advisories to prevent installing or updating to known issues.

Edit: seems roave package is indeed not needed anymore, I have some projects to update as well 😅 https://blog.packagist.com/composer-2-9/

Composer 2.9 Release (Private Packagist): We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating …
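The two modes discussed in this thread (a roave-style "conflict" list that blocks an install before it happens, versus an audit that scans what is already installed) can be shown side by side with one advisory list. The script below is an added illustration written for this page; it is not code from roave/security-advisories, Composer or pip. Package names, versions and the ADV-000x identifiers are constructed. The only real tooling fact it leans on is that pip accepts a constraints file via `pip install -c constraints.txt`, which is the closest Python-side primitive I know of; everything else is a self-contained model.

```python
"""
Constructed illustration of a security-advisory exclusion list used two ways:
  1. conflict mode: reject a candidate install/update before it happens
     (what roave/security-advisories does via Composer's "conflict" section)
  2. audit mode: scan an already-resolved lock for affected versions
     (what `composer audit` does)
plus a rendering as a pip constraints file (`pip install -c constraints.txt`),
which is an assumption about the closest Python-side equivalent, not a claim
about any existing Python package.
All package names, versions and advisory ids below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable: str    # comma-separated AND clauses, e.g. ">=1.0,<1.4.2"
    advisory_id: str   # constructed placeholder id


def _ver(s: str) -> tuple:
    # Minimal dotted-numeric version parsing; enough for the constructed data.
    return tuple(int(p) for p in s.strip().split("."))


_OPS = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<":  lambda a, b: a < b,
    ">":  lambda a, b: a > b,
}


def matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = _ver(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "!=", "<", ">"):  # two-char ops first
            if clause.startswith(op):
                if not _OPS[op](v, _ver(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


# Constructed advisory list (the thing roave's composer.json carries for real).
ADVISORIES = [
    Advisory("examplelib", ">=1.0,<1.4.2", "ADV-0001"),
    Advisory("examplelib", "==2.0.0", "ADV-0002"),
    Advisory("otherpkg", "<0.9.5", "ADV-0003"),
]

# Constructed "already installed" state, as a lock file would record it.
LOCK = {"examplelib": "1.3.0", "otherpkg": "0.9.5", "unrelated": "3.1.0"}


def check_install(advisories, package: str, version: str) -> list:
    """Conflict mode: advisory ids that would block installing package==version."""
    return [a.advisory_id for a in advisories
            if a.package == package and matches(version, a.vulnerable)]


def audit(advisories, lock: dict) -> list:
    """Audit mode: (package, version, advisory_id) for every affected lock entry."""
    return [(pkg, ver, aid)
            for pkg, ver in lock.items()
            for aid in check_install(advisories, pkg, ver)]


def composer_conflicts(advisories) -> dict:
    """Composer-style 'conflict' map: package -> ranges that must NOT be installed.
    Composer joins alternative ranges with '||'."""
    out: dict = {}
    for a in advisories:
        out.setdefault(a.package, []).append(a.vulnerable)
    return {pkg: " || ".join(ranges) for pkg, ranges in out.items()}


def pip_constraints(advisories) -> list:
    """Render as pip constraints lines. Constraints can only narrow what is
    allowed, so each vulnerable range is inverted: '<X' becomes '>=X' and
    '==X' becomes '!=X'. Caveat: '>=X' also forbids older maintained branches,
    which is blunter than a conflict entry; anything else is rejected."""
    frags: dict = {}
    for a in advisories:
        clauses = [c.strip() for c in a.vulnerable.split(",")]
        upper = [c[1:] for c in clauses if c.startswith("<") and not c.startswith("<=")]
        exact = [c[2:] for c in clauses if c.startswith("==")]
        if len(clauses) == 1 and exact:
            frags.setdefault(a.package, []).append(f"!={exact[0]}")
        elif upper:
            frags.setdefault(a.package, []).append(f">={upper[0]}")
        else:
            raise ValueError(f"cannot express {a.vulnerable!r} as a pip constraint")
    return sorted(f"{pkg}{','.join(fs)}" for pkg, fs in frags.items())


if __name__ == "__main__":
    print("blocked:", check_install(ADVISORIES, "examplelib", "2.0.0"))
    print("audit:", audit(ADVISORIES, LOCK))
    print("conflict:", composer_conflicts(ADVISORIES))
    print("\n".join(pip_constraints(ADVISORIES)))
```

The audit result shows why the two modes are not interchangeable: the lock already contains examplelib 1.3.0, which a conflict list would only have refused at install time, while the conflict map still stops a later update to 2.0.0 that the audit cannot see yet.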